
Ethical Hacking and Penetrate Testing using Kali and Metasploit Framework

International Journal of Innovation in Computational Science and Engineering, Volume-2 Issue-1, pp. 09-22, ISSN: 2708-3128, May-2021. IJICSE@2021

Mujahid Tabassum, Tripti Sharma, Saju Mohanan
Department of IT, University of Technology and Applied Sciences, Muscat, Oman

Abstract

The need to ensure confidentiality has expanded exponentially with the increase in recent Internet usage. For users and enterprises, the reliability and accessibility of their networks have become critical, and the development of secure infrastructure to protect user identity and private information is crucial. Internet development and popularity have generated many issues such as cyber theft, hacking, phishing, spamming and many more. Individuals and companies have migrated their data to cloud architectures that pose new data protection issues and threats. According to the Cybersecurity Ventures survey, cybercrime exposure could cost 6 trillion dollars a year worldwide by the end of 2021. Ethical hacking enables consumers and companies to investigate the vulnerabilities in their infrastructure and networks so that they can take appropriate steps to secure their networks and systems from illegal and malicious attacks. It further protects networks and processes by recognizing common vulnerabilities and enabling organizations to apply appropriate safeguards. In this research paper, we discuss the ethical hacking and penetration testing process and practical experiments to brief new researchers and students on the deployment and use of the Metasploit framework as a student-centred learning approach. We have performed both server-side and client-side exploitation to understand the process. We have used the Kali Linux Operating System (OS) to complete this ethical hacking and penetration testing. In the end, we propose mitigation measures and security enhancements to resist hacking attacks.

1. Introduction

Cybercrimes against Internet users are increasing exponentially. Recent attacks exploiting network flaws and vulnerability loopholes have become serious issues for end-users and businesses. Data privacy and network safety of Internet users have become critical fields of concern. Network security scientists and engineers focus on developing robust architectures and solutions to secure networks, platforms, and software from illegitimate hacking. Even in this developed era, current security infrastructure offers only some degree of protection. Therefore, the fundamental safety directives must be understood by businesses and individuals to resist these assaults.

The Internet has become a requirement in every field of life due to its usability. Every operation an Internet user carries out increases the chance of criminals using personal data in identity fraud. The company and the client should ensure that these events do not arise often and that their networks are secure. Websites and systems contain sensitive information such as financial records, users' details, and other confidential information that must be protected with suitable policies. When designing a secure network infrastructure, three criteria must be considered: confidentiality, integrity, and availability [1]. Attackers have several ways to exploit a network and obtain private information. Hacking a web portal or device may destroy the network and interrupt the application services. The appropriate network firewall, protection protocols and equipment must also be enforced and tracked carefully.

Many firms, such as Google, banks and Microsoft, are encouraging ethical hacking to address their network flaws and offer ethical hackers big prize money. In addition, many network consultants are available to analyze the network flaws of organizations and provide them with best practices and recommendations for improved network and asset protection.

Kali Linux is a reliable tool that can be used to examine networks, systems, and application vulnerabilities [2]. This paper has used Kali to perform Metasploit-related experiments on a preconfigured network and procedures as part of ethical hacking to exploit their vulnerabilities. The Metasploit framework is open-source software that provides the infrastructure and tools to perform a penetration test and security auditing. It exploits vulnerabilities in networks, operating systems, and applications and generates new exploits for new or unknown vulnerabilities. Metasploit offers many features such as information gathering, vulnerability scanning, exploit development, client-side attacks, etc.

These experiments were performed as part of student-centred learning without gaining any monetary benefit or exploiting any organization. We have shown the usefulness and comprehension of these tools through such assaults to students for learning purposes. Ultimately, we have suggested that consumers protect their networks and implement appropriate measures to deter these assaults.

These studies were carried out as part of student-centred learning without any monetary gain or organizational exploitation. We have demonstrated the usability and reliability of these hacking tools as part of students' and companies' learning processes. We also ultimately recommended that users defend their networks and take reasonable steps to prevent these attacks.

2. Literature Review

In the following article [3], the author illustrates cross-site scripting assaults on banking websites and proposes the necessary mitigation strategy. Online systems are popular for digital banking transactions. Online applications use JavaScript to enable complex client-side activity on web pages, which could expose the browser and server to attacks. A sandboxing function protects the user's environment from malicious JavaScript code by restricting its access to resources associated with its originating site only. Such safeguards are unfortunately useless if a user may receive malicious JavaScript code from a trusted central location: that gives the malicious script complete access to all resources belonging to the trusted site, e.g., authentication tokens and cookies. These are classified as cross-site scripting (XSS) attacks. XSS assaults are generally fast but hard to spot and prevent. One theory is that HTML encoding schemes offer attackers several possibilities to insert malicious scripts into trustworthy pages by bypassing server-side input filters. Developing a client-side approach is enough in principle, but JavaScript programming makes malicious activity hard to identify. Therefore, the author suggested Noxes as a web proxy-based client-side tool to mitigate cross-site scripting assaults. Noxes is a browser proxy that utilizes manual and automatic rules to prevent cross-site scripting. The solution has certain drawbacks, requiring several manual configurations and lacking SSL support.

XML-based SOAP web services are widely used to let users perform various remote operations and data transport. SOAP is incorporated into architectures, cloud interfaces, management, and federated identity-based eGovernment programs. The widespread use of this technology resulted in the emergence of numerous, sometimes complex, extension specifications. It coincided with an increase in the number of Web Services-related attacks. They range from straightforward denial-of-service attacks to attacks on cloud-based interfaces that compromise the confidentiality of communications or decrypt them. The author evaluates their system's protection in the following paper [4] by conducting penetration testing and designing their own penetration testing method, called WS-Attacker.

Numerous businesses have expanded their popularity as the Internet has grown by shifting their marketing strategies to digital marketing. They use web services to share massive amounts of knowledge to promote themselves across businesses, manufacturers, retailers, and consumers. These websites store user credentials, financial and payment reports, company figures, and other relevant details. Databases are a source of secure and easily accessible information. Such websites are constantly attacked by fraudulent users motivated by financial gain. SQL injection and XSS are the most often employed application-layer assault tactics for attackers to control or disable material on websites and applications by inputting malicious command strings. In recent years, Structured Query Language Injection Attacks (SQLIA) also ranked first on the Open Web Application Security Project's (OWASP) top ten vulnerabilities chart, resulting in substantial attacks on numerous websites. The author explored various structured query language injections, cross-site scripting assaults, bugs, and protection strategies in this article. However, this research paper [5] relied on content interpretation and a survey rather than an experimental method.

Nowadays, Internet use is immense and increases day by day. Websites are employed in nearly all areas of employment, and people are growing more and more dependent on them. With rising Internet reliance, the question of information protection has become more pressing, since most jobs, e-commerce, texting, bill paying, etc., depend on the Internet. Therefore, information security is most critical for any website and system. For every organization, institution and the finance industry, specific safety concerns are considerable. This challenge is especially hard in finance, not just because of the related financial resources but also because of the customer's confidential information and companies' and clients' private data. Once an attacker hacks these systems, they can misuse the information for various purposes. To assess network protection, various companies perform penetration tests to identify bugs in their web apps and attacking behaviour. This paper [6] focuses on protection in web applications. A methodology was developed to assess bugs in this proposed study. This framework has the same operating module as a forum for financial institutions. After penetration testing, a framework can be built depending on the flaw found, which can offer more protection for websites like this. The developed methodology can be used to assess insecurity in many organizations and companies.

Another paper [7] focuses on exploring and reviewing the VAPT process life cycle and VAPT vulnerability detection tools in the framework. The authors emphasize its value at different organizational levels to update security mechanisms to protect against various cyber-attacks. In today's world, organizations and institutions, their networks, and their data face rising vulnerabilities and are in a complicated position. It is always easier to detect and recognize those vulnerabilities before an intruder uses them. Thus, vulnerability evaluation and penetration evaluation techniques help decide whether the security device configurations function correctly or whether the protection deficiencies need correcting.

A student-centred experiment was done as part of ethical hacking training in this article [8]. Hands-on training and a comprehensive understanding of ethical hacking have become essential for computer security students. However, few studies show extensive realistic knowledge of ethical hacking and penetration testing in an enclosed lab due to restricted budgets and the availability of certain facilities. In this article, the author presented VIBRANT as a virtual cloud-based laboratory framework for ethical hacking. It is used to enhance cryptography education and to teach students in universities. The software is only used by students from LJMU and is not available to other people.

The following paper [9] addresses topics relating to ethical hacking and information systems security. When discussing information network security, confidentiality, integrity, and availability are the core three characteristics of a system. There are several approaches for identifying existing threats in order to protect systems and enhance security measures. One is Kali Linux, with its robust integrated capabilities that are particularly suitable for carrying out such forms of attacks. In this paper, the author presents a series of choices for using client- and server-side resources in Kali OS. They spoke mainly about the advantages of Kali, which provides a range of hacking methods and a free framework for finding device vulnerabilities.

We have reviewed many research papers in which researchers discussed different hacking techniques. However, there is a shortage of good hacking papers which describe the detailed process of Metasploit attacks, including server-side and client-side examples together, for new ethical hacking users. In this study, we have used Kali to perform Metasploit-related experiments on a preconfigured network and systems as part of ethical hacking to exploit their vulnerabilities. Metasploit provides the infrastructure and tools for the user to perform a penetration test and security auditing. We have exploited vulnerabilities of a preconfigured network, operating system, and application to generate new exploits for those vulnerabilities and access them without permission. We have used the Metasploit framework for information gathering, vulnerability scanning, exploit development, client-side attacks, etc. In the end, we have suggested some proposals for end-users to defend their networks and to take adequate steps to prevent these attacks.

3. Ethical Hacking

As businesses and individuals use many online services and depend on the Internet, hackers find more avenues and openings to access sensitive data through web apps and online networks. The need to safeguard web apps and networks against the growth of hackers, and the demand from consumers to stop such criminal attacks on their systems, is therefore increasing. Ethical hackers have been able to address these fundamental issues. Ethical hacking involves the identification and correction of device flaws and vulnerabilities. It can also be defined as a hacking mechanism without any harmful or destructive aim towards a network. Ethical hacking may also be described as a safety evaluation, training, or environment protection review for information technology. This method demonstrates the risks faced by an IT environment and the steps to minimize those risks. Furthermore, these techniques are also known as Penetration Hacking, Red Teaming, or Intrusion Testing [1, 10, 11].

Ethical hackers are those who work on a security framework and check for the bugs a malicious hacker might use to exploit networks. They use their experience and skills to secure the cyber environment for owners and consumers alike. Ethical hacking is essential to secure the infrastructure from harm caused by hackers. The primary purpose of an ethical hacking service is to assess and report to the owner on the safety of the targeted systems and networks.

Ethical hacking is performed along with penetration testing techniques to evaluate the security loopholes. There are many techniques used to hack information, such as information gathering, vulnerability scanning, exploitation, and test analysis.

Ethical hacking involves automated methods. The hacking process without automated software is inefficient and time-consuming. There are several tools and ways that can be used for ethical hacking and penetration testing. NMAP is a standard automated tool for port scanning and checking service availability in hacking environments. Nessus is another hacking app for home consumers.

Metasploit consists of a directory containing a list of accessible vulnerabilities and is simple to use, making it one of the best penetration testing tools. The Metasploit Framework is open-source software that forms the basis of its commercial products. It provides the infrastructure and tools for the user to perform a penetration test and security auditing. The Metasploit framework eases the effort to exploit vulnerabilities in networks, operating systems and applications and to generate new exploits for new or unknown vulnerabilities. Metasploit offers many features such as information gathering, vulnerability scanning, exploit development, client-side attacks, etc. [12, 13].

4. Penetrate Testing

The penetration test is one of the standard means of assessing protection status in the face of increasing safety threats. It is also known as a pentest. A pentest is a controlled effort to penetrate a system or network to identify vulnerabilities. It is an approved simulated cyber assault conducted on a network to evaluate device security. A pentest employs tactics identical to those hackers usually use when attacking. This mechanism requires adequate steps to be taken before unauthorized individuals can explore vulnerabilities. These checks are carried out to examine several of the bugs, including the possibility of unauthorized parties gaining access to the software and the application's data.

The penetration test is used to identify exploitable weaknesses in the enterprise's network and allows developers to build safe and effective systems. Businesses and individuals must secure their systems and information from external or internal attackers and constantly monitor for security loopholes. The test results are regarded as private and confidential because they reveal both the system's problems and how they can be utilized. A pentest can be accomplished by attacking the system in the same way as external threats would and figuring out what can be achieved, using a series of chained attacks to reach the targeted system [13, 14].

5. Ethical Hacking and Penetrate Testing Model

An ethical hacker is a white hat hacker who exploits systems for a legitimate cause, for example, to protect organizational networks. They have legal rights to enter and exploit organization networks to find vulnerabilities. They use various tools to scan open ports and find website loopholes and bugs through a proper mechanism to attack the system. To perform ethical hacking, they need five steps [12, 13]:

1. Reconnaissance
2. Scanning and Enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Figure 1: Ethical Hacking & Penetrate Testing Procedure

5.1. Reconnaissance

Reconnaissance is an essential method used in penetration testing and the origin of several privacy infringements. The method includes gathering information about a targeted system to find bugs and weaknesses. In the first step, the hacker obtains detailed information about security measures on the targeted network. This phase is known as footprinting or information gathering. Footprinting is completed with the following objectives [11, 13]:

- Get full system knowledge to reduce the attack area.
- Understand the details of the security structure.
- Draw up an information database for the attack.
- Develop or create a network map.

Reconnaissance is a collection of strategies and procedures used to identify targeted device security flaws without the user's knowledge and to use these flaws to enter the system. This information covers three parameters: network, host, and details of the people involved. The attacker acts as a detective and collects as many details as possible about the targeted system to understand it. This process involves examining email lists, identifying open-source information and access points, operating system fingerprinting, revealing running services on ports, and mapping related information. Their purpose is to understand the system better than internal people do. They analyze vulnerabilities and utilize every flaw to their benefit.

Reconnaissance can be divided into two phases, Active and Passive [12].

- Passive: In this process, hackers try to gather the targeted system's information without directly involving or communicating with the system. They use public sources such as search engines, OSINT, Shodan, Whois lookup, social media, social engineering, and related tools. Network sniffing also comes under the passive phase, in which a hacker gains IP addresses, naming conventions, servers, networks, and services information of the targeted system. It is a natural process that can reveal a massive amount of critical information on a targeted system.

- Active: In this process, hackers are directly involved with the targeted system to gain related information. However, this is a risky task and could be detected by network security devices. It needs professional expert knowledge and experience. If security barriers detect the hacker, the network administrator could attack back to identify and trap them. Several applications can be used for this purpose, such as NMAP, Tracert, Ping, Zenmap, NSlookup, etc.
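The detectability of active reconnaissance is the defender's lever. As an added example (not code from the paper), the Python below flags a source that touches many distinct ports on one host inside a short window, which is the footprint an NMAP-style port sweep leaves in firewall logs. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) firewall log format, one connection attempt per line:
#   <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample log: 192.0.2.10 sweeps twelve ports on 198.51.100.5 within
# six seconds (scan-like); 192.0.2.20 repeatedly uses one service port (a normal
# client); 192.0.2.30 touches only three ports (too few to flag by default).
SAMPLE_LOG = """\
2021-05-01T10:00:00 src=192.0.2.10 dst=198.51.100.5 dport=21 action=deny
2021-05-01T10:00:00 src=192.0.2.10 dst=198.51.100.5 dport=22 action=allow
2021-05-01T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=23 action=deny
2021-05-01T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=25 action=deny
2021-05-01T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=53 action=deny
2021-05-01T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=80 action=allow
2021-05-01T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=110 action=deny
2021-05-01T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=135 action=deny
2021-05-01T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=139 action=deny
2021-05-01T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=143 action=deny
2021-05-01T10:00:05 src=192.0.2.10 dst=198.51.100.5 dport=443 action=allow
2021-05-01T10:00:05 src=192.0.2.10 dst=198.51.100.5 dport=445 action=deny
2021-05-01T10:00:07 src=192.0.2.20 dst=198.51.100.5 dport=443 action=allow
2021-05-01T10:01:12 src=192.0.2.20 dst=198.51.100.5 dport=443 action=allow
2021-05-01T10:02:30 src=192.0.2.20 dst=198.51.100.5 dport=443 action=allow
2021-05-01T10:03:00 src=192.0.2.30 dst=198.51.100.5 dport=80 action=allow
2021-05-01T10:03:01 src=192.0.2.30 dst=198.51.100.5 dport=443 action=allow
2021-05-01T10:03:02 src=192.0.2.30 dst=198.51.100.5 dport=8080 action=deny
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m.group("time")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action"),
    }


def detect_port_scans(lines, window_seconds=60, port_threshold=10):
    """Flag (src, dst) pairs that touch >= port_threshold distinct destination
    ports inside some window_seconds-long sliding window.  Allowed and denied
    attempts both count: a sweep over open ports shows up as 'allow' lines."""
    events = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["time"], ev["dport"]))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        busiest = set()
        for end, (t_end, _) in enumerate(evs):
            # Slide the window start forward until it lies within window_seconds.
            while (t_end - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > len(busiest):
                busiest = ports
        if len(busiest) >= port_threshold:
            alerts.append({"src": src, "dst": dst,
                           "distinct_ports": len(busiest),
                           "ports": sorted(busiest)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} distinct ports)")
```

Tune port_threshold and window_seconds to the environment: a low threshold catches slow scans but also flags monitoring hosts and vulnerability scanners such as Nessus or OpenVAS, which should be allow-listed rather than alerted on.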

5.2. Gaining Access

In the third phase, once an attacker has completed the reconnaissance phase and collected all the vulnerability information, he will enter a targeted system using various techniques, by cracking the security password or bypassing security barriers. In this phase, he gains access to the targeted system; in the next step, he needs to escalate his privilege to the administrator level to control the applications and services for data manipulation. A hacker could use several methods for password cracking [12, 15]:

- Brute force: The hacker uses the primary method of trying all possible combinations until the password is successfully cracked.
- Dictionary attack: In this method, the hacker tries combinations of dictionary words to crack the passwords.
- Rule-based attack: In this method, they use necessary known information to retrieve the detailed information and break security barriers.
- Rainbow table: In this method, the hacker takes a hash value of the password and compares it with a list of pre-computed hash values to crack the password. This is a better method than using brute force or dictionary attacks.
- Passive online attack: In this method, the hacker does not change the state of the targeted system; instead, they try to monitor or capture the data in transit to obtain the transmitted data. Wire sniffing, man-in-the-middle, and replay attacks are examples.
- Active online attack: This is the most natural way to obtain unauthorized administrator access to a targeted system, using password guessing, Trojans, spyware, keyloggers, hash injection, or phishing methods.
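To show why the rainbow-table entry above works against some password stores and not others, here is an added Python example (not from the paper). It builds a precomputed table of unsalted SHA-256 digests over a constructed wordlist, recovers an unsalted stored hash instantly, and then shows that the same table finds nothing once each password is stored with a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256), which is the mitigation. A real rainbow table also compresses its storage with hash-reduce chains; a plain lookup table stands in for it here.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "123456", "welcome", "admin"]


def build_lookup_table(words):
    """Precompute unsalted SHA-256 digests once: hex digest -> plaintext.
    The cost is paid a single time and the table is reusable against any
    unsalted password store, which is exactly what makes it effective."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def table_lookup(table, stored_hex):
    """Instant reversal of a stored hash, or None if it is not in the table."""
    return table.get(stored_hex)


def store_unsalted(password):
    """The weak scheme: one global hash function, no salt, so equal passwords
    produce equal digests and a precomputed table applies to every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, iterations=100_000, salt=None):
    """The mitigated scheme: a random 16-byte per-user salt plus PBKDF2.
    The salt makes every user's digest unique (no shared table), and the
    iteration count makes each guess expensive. The record keeps what is
    needed to verify later; the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record, candidate):
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo():
    """Contrast the two schemes for the same password and wordlist."""
    table = build_lookup_table(WORDLIST)
    weak = store_unsalted("letmein")
    strong_a = store_salted("letmein")
    strong_b = store_salted("letmein")  # second user, same password
    return {
        "unsalted_recovered": table_lookup(table, weak),             # "letmein"
        "salted_recovered": table_lookup(table, strong_a["hash"]),   # None
        "same_password_same_digest": strong_a["hash"] == strong_b["hash"],  # False
        "salted_verifies": verify_salted(strong_a, "letmein"),       # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```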

5.3. Maintaining Access

In the following step, the attacker needs to maintain access to or control of the victim system to perform illegal activities. Once he has gained access, he can exploit the system, steal private information, manipulate resources/data, or destroy the system. His main goal is to keep a low profile in order to keep control and hide from the administrator until finishing his job. If an attacker has reached this point, the organization's assets and prestige may be in grave danger. Hackers use rootkits to gain access at the OS level and Trojan horses to gain access at the application level. Furthermore, they use Trojan horses to retrieve and transfer the user's personal information such as usernames, passwords, credit cards, and other related data [13].

5.4. Clearing Tracks

After gaining the required information or exploiting the system, the attacker's main job is to clear his footprint and delete all information related to his identity. To complete this job, he will destroy evidence of his presence on the targeted system or network. This process is known as clearing tracks. In this step, an attacker will perform the following things [53]:

- Disable auditing: Removing audit information is a smart move because no traces can be discovered while monitoring is switched off. On a Windows system, hackers may use the "Auditpol" command to remove the auditing and to check the logging standard established by the system administrator.
- Clearing logs: Logs maintain the trace of proof of the intrusion. Clearing logs is an excellent move for a hacker to remove his presence. On a Windows system, they can run Clearlog.exe to perform this task. However, they need to run the Shred tool to achieve the same job on a Linux system.
- Modifying logs: In some cases, it is easy to alter the logs using a text editor to delete the history.
- Erasing command history: On a Linux system, the bash application keeps a record of all commands run. Therefore, it is essential for the attacker to remove the command history. It can be done using the Shred application.
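Each of the clearing-tracks actions above leaves its own signal for the defender, provided logs are shipped off the host before they can be cleared. As an added example (not code from the paper), the Python below runs four detection rules over constructed, normalised log lines: a cleared Windows Security log (event ID 1102), a changed audit policy (event ID 4719), a process launch (event ID 4688) of Auditpol or Clearlog.exe, and a shred of bash history or of files under /var/log on Linux. The key=value line format is assumed for this example.

```python
import re

# Assumed (constructed) normalised log format: space-separated key=value pairs;
# the final cmdline= field runs to end of line and may contain spaces.
SAMPLE_LOG = """\
host=WS01 os=windows event_id=4624 user=jdoe cmdline=-
host=WS01 os=windows event_id=4688 user=jdoe cmdline=auditpol.exe /clear /y
host=WS01 os=windows event_id=4719 user=jdoe cmdline=-
host=WS01 os=windows event_id=1102 user=jdoe cmdline=-
host=WS01 os=windows event_id=4688 user=jdoe cmdline=Clearlog.exe Security
host=SRV02 os=linux event_id=- user=bob cmdline=ls -la /var/log
host=SRV02 os=linux event_id=- user=bob cmdline=cat /home/bob/.bash_history
host=SRV02 os=linux event_id=- user=www-data cmdline=shred -u /home/www-data/.bash_history
host=SRV02 os=linux event_id=- user=root cmdline=shred -u /var/log/auth.log
"""

LINE_RE = re.compile(
    r"^host=(?P<host>\S+) os=(?P<os>\S+) event_id=(?P<event_id>\S+) "
    r"user=(?P<user>\S+) cmdline=(?P<cmdline>.*)$"
)

# Detection rules: (rule name, predicate over a parsed record).  Windows event
# IDs 1102 (Security log cleared), 4719 (audit policy changed) and 4688 (process
# creation) are standard Security-log events; the Linux rules key on 'shred'
# aimed at bash history or at /var/log, as described in the text.
RULES = [
    ("windows_security_log_cleared",
     lambda r: r["os"] == "windows" and r["event_id"] == "1102"),
    ("windows_audit_policy_changed",
     lambda r: r["os"] == "windows" and r["event_id"] == "4719"),
    ("windows_audit_or_log_tool_launched",
     lambda r: r["os"] == "windows" and r["event_id"] == "4688"
     and re.search(r"\b(auditpol|clearlog)(\.exe)?\b", r["cmdline"], re.I)),
    ("linux_bash_history_shredded",
     lambda r: r["os"] == "linux"
     and re.search(r"\bshred\b.*\.bash_history", r["cmdline"])),
    ("linux_log_file_shredded",
     lambda r: r["os"] == "linux"
     and re.search(r"\bshred\b.*\s/var/log/", r["cmdline"])),
]


def parse_line(line):
    """Return a record dict for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_anti_forensics(lines):
    """Apply every rule to every parsable line; one alert per (line, rule) hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, predicate in RULES:
            if predicate(rec):
                alerts.append({"rule": name, "host": rec["host"],
                               "user": rec["user"], "line": line.strip()})
    return alerts


def summarize(alerts):
    """Group distinct rule hits per (host, user).  Auditpol alone has legitimate
    administrative uses, so several different signals from one account in a
    short span is the triage condition, not any single hit."""
    grouped = {}
    for a in alerts:
        grouped.setdefault((a["host"], a["user"]), set()).add(a["rule"])
    return {key: sorted(rules) for key, rules in grouped.items()}


if __name__ == "__main__":
    for (host, user), rules in summarize(
            detect_anti_forensics(SAMPLE_LOG.splitlines())).items():
        print(f"{host} {user}: {', '.join(rules)}")
```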

Ethical Hacking Stage | Tool | Purpose
--- | --- | ---
Reconnaissance - Passive Tools | Wireshark | Network traffic analyser (works on Windows OS and Linux OS)
 | Google | Gives basic information about a website (works on Windows OS and Linux OS)
 | FindSubDomains.com | To find out website identity
 | VirusTotal | Analysis of potentially malicious files; behavioural analyser
 | Shodan | IoT-based search engine; assists in finding devices' IP addresses
 | OSINT | Monitor relevant information contained on social media
Reconnaissance - Active Tools | NMAP | Network scanner; finds system services and application-related information
 | Nessus | Vulnerability scanner
 | OpenVAS | Vulnerability scanner
 | Nikto | Web server vulnerability scanner
 | Metasploit | Exploitation toolkit
 | NSLookup | Used to obtain information regarding DNS
 | Zenmap | Used for network diagnostics
 | Ping | To find out a local computer's IP address and connectivity
Gaining Access | John The Ripper | Password cracking tool (runs on Windows and Linux OS)
 | Aircrack | Wireless password cracking tool
 | Fluxion | Social engineering tool; used to get WiFi passwords using keystrokes
 | Cain & Abel | Tool to crack passwords (runs on Windows OS)
 | Metasploit | Penetration testing software and cyber security framework; used for penetration testing
Maintaining Access | Beast | Trojan horse used to create backdoors (runs on Windows OS)
 | OSForensics | Forensic tool used to delete log files and registry files (runs on Windows OS)
Clearing Tracks | Shred | Used to clear Bash command history and logs (runs on Linux)

Table 1: Ethical Hacking Tool and Apps [12, 16]

6. Methodology

We created a dummy environment in which we act as ethical hackers exploiting a system to obtain confidential information from a company. The plan was to attack a dummy company and steal its confidential information using both server-side and client-side exploitation. First, we gathered the company's network infrastructure and internal information. All staff computers run the Windows 7 Operating System with Microsoft Security Essentials antivirus. Their network security includes a hardware firewall to filter unauthorized packets entering the network. Furthermore, most of the staff phones run the Android operating system. Inside the company, the staff use “Skype for Business” to communicate with each other and for video conferencing between branches.

We planned to use Metasploit to create a payload that gives access to the company laptops and mobile phones. The client-side exploit is the direct route into the targeted company infrastructure: a phishing email delivers the exploit to the appropriate staff working in the company. If the company staff do not fall for the phishing email, our backup plan is the server-side exploit. For this purpose, we must enter the company network to launch the exploit, so this plan required more careful planning of how to access the company network from the inside. In return, the server-side exploit can access a company computer without the user executing any file, so it leaves no evidence of a user opening an infected file. To assist in gaining the company's confidential information, we also used an exploit to access the mobile devices of company staff and extract information that might be useful.

6.1. Metasploit

The Metasploit Framework is the open-source software on which its commercial products are built. It provides the infrastructure and tools for the user to perform penetration tests and security auditing. The Metasploit Framework eases the effort of exploiting vulnerabilities in networks, operating systems and applications, and of generating new exploits for new or unknown vulnerabilities. Metasploit offers many features such as information gathering, vulnerability scanning, exploit development and client-side attacks [17].

6.2. Basic Concepts of Metasploit

Workspace: A workspace is a container that holds the data, reports, targets, and tasks that the user needs for the penetration test. All penetration testing actions must be done inside a workspace in the Metasploit framework.

Module: Most actions performed in Metasploit require the use of a module. A module is a piece of code that extends the functionality of the Metasploit framework.

Discovery scan: A scan performed by Metasploit to enumerate and fingerprint targets.

Exploit: An exploit is a program that takes advantage of a specific vulnerability, delivers a payload to the target and provides the attacker with access to the targeted system.

Meterpreter: Meterpreter is a multi-function payload that provides an interactive shell. It runs in memory, so it is not detected by intrusion detection systems.

Payload: A payload is shellcode that executes on the target's system after an exploit successfully compromises the system. Bind shell and reverse shell payloads are the two options that define how you want to connect to the shell.

Vulnerability: A security flaw or weakness that allows the attacker to compromise a target.

Listener: A listener waits for an incoming connection message from the other end of the connection and manages the connection when the message is received [18, 19].

6.3. Functionality of Metasploit

Reconnaissance is the process of gathering information to understand a network better and to create a list of target IP addresses. A discovery scan identifies the operating systems running on the network, maps those systems to IP addresses, and enumerates the open ports on those systems. In the default settings, a discovery scan includes a UDP scan that sends UDP probes to the most common ports such as DNS, DHCP, and SNMP. It also uses Nmap to perform basic TCP port scanning, and additional scanner modules are executed to obtain more information about the target host [17, 18, 19].

6.4. Four Phases of a Discovery Scan

Ping scan: The ping scan is the first phase of the discovery scan. It tells Nmap to perform a normal ICMP ping sweep to determine whether the hosts are online; if there is an echo reply, the discovery scan includes the host in the port scan.

Port scan: During the second phase, Nmap is used to identify the services available on the open ports. It sends probes to the ports and determines the state of each port by classifying the responses.

OS and version detection: The third phase begins when Nmap sends various probes to the open ports to detect the service version numbers and the operating system based on how the system replies to the inquiries. The operating system and version numbers help to locate vulnerabilities.

Data import: During the last phase, Nmap gathers all the collected data and creates a report that is imported into the project [20].

7. Experiments and Results

Three main types of payload modules can be used in the Metasploit framework.

Singles: Single payloads are generally self-contained, so they can be used in conjunction with non-Metasploit handlers such as netcat; they are completely standalone.

Stagers: Stagers are small and reliable payloads that set up a network connection between the attacker and the victim; several similar stagers are available.

Stages: Payload components that are downloaded by stager modules are called stages. Stages such as Meterpreter provide advanced features with no size limitation.

To have a successful attack on the targeted system, reasonable planning steps need to be conducted. The steps that a hacker needs to conduct are as follows:

- Determine the network information of the targeted system.
- Determine the operating system of the targeted system.
- Determine the common and open ports on the targeted system.

The most important part is getting to know the company's network structure, such as the public IP addresses of servers, the private network subnet, the provided services, network security, and so on. Once hackers have gathered all the network information, they can plan whether to perform the attack from inside or outside the company network. Figure 2 shows the network diagram.

Figure 2: Experimental Network Environment

Besides that, we determined the operating system of the targeted system to find out the latest vulnerabilities for that operating system and the suitable framework module to attack it. After that, we needed to find the common and open ports on the targeted system. This ensures that the framework can establish a session between the targeted system and the local attack machine over the specific open ports. As ethical hackers, we can use common ports such as the HTTP port to bypass the firewall, as the HTTP port is normally enabled by default in the firewall. Nmap is a network exploration tool, and it is used to perform port scanning and determine the targeted operating system [21].

There are two types of exploit: client-side and server-side. A client-side exploit means exploiting vulnerabilities on the client side by executing malicious files to create a session. In contrast, server-side exploitation exploits vulnerabilities on the server side without executing anything on the client machine.

7.1. Client-Side Exploit

To exploit a machine, a payload is needed to create a communication link between the victim and the server. Msfvenom is a Metasploit tool used to generate a complete payload and encode it to make sure it functions properly. Msfvenom can also generate a payload to be merged into an existing executable file. Msfvenom is the single framework instance that replaced the earlier Msfpayload and Msfencode command-line tools.

The payload generated by msfvenom alone is not good enough because it is not encrypted and can be detected by security software, which is the main hindrance to client-side exploitation. So, to create a payload that will evade security software such as antivirus, an advanced payload generator must generate and encrypt the payload. Veil is a tool used to generate Metasploit payloads that evade common antivirus. Using Veil, the chance of successful client-side exploitation is higher than with msfvenom, whose encoding is not as strong as Veil's. Below are the steps for generating a Metasploit payload using Veil 3.0 and delivering it to the victim machines. In Kali Linux, we launched Veil 3.0 by entering “./Veil.py”. The Veil-Evasion tool is used to generate the Metasploit payload [22].

Figure 3: Usability of Veil-Evasion Tool

The python script “python/meterpreter/rev_tcp.py” is used to generate a Metasploit reverse TCP payload, for which the TCP port can be specified manually, as shown in figure 4.

Figure 4: TCP Port Payload

After that, we used the Pyherion encrypter to encrypt the Metasploit payload to provide better antivirus evasion. The Metasploit local server is set to “invisible.viewdns.net”, which is the attacker's domain, and the listener port to 443 so that the connection can pass through the company firewall.

Figure 5: Payload Configuration

Then the payload name is set to “mgmtsys_setup”, which poses as the setup file of the management system.

Figure 6: Specify output file name

Pyinstaller is used to compile the Python payload script into a payload executable so that the file can run on the Windows platform. The payload executable is created successfully, as shown in figure 7.

Figure 7: Payload Successfully Generated

After generating the payload, we set up the listener using the Metasploit console to receive the incoming connection from the victim company PC. In this case, LHOST can be set to an IP address instead of the domain name because the listener runs on our own server, so entering the interface's IP address is enough. LPORT is the same as the LPORT of the generated payload, which is 443.

Figure 8: Setup Listener

Assume that the workers received the payload via email and executed it by double-clicking the file. After the victim company's workers executed the file, the PC established a connection to the Metasploit server.

Figure 9: Session Established

Now we have gained full access to the victim PCs. We can do whatever we want, such as download prototypes of the victim company's product details, private files, and financial statements.

7.2. Server-Side Exploit

EternalBlue is an exploit for a Windows Operating System vulnerability, Microsoft bulletin MS17-010, leaked on April 14, 2017 [23]. The exploit was developed by the National Security Agency (NSA) but was leaked by a group of hackers called the Shadow Brokers. It affects different Windows OS versions from Windows XP to Windows 7. The exploit works by using a loophole in Microsoft Server Message Block 1.0 (SMBv1), the network file sharing protocol that allows computer applications to access files across a computer network.

DoublePulsar is a backdoor implant that allows any malware to be injected into the victim's computer; thus, it is used together with the EternalBlue exploit [24]. It was also used during the WannaCry ransomware attack. The tool runs in kernel mode, which means it has high-level access over the computer system.

7.2.1 Windows Escalate UAC Protection Bypass

Windows Escalate UAC Protection Bypass is an exploit that allows a hacker to bypass User Account Control (UAC) to gain full privileges for making changes to the operating system. This is done by utilizing a trusted publisher certificate during process injection, which turns off the UAC flag [25]. Once the hacker has successfully accessed the victim computer remotely using the EternalBlue with DoublePulsar exploit, this exploit gives the hacker full administrator privileges on the victim's computer [25, 26].

7.2.2 Exploit PC Remotely

To use this exploit, we first scanned the computers connected to the network using the Nmap tool. Since we are accessing from inside the internal network, we can check the company network by typing “nmap -sn 192.168.199.0/24”, where 192.168.199.0/24 is the network address of the company. The -sn option tells Nmap to ping the hosts only, without scanning ports, to check connectivity from the hacker to the victim computers. After the scan completed successfully, the results were as shown in figure 10. In this scenario, we target the host with IP address 192.168.199.137.

Figure 10: Nmap - Result of the computers connected to the network

After this we used Metasploit by launching Msfconsole. Next, to check whether this victim's IP address is vulnerable to the EternalBlue exploit, the hacker would use the Metasploit scanner for EternalBlue by typing use auxiliary/scanner/smb/smb_ms17_010. This loads the scanner module for this vulnerability.

Figure 11: Metasploit Scanner

To know what information is required for this module, we used the command show options to list all the module's options. RHOSTS, the remote host IP address, is necessary for the scanner to work. Since the hacker already knows the victim's IP address, we used the command set RHOSTS with the victim's IP address. The results are shown in figure 12.

Figure 12: Metasploit Scanner EternalBlue – Set RHOSTS

Next, we ran the scanner by using the command exploit. The victim's computer is vulnerable to the EternalBlue exploit, which means that we can gain access to the victim's files by using this exploit, as shown in figure 13.

Figure 13: Metasploit Scanner Results

Now that we know the victim is vulnerable, we proceeded to exploit it by running the EternalBlue exploit module.

Figure 14: Metasploit EternalBlue Exploit

To know what information is needed, the show options command is used. We set RHOSTS to the victim's IP address. Since the victim uses a 64-bit version of Windows, we need to set TARGETARCHITECTURE to x64 and then set PROCESSINJECT to explorer.exe; the exploit is injected into explorer.exe. After this we set the payload. In this scenario, we used the Meterpreter reverse TCP payload. Meterpreter allows the hacker to control the victim computer, for example to capture the victim's keystrokes, use VNC to see what the victim is currently doing, and so on. When the show options command is entered now, we can see the EternalBlue options and the Payload options. In the Payload options, LHOST is required for this payload; we set LHOST to the IP address of the hacker computer. To launch the exploit, enter the command exploit. This triggers the vulnerability and injects the DLL into the victim computer. Once the Meterpreter prompt is shown, the exploit has succeeded, as shown in figure 15.

Figure 15: Exploit Successful

Now we have control over the victim computer, but with limited privileges, as shown in Figure 16.

Figure 16: Exploit Access

To obtain full privileges, we need to launch another exploit. First, we put the current connection to the victim's PC in the background with the command background; it is important to remember which session number is in the background. Then we use the exploit/windows/local/bypassuac module to gain full access. Its show options output shows that the bypassuac exploit requires a session. Since our backgrounded connection to the victim computer is session 2, we set SESSION to 2. This means the exploit will use the successful connection from the previous exploit to inject this one. Next, we set the payload, which is windows/meterpreter/reverse_tcp.

Figure 17: Bypass UAC Set Payload

Now we use the command show options to see what information the payload requires. It needs the host IP address of the hacker, so we set LHOST and LPORT. By entering the command exploit, the exploit starts to execute. Once we see the Meterpreter prompt, the exploit has executed successfully on the victim computer. Running getprivs, as shown in figure 18, confirms that we have full privileges on the victim computer's operating system.

Figure 18: Meterpreter - Enable privileges

7.3. Discussion

We have used two types of exploit, client-side and server-side. Each has its own pros and cons.

Pros

| Client-Side Exploit | Server-Side Exploit |
|---|---|
| Easy to exploit NAT-enabled network devices, as the malicious file contains the hacker's server public IP address and port. | Exploited by the Metasploit server without executing a malicious file at the client side. |
| Able to exploit everyone by giving the malicious file to everyone, without specifying the targeted IP addresses one by one. | This kind of exploit can bypass antivirus checking. |

Cons

| Client-Side Exploit | Server-Side Exploit |
|---|---|
| We need to send the malicious file to the client side to exploit the machine. It also requires user interaction, such as clicking on the malicious file. | Hard to exploit NAT-enabled network devices, as not every internal device is configured as a virtual server that maps the internal device to the WAN interface with a specific port. |
| The malicious file may be detected and removed by antivirus. | Hard to exploit multiple target machines at the same time. |

Today, cybercrimes are growing exponentially worldwide, causing significant financial damage to companies and individuals. Recent studies and research on cyber protection show that cases of hacked and infected data are increasing from common sources including smartphones, IoT networks, social networking, and other services. Figure 19 provides detail on the forms of cyberattack methods in the USA [27].

Figure 19: Types of growing cyber-attack methods in the USA

Metasploit attacks can be defended against with traditional security measures such as patching, running programs on least-privileged systems, restricting network access to trusted hosts, and other general controls. We suggest using the CIS Critical Security Controls, a prescribed series of cyber security actions that include concrete and actionable means of stopping the most common and harmful attacks [29, 30]. The new CIS Controls comply with current independent guidelines and guidance on defence, and people can use them to maintain their security enhancement program.

Network protection software and resources exist to help a company secure not only its classified details but also its overall efficiency, credibility and even its business capacity. Two main advantages of effective network defence are continued operating capacity and intact integrity. Table 2 shows an overview of tools that could be used to protect against Metasploit exploitation [30, 31].

| Mitigation Technique | Purpose |
|---|---|
| Nmap | By running Nmap, users may discover which ports are accessible on a computer and the services on it, and so find where weak points occur in their network. |
| Nessus | It aims to provide a secure, strong, up-to-date, and easy-to-use remote security scanner. Services running on non-standard ports can be identified by its intelligent service identification. |
| Benchmark Tools | After the network is scanned, it is useful to verify whether the OS or device settings conform to existing industry best practices. The Center for Internet Security (CIS) free Benchmark and Scoring Tool offers a fast and simple means of evaluating your systems and matching their level of security against the minimum CIS benchmark. |
| Anti-malware software | Malware is intended to propagate across operating systems and networks in the form of viruses, trojans, keyloggers, spyware, etc. Anti-malware tools are a form of network protection software designed to detect and prevent the dissemination of malicious programs. |
| Email security | It is aimed at reducing human security vulnerabilities. Using phishing tactics, attackers persuade e-mail users to share sensitive information via desktop or mobile devices or to download malware into the targeted network accidentally. Email security aims to detect hazardous communications and can also be used to block threats and prevent sensitive details from being shared. |
| Firewall, IDS and Web Security | These methods, which include software, hardware, procedures and more, cover the network security steps taken by companies to maintain secure web use while linked to an internal network. This prevents browsers from being used as entry points into the network by web-based attacks. |

Table 2: Metasploit Attack Mitigation Techniques

8. Proposed Security Prevention

Preventive measures can be taken to stop these exploits from successfully hacking into the victim's computer. One important action is installing a top-tier antivirus such as Bitdefender, Kaspersky, or Norton. These antivirus products may be more expensive than other brands, but they can detect malware that goes undetected by other brands. Besides that, regular Windows updates patch the specific loopholes in the operating system that an exploit might use to enter your computer remotely. Blocking unused ports is also crucial in a company or large organization, since a server-side exploit will use any open port to access the organization's computers and devices. The port blocking should be implemented both on software firewalls such as the Windows firewall and on hardware firewalls like the router in your network. Blocking port 445 prevents EternalBlue from using the Windows SMB loophole to enter your operating system. Additionally, implement an Intrusion Prevention System (IPS) in the organization's network to detect and prevent vulnerability exploits by monitoring the network traffic flows.
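To find which hosts still need the port 445 block, a scan of one's own network can be audited. The following Python example is added here and is not the paper's code: it parses Nmap grepable (-oG) output, lists hosts with TCP 445 or 139 open, and renders gateway iptables rules that block SMB to them; the scan output is constructed and reuses the paper's 192.168.199.0/24 addresses.

```python
"""Audit Nmap grepable (-oG) output for hosts that still expose SMB (TCP 445/139).

Added example, not part of the paper. Section 8 recommends blocking port 445 so
that EternalBlue cannot reach the SMBv1 service; this script turns a scan of your
own network into the list of hosts that still need that rule. The scan output
below is constructed for the demonstration.
"""
import re
from typing import Dict, List

SMB_PORTS = (139, 445)

# A -oG "Ports:" record: Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def parse_grepable(text: str) -> Dict[str, Dict[int, str]]:
    """Return {ip: {tcp_port: state}} from -oG output; comment and Status-only lines are skipped."""
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.group(1), m.group(3)
        hosts.setdefault(ip, {})
        for port, state, proto, _owner, _service in PORT_RE.findall(ports_field):
            if proto == "tcp":
                hosts[ip][int(port)] = state
    return hosts


def smb_exposed_hosts(hosts: Dict[str, Dict[int, str]]) -> List[str]:
    """Hosts with 445 or 139 reported open: these still need the port-445 block from Section 8."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(ports.get(p) == "open" for p in SMB_PORTS))


def gateway_block_rules(exposed: List[str]) -> List[str]:
    """iptables rules for a Linux gateway that drop forwarded SMB traffic to each exposed host."""
    return [f"iptables -A FORWARD -p tcp -d {ip} -m multiport --dports 139,445 -j DROP"
            for ip in exposed]


# Constructed -oG output of an internal scan (nmap -p 139,445,3389 -oG - 192.168.199.0/24).
SAMPLE_SCAN = "\n".join([
    "# Nmap scan (constructed sample)",
    "Host: 192.168.199.1 ()\tStatus: Up",
    "Host: 192.168.199.1 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///",
    "Host: 192.168.199.137 ()\tStatus: Up",
    "Host: 192.168.199.137 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)",
    "Host: 192.168.199.140 (fileserver)\tStatus: Up",
    "Host: 192.168.199.140 (fileserver)\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///",
    "# Nmap done (constructed sample)",
])

if __name__ == "__main__":
    exposed = smb_exposed_hosts(parse_grepable(SAMPLE_SCAN))
    print("Hosts still exposing SMB:", exposed)
    print("\n".join(gateway_block_rules(exposed)))
```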

9. Conclusion

There are several guidelines available to deter phishing attacks, such as defending email from spam. Companies and individuals should use the filtering functions of their email, although these are not 100% accurate. Browsers should be set to blacklist fake domains. In this way, users can keep a record of all bogus and fake websites, and the page is blocked and a warning shown if a user attempts to load one.

In addition, changing passwords periodically and not using the same password for all accounts is a safe idea. Websites should also have a captcha to improve safety. A company can also ban fraudulent activity from its websites: our victim website, for example, cannot be cloned, and the corporation should prevent such copying. Moreover, the company must educate its staff to become knowledgeable about the attacks, and restrict employees' access to the network and machines of the organization.

A port scan checks ports without completing a connection to our server, so the scan does not interfere with the service and may otherwise look like a legitimate attempt at contact. However, companies and customers can concentrate on tracking traffic across the network and watch for incoming traffic from one source to the same endpoint using different port numbers. The firewall can block the source IP address once the scanning source has been detected, and rules must be enforced to deny traffic from dangerous and unknown sources.
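The scan-tracking and source-blocking described above can be implemented over connection logs. The following Python example is added here and is not from the paper: it flags a source that pings many hosts (the "nmap -sn" sweep used in Section 7.2.2) or probes many ports on one endpoint within a short window, and renders an iptables drop rule per flagged source; the log format and all addresses other than the paper's 192.168.199.0/24 network are constructed.

```python
"""Flag Nmap-style ping sweeps and port scans in connection logs, then emit block rules.

Added example, not from the paper. Each constructed log line has the form
    <epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port or -> <note>
A source is a port scanner if it touches PORT_THRESHOLD distinct ports on one
destination within WINDOW seconds, and a ping sweeper if it sends ICMP to
HOST_THRESHOLD distinct hosts within WINDOW seconds (the "nmap -sn" pattern).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

WINDOW = 60           # seconds of sliding window
PORT_THRESHOLD = 10   # distinct ports on one destination
HOST_THRESHOLD = 8    # distinct hosts probed by ICMP


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    dst: str
    dport: int  # -1 for ICMP


def parse_flow(line: str) -> Flow:
    ts, proto, src, dst, dport, _note = line.split()
    return Flow(int(ts), proto.lower(), src, dst, -1 if dport == "-" else int(dport))


def distinct_within_window(events: List[Tuple[int, str]], threshold: int) -> bool:
    """True if at least `threshold` distinct values fall inside any WINDOW-second span."""
    events = sorted(events)
    counts: Dict[str, int] = defaultdict(int)
    lo = 0
    for ts, value in events:
        counts[value] += 1
        while events[lo][0] < ts - WINDOW:       # drop events that fell out of the window
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        if len(counts) >= threshold:
            return True
    return False


def detect_scanners(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each suspicious source IP to the scan techniques observed from it."""
    ports_by_pair: Dict[Tuple[str, str], List[Tuple[int, str]]] = defaultdict(list)
    icmp_by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f.proto == "icmp":
            icmp_by_src[f.src].append((f.ts, f.dst))
        else:
            ports_by_pair[(f.src, f.dst)].append((f.ts, str(f.dport)))
    findings: Dict[str, Set[str]] = defaultdict(set)
    for src, events in icmp_by_src.items():
        if distinct_within_window(events, HOST_THRESHOLD):
            findings[src].add("ping sweep")
    for (src, dst), events in ports_by_pair.items():
        if distinct_within_window(events, PORT_THRESHOLD):
            findings[src].add(f"port scan of {dst}")
    return dict(findings)


def block_rules(findings: Dict[str, Set[str]]) -> List[str]:
    """One iptables DROP rule per flagged source: the paper's 'block the source IP address' step."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(findings)]


def constructed_log() -> List[str]:
    """Constructed sample: one host sweeps the /24 and scans 192.168.199.137; another host is benign."""
    scanner, victim, t0 = "192.168.199.50", "192.168.199.137", 1620035000
    lines = [f"{t0 + i} icmp {scanner} 192.168.199.{130 + i} - echo-request" for i in range(12)]
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389, 5900, 8080, 8443]
    lines += [f"{t0 + 30 + i * 2} tcp {scanner} {victim} {p} SYN" for i, p in enumerate(ports)]
    lines += [f"{t0 + i * 1200} tcp 192.168.199.20 {victim} {p} SYN" for i, p in enumerate([443, 445, 3389])]
    return lines


if __name__ == "__main__":
    found = detect_scanners(constructed_log())
    for src, techniques in found.items():
        print(f"{src}: {', '.join(sorted(techniques))}")
    print("\n".join(block_rules(found)))
```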

The Metasploit framework can generate various kinds of payloads for different situations that allow attackers to accomplish their goals. Based on the scenario above, exploitation of systems is an area a company should always keep an eye on. Successful execution of an exploit against the company will result in a huge loss of confidential data and of the company's reputation.

References

[1] Tabassum, M. and Elkhateeb, K., 2009. Network Capability Analysis and Related Implementations Improvements Recommendations.
[2] Perumal, S., Tabassum, M., Samy, G.N., Ponnan, S., Ramamoorthy, A.K. and Sasikala, K.J., Cybercrime Issues in Smart Cities Networks and Prevention Using Ethical Hacking. Data-Driven Mining, Learning and Analytics for Secured Smart Cities: Trends and Advances, p.333.
[3] Kirda, E., Kruegel, C., Vigna, G. and Jovanovic, N., 2006, April. Noxes: a client-side solution for mitigating cross-site scripting attacks. In Proceedings of the 2006 ACM symposium on Applied computing (pp. 330-337).
[4] Mainka, C., Somorovsky, J. and Schwenk, J., 2012, June. Penetration testing tool for web services security. In 2012 IEEE Eighth World Congress on Services (pp. 163-170). IEEE.
[5] Johari, R. and Sharma, P., 2012, May. A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for SQL injection. In 2012 International Conference on Communication Systems and Network Technologies (pp. 453-458). IEEE.
[6] Goutam, A. and Tiwari, V., 2019, November. Vulnerability Assessment and Penetration Testing to Enhance the Security of Web Application. In 2019 4th International Conference on Information Systems and Computer Networks (ISCON) (pp. 601-605). IEEE.
[7] Khera, Y., Kumar, D. and Garg, N., 2019, February. Analysis and Impact of Vulnerability Assessment and Penetration Testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525-530). IEEE.
[8] Younis, Y.A., Kifayat, K., Topham, L., Shi, Q. and Askwith, B., 2019, March. Teaching Ethical Hacking: Evaluating Students' Levels of Achievements and Motivations. In International Conference on Technical Sciences (ICST2019) (Vol. 6, p. 04).
[9] Cisar, P. and Pinter, R., 2019. Some ethical hacking possibilities in Kali Linux environment. Journal of Applied Technical and Educational Sciences, 9(4), pp.129-149.
[10] Holik, F., Horalek, J., Marik, O., Neradova, S. and Zitta, S., 2014, November. Effective penetration testing with Metasploit framework and methodologies. In 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI) (pp. 237-242). IEEE.
[11] Perumal, S., Tabassum, M., Samy, G.N., Ponnan, S., Ramamoorthy, A.K. and Sasikala, K.J., Cybercrime Issues in Smart Cities Networks and Prevention Using Ethical Hacking. Data-Driven Mining, Learning and Analytics for Secured Smart Cities: Trends and Advances, p.333.
[12] TechLoop, Shaik Ajmal, 2019. Reconnaissance the key to Ethical Hacking!, viewed 15 June 2020, https://medium.com/techloop/reconnaissance-the-key-to-ethical-hacking-3b853510d977
[13] Patil, S., Jangra, A., Bhale, M., Raina, A. and Kulkarni, P., 2017, September. Ethical hacking: The need for cyber security. In 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI) (pp. 1602-160
[14] Tabassum, M., Perumal, S., Mohanan, S., Suresh, P., Cheriyan, S. and Hassan, W., 2021. IoT, IR 4.0, and AI Technology Usability and Future Trend Demands: Multi-Criteria Decision-Making for Technology Evaluation. In Design Methodologies and Tools for 5G Network Development and Application (pp. 109-144). IGI Global.
[15] GreyCampus, Gaining Access, https://www.greycampus.com/opencampus/ethical-hacking/gaining-access
[16] INFOSEC, Howard Poston, Top 10 Network Recon Tools, viewed 11 June 2020, https://resources.infosecinstitute.com/category/certifications-training/ethical-hacking/network-recon/#gref
[17] Holik, F., Horalek, J., Marik, O., Neradova, S. and Zitta, S., 2014, November. Effective penetration testing with Metasploit framework and methodologies. In 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI) (pp. 237-242). IEEE.
[18] Offensive Security 2017, Payload Types in the Metasploit Framework, Offensive Security, viewed 10 May 2021, <https://www.offensive-security.com/metasploit-unleashed/payload-types/>.
[19] Shinde, P.S. and Ardhapurkar, S.B., 2016, February. Cyber security analysis using vulnerability assessment and penetration testing. In 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare (Startup Conclave) (pp. 1-5). IEEE.
[20] Lehrfeld, M. and Guest, P., 2016, March. Building an ethical hacking site for learning and student engagement. In SoutheastCon 2016 (pp. 1-6). IEEE.
[21] Mathew, K., Tabassum, M. and Siok, M.V.L.A., 2014, August. A study of open ports as security vulnerabilities in common user computers. In 2014 International Conference on Computational Science and Technology (ICCST) (pp. 1-6). IEEE.
[22] The Security Sleuth 2015, Using Veil to bypass antivirus and disguise a Metasploit backdoor, The Security Sleuth, viewed 20 March 2021, <https://www.security-sleuth.com/sleuth-blog/2015/2/3/using-veil-with-metasploit>.
[23] Burgess, M 2017, Everything you need to know about EternalBlue – the NSA exploit linked to Petya, WIRED UK, viewed 21 April 2021, <http://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch>.
[24] Sterling, B 2017, Double Pulsar NSA leaked hacks in the wild, WIRED, viewed 19 April 2021, <https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild>.
[25] Kennedy, D 2017, Windows Escalate UAC Protection Bypass, Rapid7, viewed 15 April 2021, <https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac>.
[26] Tabassum, M. and Mathew, K., 2014, August. Software evolution analysis of linux (Ubuntu) OS. In 2014 International Conference on Computational Science and Technology (ICCST) (pp. 1-7). IEEE.
[27] Webroot, n.a., What is Social Engineering?, viewed 29 March 2021, https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering.
[28] Tabassum, M., Gabr, M., Mohanan, S. and Mathew, K., 2020. Development of smart vehicle security and entertainment system (SSES) using raspberry pi. Int. J. Eng Adv. Technol, 9(3), pp.4077-4083.
[29] N.a., SANS, “CIS Controls v8”, April 21, 2021, viewed 16 May 2021, https://www.sans.org/blog/cis-controls-v8/.
[30] Setiawan, E.B. and Setiyadi, A., 2018, August. Web vulnerability analysis and implementation. In IOP Conference Series: Materials Science and Engineering (Vol. 407, No. 1, p. 012081). IOP Publishing.
[31] Sharma, T. and Tabassum, M., 2021. Enhanced Algorithm to Optimize QoS and Security Parameters in Ad hoc Networks. In Design Methodologies and Tools for 5G Network Development and Application (pp. 1-27). IGI Global.