Guardians of the cyber world

Mehmet Zeki Özkaplan
8 min read · Mar 26, 2024


Penetration testers

Tools Used in Pentest Studies

Detecting security vulnerabilities and exploiting them requires a set of software tools; they take much of the hard work out of the job.

First, we need to gather information about the target site. The tool we use for this is Nmap (Network Mapper).

Then we exploit the discovered vulnerabilities with the Metasploit tool and make sure they get closed.

We use Linux as the operating system for all of the work carried out during the penetration test.

NMAP

Nmap (Network Mapper), as its name suggests, is a network mapping tool. It hands you a great deal of information about the target system on a silver platter, which makes it an indispensable tool for penetration testing. At the same time, the moment you run Nmap against a target, you have started a cyber attack. If you hold the relevant authorization and permissions, there is no problem. 🙂 Otherwise, you accept legal and criminal liability.

Some of the information Nmap can obtain about the target site/application is as follows:

  • Host discovery
  • Port scanning
  • Operating system detection
  • Reverse DNS resolution

After the scan we have a much clearer picture of the target: which ports are open and potentially vulnerable, and which packets get a response or pass through the firewall. We then use the Metasploit tool to act on these findings, which it presents as numbered lists.

Metasploit Framework Console (msfconsole)

Metasploit is a security project written in Ruby. Besides attacking a system and exploiting its vulnerabilities, Metasploit can also establish access to the target site or application by creating backdoors. It is one of the most important and indispensable tools in penetration testing. Depending on how a scenario unfolds, you can also add an exploit you have written (coded) yourself to Metasploit. In the rest of this article, 2 different scenarios are worked through: in scenario 1, a website without any security vulnerabilities, and in scenario 2, a website with security vulnerabilities. By working through both, you can learn how to perform the analysis in each case. Now let's move on to the practical part and perform a live pentest:

#1 Website with no vulnerabilities

After opening a terminal, we first look up the target site's address with the nslookup command, which gives us the site's IP address. From here on we work with the IP address(es).

Example: nslookup yoursitename.com

Once we have the target site's IP address, we can scan the network and build a network map with Nmap.

The command we need here is: nmap -sV 127.0.0.1

This command lists the target's open ports together with the versions of the services running on them.

The IP address 127.0.0.1 is the address of the target site discovered with nslookup.

  • The IP address(es) used here have been replaced with the localhost IP for security reasons.

During discovery, Nmap sends probe packets to the target system; a reply means that an open port, a potential way into the system, has been found.

On the website I am currently working on, the scan (seen in the image above) found 3 open ports. Normally the service versions would also appear next to these ports. But these findings are not security vulnerabilities in themselves.

Port 21 — FTP File Upload

Port 80 — HTTPS Protocol

Port 8888 — Managing/implementing lower HTTP protocols

Despite extensive analysis, no security vulnerabilities were detected on this website. However, to be sure, let's run a more detailed analysis.

For this, we enter the following command in the terminal again:

nmap -v -A yoursitename.com

This presents us with an analysis of every area of the target system.

No evidence of any security vulnerability was found on the target website I chose, both because the software it runs is the latest, up-to-date version and because it is protected by safeguards such as RSA encryption.
As a side note, thanks to the extra security measures offered by hosting companies, IP addresses that attempt attacks are detected and banned from accessing the site.

#2 Vulnerable website

To discover the IP address of the website we have chosen, we enter nslookup sitename.com in the terminal.

Then we switch to Nmap to map the network and detect the vulnerabilities of the target site. To do this, we enter nmap -sV 127.0.0.1 (the discovered IP address), which scans the target together with its service versions.
When the Nmap scan completes, the results appear under the headings PORT, STATE, SERVICE and VERSION: whether the port is open, what kind of service runs on it (what it is used for) and which version it is. This information is critical, because it tells us whether a security vulnerability may exist.
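To make the PORT/STATE/SERVICE/VERSION table easier to triage, here is an added example that is not from the original article: it parses the port table of nmap -sV normal output and, from a defender's point of view, flags open ports that are not on an expected list and open ports for which Nmap could not fingerprint a version. The scan output, function names and the expected-port set are constructed for the example.

```python
import re

# Constructed sample of `nmap -sV` normal output, modelled on the ports the
# article mentions (21, 80, 8888). Not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 127.0.0.1
Host is up (0.0010s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
21/tcp   open     ftp        vsftpd 3.0.3
80/tcp   open     http       Apache httpd 2.4.57
8888/tcp open     http-alt
443/tcp  filtered https
"""

# One port-table row: port/proto, state, service and an optional version string.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text):
    """Return one dict per port-table row found in nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, host lines and the table header are skipped
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": (version or "").strip()})
    return rows


def review_exposure(rows, expected_ports):
    """Defender's triage of the scan: open ports that should not be exposed,
    and open ports with no version string (worth checking by hand, since an
    unknown version cannot be compared against published advisories)."""
    open_rows = [r for r in rows if r["state"] == "open"]
    return {
        "unexpected": [r["port"] for r in open_rows if r["port"] not in expected_ports],
        "unversioned": [r["port"] for r in open_rows if not r["version"]],
    }


if __name__ == "__main__":
    scan = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    print(review_exposure(scan, expected_ports={80, 443}))
```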

We use the Metasploit tool to exploit the vulnerabilities found. To do this, we enter the msfconsole command in the terminal.

Next, we search Metasploit for the name of the vulnerability we detected. Copy any finding from the Nmap output (e.g. http) under the "version" column and
enter the search http command in the console.

Afterwards, we are presented with previously disclosed information about the relevant vulnerability. The Description column contains explanations and sources for this vulnerability type, and the Date column shows when the vulnerabilities were disclosed and detected. Using these, we will test whether the security vulnerability can be exploited.
We select the module with the use 1 command. The "1" here is the number of the module in the search results, and the rank shown next to it (normal, great, excellent, ...) indicates how well it is expected to work against the vulnerability. We are now inside module number 1.
Entering the show targets command in the console lists the available targets.

set target 0: among the targets listed by the previous command, we choose number 0 as the target we will attempt to log into. (Depending on the type of vulnerability chosen, we may see tens, hundreds or even thousands of options. In the present case only 1 target was shown. You can observe the difference by trying the versions from the Nmap scan and search results one by one.)

show options: this command displays the options of the target chosen in the previous step.

show payloads: this command lists the payloads (the code the exploit delivers to the system, such as a backdoor) available in the options.

set PAYLOAD 5: this command selects one of the payloads from the previous step (number 5 in the numbered list) and configures our target accordingly.

show options: this command shows us the options of our target once more.

In this way, by performing your own pentest, you can check whether there are any signs of security vulnerabilities on your website.

What You Need to Do to Avoid Having a Security Vulnerability

No one wants a security vulnerability in the website or application they actively use. Still, many people do not know exactly what to do about it.

If you do not want security vulnerabilities on your website or application, I have a few suggestions for you.

  • Always use the latest version of your system. Each update corrects the shortcomings of the previous version, adds improvements and closes known security vulnerabilities. With every release, developers publish what they changed; malicious actors read these notes to learn what was fixed, then look for websites still running the old version and exploit the vulnerability.
  • If you run a CMS (content management system) such as WordPress, choose your plugins carefully and keep them updated. A little research into the recent past shows that security vulnerabilities in many plugins have affected tens of thousands of site owners and users, whose personal information and data were disclosed or used for malicious purposes.
  • During software development, test continuously and test every version as soon as it is built. This way, future problems are detected early and solutions are produced.
  • Prevent the use of special characters (*/><%) in areas such as the comment panel, contact form and user registration on your site. This stops malicious users from executing malicious code, which can cause you big problems. XSS attacks and HTML injection are examples of this situation.
  • Serve your website over the "https" protocol. If you still have an http site, switch to https immediately: sites on the http protocol are like houses with their doors open and are vulnerable to attacks. HTTPS encrypts the traffic, which benefits both site owners and users and helps protect your data.
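As an added example that is not part of the original article, the following compares the character blocklist suggested above with contextual output encoding, the standard mitigation for XSS and HTML injection in a comment panel: the blocklist also rejects harmless text such as a comparison sign, while encoding lets that text through and still renders every sample as plain text. The sample inputs and function names are constructed for the example.

```python
import html
import re

# Constructed comment-form inputs: two harmless, two markup-injection attempts.
SAMPLES = [
    "Great article, thanks!",
    "5 > 3 && 2 < 4",
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
]

# The character blocklist from the article's suggestion.
BLOCKED = set("*/><%")


def reject_special_chars(text):
    """Blocklist approach: accept the input only if none of the listed
    special characters appear in it. Returns True when accepted."""
    return not (BLOCKED & set(text))


def encode_for_html_body(text):
    """Contextual output encoding: keep the raw text, but escape <, >, &, " and '
    at the point where it is rendered inside an HTML element body, so the
    browser treats it as text rather than markup."""
    return html.escape(text, quote=True)


def render_comment(text):
    """Render a comment into a fixed template using output encoding."""
    return '<p class="comment">%s</p>' % encode_for_html_body(text)


def contains_markup(rendered):
    """Review check: does the rendered comment body still contain a tag start
    other than the template's own <p> ... </p>?"""
    inner = rendered[len('<p class="comment">'):-len("</p>")]
    return re.search(r"<[a-zA-Z/!]", inner) is not None


def compare(samples):
    """Per sample: (rejected by the blocklist?, rendered safely by encoding?)."""
    return {s: (not reject_special_chars(s),
                not contains_markup(render_comment(s))) for s in samples}


if __name__ == "__main__":
    for sample, verdict in compare(SAMPLES).items():
        print(repr(sample), "-> blocklist rejects:", verdict[0], "| encoded safely:", verdict[1])
```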

Mehmet Zeki Özkaplan

Harran University, Computer Engineering Student [ CYBER SECURITY ]