SYSTEM VAPT
A Project Report for Industrial Training and Internship submitted by
ROHON KUMAR DUTTA
SOURAV MONDAL
SUBHAM SHARMA
SRIJITA BISWAS
SUDHAMAY SARDAR
SUBHRANIL GANGULY
Under the guidance of
SACHCHIDANANDA MANDAL
In the partial fulfillment of the award of the degree of
B. TECH at
JIS COLLEGE OF ENGINEERING
at
Ardent Computech Pvt. Ltd.
CERTIFICATE FROM SUPERVISOR
This is to certify that ROHON KUMAR DUTTA, SOURAV MONDAL, SUBHAM SHARMA, SRIJITA
BISWAS, SUDHAMAY SARDAR, SUBHRANIL GANGULY completed the project titled " SYSTEM VAPT "
under my supervision during the period from “07.07.2025” to “18.07.2025” which is in partial
fulfillment of requirements for the award of the B. TECH degree and submitted to “Ardent
Computech Pvt. Ltd”.
Signature of the Supervisor Date:
Name of the Project Supervisor: SACHCHIDANANDA MANDAL
ACKNOWLEDGEMENT
The achievement associated with the successful completion of any task would be incomplete without
mentioning the names of those whose endless cooperation made it possible. Their constant guidance
and encouragement made all our efforts successful.
We take this opportunity to express our deep gratitude towards our project mentor, Mr.
SACHCHIDANANDA MANDAL for giving such valuable suggestions, guidance, and encouragement
during the development of this project work.
Last but not least we are grateful to all Ardent Computech Pvt. Ltd. faculty members for their support.
ABSTRACT OF THE PROJECT
Penetration Testing is a specialized security auditing method in which a tester simulates an attack
on the system. The goal of this testing is not to damage the system but to identify attack surfaces,
vulnerabilities, and other security weaknesses from the perspective of an attacker. Throughout the
testing, great care is taken that no system gets damaged. This type of testing involves manual
scanning tools like Nmap, Nikto, WPScan and Metasploit and automated vulnerability scanning tools
like Nessus.
This report first introduces the steps taken for testing the security of a system and then presents
the attack narrative in which the system is exploited and proof of exploitation is shown. Lastly, the
vulnerabilities are rated according to their impact on the system and recommendations for each
vulnerability are given.
CONTENTS
1 Introduction
- General Introduction
- Problem Definition
- Objective
- Methodology
2 Literature Survey
- Passive Reconnaissance
- Active Reconnaissance
- Nmap
- Metasploit
3 Attack Narrative
- Open Ports & Services
- Vsftpd Backdoor Exploit
- PRNG Brute Force Exploit
- Samba Exploit
- Unreal IRCD Exploit
- Distcc Exploit
- GRUB Misconfiguration
4 Conclusion
5 References and Bibliography
1. INTRODUCTION
1.1 General Introduction:
A penetration test, also known as a pen test, is an authorized simulated attack on a computer system
that looks for security weaknesses, potentially gaining access to the system's features and data.
The process typically identifies the target systems and a particular goal, then reviews available
information and undertakes various means to attain the goal. A penetration test target may be a
white box (which provides background and system information) or a black box (which provides only
basic or no information except the company name). A penetration test can help determine whether
a system is vulnerable to attack, whether the defences were sufficient, and which defences (if any)
the test defeated.
Security issues that the penetration test uncovers should be reported to the system owner.
Penetration test reports may also assess potential impacts to the organization and suggest
countermeasures to reduce risk.
The goals of a penetration test vary depending on the type of approved activity for any given
engagement with the primary goal focused on finding vulnerabilities that could be exploited by a
nefarious actor, and informing the client of those vulnerabilities along with recommended mitigation
strategies.
Penetration tests are a component of a full security audit. For example, the Payment Card Industry
Data Security Standard requires penetration testing on a regular schedule, and after system changes.
1.2) Problem Definition:
Computer applications are becoming more complex day by day and the risks associated with them
are also increasing. Developers and administrators cannot fully ensure the safety of the system.
Hence, we need to attack the system from the perspective of an attacker. There are many
automated scanners like Nessus, but they also do not ensure the full safety of the system. These
automated scanners that search for vulnerabilities are good enough to identify well-known
vulnerabilities, but they fail to identify security misconfigurations. Also, automated scans do not
ensure the safety of the system and in some cases can perform a Denial of Service on the
system.
Further, they can leave backdoors in the system after checking and exploiting it. So, we need to
manually verify the security misconfigurations that these scanners fail to identify. Further, we need to
ensure that no damage is done while performing penetration tests on the system.
1.3) Objective:
The objective of this penetration test is to identify security vulnerabilities on the system, to what
extent they can be exploited, and what risks are associated with them. Besides these, we have the
following objectives:
Perform broad scans to identify potential areas of exposure and services that may act
as an entry point.
Perform targeted scans and manual investigations to validate vulnerabilities.
Rank vulnerabilities based on threat level, loss potential, and likelihood of
exploitation.
Perform supplemental research and developmental activities to support analysis.
Identify issues of immediate consequence and recommend solutions.
Develop long-term recommendations to enhance security.
Consider the safety of the system at every point of the attack.
1.4 Methodology:
Phase 1 - Reconnaissance
Reconnaissance is probably the longest phase, sometimes lasting weeks or months. The black hat
uses a variety of sources to learn as much as possible about the target business and how it operates,
including:
Internet searches
Social engineering
Dumpster diving
Domain name management/search services
Non-intrusive network scanning
The activities in this phase are not easy to defend against. Information about an organization finds its
way to the Internet via various routes.
Phase 2 - Scanning
Once the attacker has enough information to understand how the business works and what
information of value might be available, he or she begins the process of scanning perimeter and
internal network devices looking for weaknesses, including
Open ports
Open services
Vulnerable applications, including operating systems
Weak protection of data in transit
Make and model of each piece of LAN/WAN equipment
Phase 3 - Gaining Access
Gaining access to resources is the whole point of a modern-day attack. The usual goal is to either
extract information of value to the attacker or use the network as a launch site for attacks against
other targets. In either situation, the attacker must gain some level of access to one or more network
devices.
As a defence, encrypt highly sensitive information and protect the keys. Even if network security is
weak, scrambling information and denying the attacker access to encryption keys is a good final
defence when all other controls fail. But do not rely on encryption alone; there are other risks from
weak security, such as system unavailability or the use of your network in the commission of a crime.
Phase 4 - Maintaining Access
Having gained access, an attacker must maintain access long enough to accomplish his or her
objectives. Although an attacker reaching this phase has successfully circumvented your security
controls, this phase can increase the attacker’s vulnerability to detection.
Phase 5 - Covering Tracks
After achieving his or her objectives, the attacker typically takes steps to hide the intrusion and
possible controls left behind for future visits. Again, in addition to anti-malware, personal firewalls,
and host-based IPS solutions, deny business users local administrator access to desktops. Alert on
any unusual activity, any activity not expected based on your knowledge
of how the business works. To make this work, the security and network teams must have at least as
much knowledge of the network as the attacker has obtained during the attack process.
2. Literature Survey
2.1) Passive Reconnaissance
This is also known as Open-Source Intelligence (OSINT) or simply Information Gathering. The idea
behind passive reconnaissance is to gather information about a target using only publicly available
resources.
Some references will assert that passive reconnaissance can involve browsing a target’s website to
view and download publicly available content whereas others will state that passive reconnaissance
does not involve sending any packets whatsoever to the target site.
Types of passive reconnaissance:
Passive Information Gathering: Passive information gathering is generally only useful if there is a
very clear requirement that the information gathering activities never be detected by the target. This
type of profiling is technically difficult to perform, as we never send any traffic to the target
organization, either from one of our own hosts or from "anonymous" hosts or services across the
Internet. This means we can only use and gather archived or stored information. As such, this
information can be out of date or incorrect, as we are limited to results gathered from a third party.
Semi-passive Information Gathering:
The goal for semi-passive information gathering is to profile the target with methods that would
appear like normal Internet traffic and behaviour. We query only the published name servers for
information, we aren’t performing in-depth reverse lookups or brute force DNS requests, and we
aren’t searching for “unpublished” servers or directories. We aren’t running network level port scans
or crawlers and we are only looking at metadata in published documents and files; not actively
seeking hidden content. The key here is not to draw attention to our activities. Post mortem the
target may be able to go back and discover the reconnaissance activities but they shouldn’t be able
to attribute the activity back to anyone.
Browsing web pages, reviewing available content, downloading posted documents or reviewing any
other information that has been posted to the public domain would all be considered in-scope. It
does not involve actions such as sending crafted payloads to test input validation filters, port
scanning, vulnerability scanning, or other similar activities which would fall under the definition of
active reconnaissance.
2.2) Active reconnaissance
Active reconnaissance involves actual interaction with the target to get information about it.
This type of information gathering is more accurate than the passive one. Its disadvantages are that
it can sometimes damage the system and that it is easier for the target machine to detect.
hping3 tool
This tool can craft packets at IP layer 3 and above [1]. It can be used to find the open ports on
the target system and to perform small attacks on a target, such as Smurf and LAND attacks.
Further, it can be used to set TCP flags and to fuzz the target system. It is a command-line tool and
can also perform idle scanning of a target.
Scapy
This module is built in Python and can be used to create custom packets at layer 2, layer 3, layer 4
and other upper layers [2]. Further this tool can be combined with Python to form scripts. This tool
can be used to manually probe networks and identify the open ports and for banner grabbing.
2.3) Nmap
Nmap (Network Mapper) is a security scanner, originally written by Gordon Lyon (also known by his
pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus
building a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the
target host(s) and then analyses the responses.
The software provides a number of features for probing computer networks, including host discovery
and service and operating-system detection. These features are extensible by scripts that provide
more advanced service detection, vulnerability detection, and other features. Nmap can adapt to
network conditions including latency and congestion during a scan. The Nmap user community
continues to develop and refine the tool.
Nmap features:
Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to
TCP and/or ICMP requests or have a particular port open.
Port scanning – Enumerating the open ports on target hosts [3].
Version detection – Interrogating network services on remote devices to determine
application name and version number.
OS detection – Determining the operating system and hardware characteristics of network
devices.
Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua
programming language.
Nmap can provide further information on targets, including reverse DNS names, device types, and
MAC addresses.
Typical uses of Nmap:
Auditing the security of a device or firewall by identifying the network connections which can
be made to, or through it.
Identifying open ports on a target host in preparation for auditing.
Network inventory, network mapping, and maintenance and asset management.
Auditing the security of a network by identifying new servers.
Generating traffic to hosts on a network, response analysis and response time measurement.
Finding and exploiting vulnerabilities in a network.
2.4) Metasploit
The Metasploit Project is a computer security project that provides information about security
vulnerabilities and aids in penetration testing and IDS signature development [4].
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and
executing exploit code against a remote target machine. Other important sub-projects include the
Opcode Database, shellcode archive and related research.
The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built
into the Metasploit Framework.
Metasploit Framework
The basic steps for exploiting a system using the Framework include:
Choosing and configuring an exploit (code that enters a target system by taking advantage of
one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems
are included);
Optionally checking whether the intended target system is susceptible to the chosen exploit;
Choosing and configuring a payload (code that will be executed on the target system upon
successful entry; for instance, a remote shell or a VNC server);
Choosing the encoding technique so that the intrusion-prevention system (IPS) ignores the
encoded payload;
Executing the exploit.
This modular approach – allowing the combination of any exploit with any payload – is the major
advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.
Metasploit runs on Unix (including Linux and Mac OS X) and on Windows. The Metasploit Framework
can be extended to use add-ons in multiple languages. To choose an exploit and payload, some
information about the target system is needed, such as operating system version and installed
network services. This information can be gleaned with port scanning and OS fingerprinting tools
such as Nmap. Vulnerability scanners such as Nexpose, Nessus, and OpenVAS can detect target
system vulnerabilities. Metasploit can import vulnerability scanner data and compare the identified
vulnerabilities to existing exploit modules for accurate exploitation.
Exploits
Metasploit currently has over 1613 exploits, organized in different categories like:
Firefox: a collection of (mostly) remote code execution exploits for this browser.
Android and Apple's iOS: exploits dedicated to mobile phones [5].
Linux, Windows, BSD, Irix, Solaris, …: exploits targeting specific operating systems.
Multi: exploits that aren't tied to a specific platform.
Payloads
Metasploit currently has over 438 payloads. Some of them are:
Command shell enables users to run collection scripts or run arbitrary commands against the
host.
Meterpreter enables users to control the screen of a device using VNC and to browse, upload
and download files.
Dynamic payloads enable users to evade anti-virus defences by generating unique payloads.
3. Attack Narrative
3.1) Open Ports & Services
The first step of this testing was scanning the IP with Nmap to reveal open ports and services, along
with their versions, that can be used as entry points to the server. Further, the operating system was
enumerated so that the target system could be identified for exploits. The following query was
performed to discover the open ports and services:
The above 30 ports are found to be open on the metasploitable2 server. The next step is to
enumerate each service and test for security vulnerabilities.
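The version detection described in section 2.3 only pays off if the scan output is turned into an inventory that can be compared against what the asset owner expects. The following is an added example (not part of the report and not the scan that produced the 30 open ports above): it parses Nmap's -oX XML into rows, flags open ports outside a baseline, and matches product/version strings against the findings of this report. The XML document, the baseline port set and the host address are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap -oX output (not the report's real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" version="7.94">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/>
      </port>
      <port protocol="tcp" portid="3632">
        <state state="open" reason="syn-ack"/>
        <service name="distccd" product="distccd" version="v1"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed" reason="reset"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Ports the asset owner expects to be listening on this host (constructed baseline).
BASELINE_PORTS = {22}

# (product regex, version regex, label) taken from the findings in section 3 of the report.
KNOWN_BAD = [
    (r"vsftpd", r"^2\.3\.4$", "vsftpd 2.3.4 backdoor (section 3.2)"),
    (r"Samba", r"^3\.0\.(2[0-4]|25rc)", "Samba 3.0.20-3.0.25rc3 username map script (section 3.4)"),
    (r"distcc", r".*", "distcc exposed without access restriction (section 3.6)"),
]


def parse_nmap_xml(xml_text):
    """Return one dict per <port>: host, port, proto, state, service, product, version."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return rows


def triage(rows, baseline=BASELINE_PORTS, known_bad=KNOWN_BAD):
    """Flag open ports outside the baseline and versions matching known findings."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue  # only listening services matter for exposure
        if r["port"] not in baseline:
            findings.append((r["port"], "unexpected open port: %s %s %s"
                             % (r["service"], r["product"], r["version"])))
        for prod_re, ver_re, label in known_bad:
            if re.search(prod_re, r["product"], re.I) and re.search(ver_re, r["version"]):
                findings.append((r["port"], label))
    return sorted(findings)


if __name__ == "__main__":
    for port, message in triage(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print("%5d  %s" % (port, message))
```

Run against a real scan with `nmap -sV -oX scan.xml <host>` and feed the file contents to parse_nmap_xml. Matching on version banners is only a first pass: a patched distribution package can keep an old version string, and a service can hide its banner, so each hit still needs the manual verification the report performs in the following sections.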
3.2) Vsftpd backdoor command execution
Description: vsftpd version 2.3.4 contains a backdoor that can be invoked by logging in on FTP
using a smiley after the user's name and without giving a password [6]. After successful command
completion the attacker gets a remote shell on port 6200 of the target machine.
Risk Rating: High
Recommendation:
Since version 2.3.4 of vsftpd contains the backdoor, the best possible way to mitigate this risk is
to update to the latest version of vsftpd.
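Until the upgrade is done, the finding above can be watched for. The following is an added example (not from the report) of the three checks a defender has for this backdoor: the banner identifies the vulnerable version, a login attempt whose username contains ":)" is the trigger, and a new listener on port 6200 is the result. The log lines imitate the layout of vsftpd.log ("date [pid N] [user] EVENT: Client ...", an assumption about the format), and the socket listing imitates `ss -lnt`; all of them are constructed.

```python
import re

# Constructed log lines in the shape of vsftpd.log (format assumed, not captured output).
SAMPLE_VSFTPD_LOG = """\
Mon Jul  7 10:14:55 2025 [pid 2101] CONNECT: Client "192.0.2.5"
Mon Jul  7 10:14:58 2025 [pid 2100] [alice] OK LOGIN: Client "192.0.2.5"
Mon Jul  7 10:15:30 2025 [pid 2133] CONNECT: Client "192.0.2.77"
Mon Jul  7 10:15:31 2025 [pid 2132] [user:)] FAIL LOGIN: Client "192.0.2.77"
Mon Jul  7 10:16:02 2025 [pid 2140] [bob] FAIL LOGIN: Client "192.0.2.9"
"""

# Constructed `ss -lnt` style listing after the backdoor has been triggered.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       1       0.0.0.0:6200         0.0.0.0:*
"""

LOG_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] (?:\[(?P<user>.*?)\] )?'
    r'(?P<event>[A-Z ]+): Client "(?P<client>[^"]+)"'
)


def is_vulnerable_banner(banner):
    """True for the FTP greeting of the backdoored release, e.g. '220 (vsFTPd 2.3.4)'."""
    return re.search(r"vsFTPd 2\.3\.4\b", banner, re.I) is not None


def find_backdoor_logins(log_text):
    """Return (client, username) for login events whose username carries the ':)' trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user = m.group("user") or ""
        if ":)" in user and "LOGIN" in m.group("event"):
            hits.append((m.group("client"), user))
    return hits


def unexpected_listeners(ss_text, expected_ports):
    """Return listening TCP ports that are not in expected_ports (6200 = backdoor shell)."""
    ports = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return sorted(ports - set(expected_ports))


if __name__ == "__main__":
    print("banner vulnerable:", is_vulnerable_banner("220 (vsFTPd 2.3.4)"))
    print("trigger attempts:", find_backdoor_logins(SAMPLE_VSFTPD_LOG))
    print("unexpected listeners:", unexpected_listeners(SAMPLE_LISTENERS, {21, 22}))
```

The listener check is the one that matters most: the log entry only proves someone tried, while a shell on 6200 proves the backdoor is live. Feeding these functions real input means reading /var/log/vsftpd.log and the output of `ss -lnt` on the host, and the expected-ports set must come from the host's own baseline.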
3.3) Predictable PRNG Brute Force Exploit
Description: All versions of OpenSSL from 0.9.8c-1 to 0.9.8g-9 are vulnerable to this exploit. After
some C code was removed from ssh, the seeding process for the OpenSSL PRNG was affected.
Instead of mixing random data into the initial seed, the only random value used was the Linux
process ID, whose maximum is 32,768, resulting in a very small number of seed values being used for
all PRNG operations. Hence keys can be generated for every possible seed value, and SSH can then
be brute forced by an attacker to find a valid key that can be used to log in over SSH.
Exploitation
First download all the premade RSA and DSA keys generated for this version.
Then we use a Python script that brute forces the target SSH, given the IP and username of SSH.
Risk Rating: High
Recommendation:
The brute force takes time, depending on the number of RSA and DSA keys to try, but the
best possible way to mitigate this risk is to switch to a newer version of OpenSSL and regenerate the
keys on an operating system with the newer SSL version.
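The size of the seed space is the whole story of this finding, and a toy illustrates it better than prose. The following is an added example (not from the report and not the real OpenSSL or Debian code): a stand-in key generator whose only entropy is a process ID, a correctly seeded generator beside it, and a routine that enumerates the 32,768 seeds the report mentions. The hashing used to fake key material is a construction for the example, not a real key algorithm.

```python
import hashlib
import math
import secrets

MAX_PID = 32768  # maximum Linux process ID on the affected systems, per the report


def weak_keygen(pid):
    """Toy stand-in for a generator whose only entropy is the process ID.

    Deterministic: the same pid always yields the same 'private key', so at most
    MAX_PID distinct keys can ever be produced, however long the key looks.
    """
    return hashlib.sha256(b"toy-seed:" + str(pid).encode()).hexdigest()


def toy_public_key(private_key):
    """One-way derivation standing in for the public half of a keypair."""
    return hashlib.sha256(b"toy-pub:" + private_key.encode()).hexdigest()


def recover_private_key(public_key, max_pid=MAX_PID):
    """Try every possible seed; return (pid, private_key) if the public key came
    from the weak generator, else None. This is the whole 'attack': a loop."""
    for pid in range(1, max_pid + 1):
        candidate = weak_keygen(pid)
        if toy_public_key(candidate) == public_key:
            return pid, candidate
    return None


def strong_keygen():
    """Correctly seeded generator: 256 bits from the OS CSPRNG, not enumerable."""
    return secrets.token_hex(32)


def keyspace_bits(seed_values):
    """Effective entropy of a generator that can only take seed_values distinct seeds."""
    return math.log2(seed_values)


if __name__ == "__main__":
    weak_priv = weak_keygen(4242)
    print("weak keyspace bits:", keyspace_bits(MAX_PID))
    print("weak key recovered:", recover_private_key(toy_public_key(weak_priv)) == (4242, weak_priv))
    print("strong key recovered:", recover_private_key(toy_public_key(strong_keygen())) is not None)
```

A 2048-bit key drawn from a 15-bit seed space has 15 bits of security, which is why the full enumeration finishes in well under a second here. The consequence for the recommendation above is that upgrading OpenSSL alone is not enough: every key generated while the weak seeding was in effect, including SSH host keys and any authorized_keys entries made with them, stays inside the small space until it is regenerated and the old public keys are removed.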
3.4 Samba Server Exploit:
Description:
This module exploits a command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3
[7] when using the non-default “username map script” configuration option. The service runs on port
139. By specifying a username containing shell meta characters, attackers can execute arbitrary
commands and get root shell. No authentication is needed to exploit this vulnerability since this option
is used to map usernames prior to authentication.
Exploitation:
First smbclient is executed on the target.
Hence, we could find out which version of samba is running.
Then we use the Metasploit usermap_script exploit.
Finally, we get the root shell.
Risk Rating: High
Recommendation: The recommendation for mitigating this exploit is that anonymous login should
not be enabled and the Samba service version should not be disclosed to the extent possible.
Further, a patched version of Samba should be used and regular security updates must be installed
in a timely manner.
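The three parts of the recommendation above (no anonymous access, no version disclosure, no "username map script") are all visible in smb.conf, so they can be checked before an attacker does. The following is an added example (not from the report): a small smb.conf reader with a weak configuration beside a hardened one. The file contents are constructed; the option names "username map script", "map to guest", "server string" (where %v expands to the Samba version), "guest ok" and "writable" are real Samba options, and the script path is a placeholder.

```python
# Constructed weak configuration with the settings behind the finding in section 3.4.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   security = user
   map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh   # placeholder path

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
"""

# The same host with the recommendation applied.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   security = user
   map to guest = Never

[tmp]
   path = /tmp
   guest ok = no
   writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {option: value}}; Samba ignores case and extra spaces in option names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line[0] == ";":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """List the misconfigurations the report's Samba finding depends on."""
    cfg = parse_smb_conf(text)
    g = cfg.get("global", {})
    findings = []
    if "username map script" in g:
        findings.append("username map script = %s: Samba 3.0.20-3.0.25rc3 runs this with an "
                        "unauthenticated username; remove it or upgrade" % g["username map script"])
    if g.get("map to guest", "never").lower() != "never":
        findings.append("map to guest = %s: failed logins are mapped to guest (anonymous access)"
                        % g["map to guest"])
    if "%v" in g.get("server string", ""):
        findings.append("server string contains %v: the Samba version is disclosed to clients")
    for name, share in cfg.items():
        if name == "global":
            continue
        guest = share.get("guest ok", "no").lower() == "yes"
        writable = share.get("writable", share.get("writeable", "no")).lower() == "yes"
        if guest and writable:
            findings.append("share [%s] is guest-accessible and writable" % name)
    return findings


if __name__ == "__main__":
    for f in audit_smb_conf(WEAK_SMB_CONF):
        print("WEAK:", f)
    print("hardened findings:", audit_smb_conf(HARDENED_SMB_CONF))
```

The reader deliberately does not use Python's configparser, which treats indented lines (the usual smb.conf layout) as continuations of the previous value. Version disclosure is the weakest of the three controls: Samba's protocol negotiation can still reveal the version to a probing client, so hiding %v reduces casual fingerprinting but does not replace the upgrade.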
3.5 Unreal Ircd backdoor command execution
Description:
The UnrealIRCd service runs on port 6667. The service version is identified to be [Link]. By
enumerating past vulnerabilities, we came to know that this version of the service has a backdoor
installed in it, which attackers can exploit once they connect to it.
Exploitation:
To exploit this service, we directly use the Metasploit module.
Use the module irc backdoor and set the remote host Ip address.
Set the payload that would run on the remote host.
Here we use payload cmd/unix/reverse that spawns a shell and connects to our attacker Ip.
Risk Rating: High
Recommendation:
Since the access gained through the backdoor is root level, this version of the service should be
updated or the port should be closed.
3.6 Distcc Code Execution
Description:
Distcc is a program that distributes builds of C, C++ and Objective C/C++ code across several
machines on the network. This service runs on port 3632. There is a vulnerability in distcc 2.x, which
is used in XCode 1.5 and others [9]: when not configured to restrict access to the server port, it
allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by
the server without any authorization checks.
Exploitation:
From exploitdb we can get the ruby code that can be executed by the Metasploit.
Use this module.
Set the Ip address of the remote machine.
After successfully executing the exploit command we gain the shell with daemon privileges.
Risk Rating: High
Recommendations:
To mitigate this vulnerability, either close the port until a patch has been released for the service
or, if a newer patched version of distcc is available, install it promptly.
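Sections 3.4, 3.5 and 3.6 all end the same way: a network daemon (smbd, the IRC daemon, distccd) ends up with a shell as a child process, running as root or as the daemon user. That parent/child relationship is something a host can watch for regardless of which exploit produced it. The following is an added example (not from the report) of that check over a process listing. The listing is constructed in the shape of `ps -eo pid,ppid,user,comm` output, and the daemon and shell name sets are assumptions to be tuned per host.

```python
# Constructed listing in the shape of `ps -eo pid,ppid,user,comm` (not real output).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 root     smbd
  813   812 root     smbd
  901     1 root     ircd
  955     1 daemon   distccd
 1203   901 root     sh
 1340   955 daemon   sh
 1402     1 root     sshd
 1410  1402 alice    bash
"""

# Assumed per-host lists: services from the report that should never spawn a shell,
# and the shell binaries a spawned command would show up as.
NETWORK_DAEMONS = {"smbd", "ircd", "distccd", "vsftpd"}
SHELLS = {"sh", "bash", "dash"}


def parse_ps(text):
    """Return {pid: {pid, ppid, user, comm}} from the listing, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid = int(parts[0]), int(parts[1])
        procs[pid] = {"pid": pid, "ppid": ppid, "user": parts[2], "comm": parts[3].strip()}
    return procs


def ancestors(procs, pid):
    """Yield the process chain starting at pid and walking up to init."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def find_daemon_spawned_shells(procs):
    """Alert on every shell whose ancestry includes one of the network daemons.

    The user field tells the analyst what was gained: root under smbd or ircd
    matches sections 3.4 and 3.5, 'daemon' under distccd matches section 3.6.
    """
    alerts = []
    for p in procs.values():
        if p["comm"] not in SHELLS:
            continue
        for anc in ancestors(procs, p["ppid"]):
            if anc["comm"] in NETWORK_DAEMONS:
                alerts.append({"shell_pid": p["pid"], "user": p["user"],
                               "daemon": anc["comm"], "daemon_pid": anc["pid"]})
                break
    return sorted(alerts, key=lambda a: a["shell_pid"])


if __name__ == "__main__":
    for a in find_daemon_spawned_shells(parse_ps(SAMPLE_PS)):
        print("shell pid %(shell_pid)d as %(user)s under %(daemon)s (pid %(daemon_pid)d)" % a)
```

The bash under sshd is deliberately left out of the alerts: interactive logins legitimately spawn shells, so the daemon list has to name only services that have no business running commands. On a real host the check belongs in a periodic job or an auditd/execve rule rather than a one-off ps snapshot, since an exploit shell that exits quickly will not be in the table when the snapshot is taken.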
3.7) GRUB Misconfiguration
Description:
GRUB is the default bootloader for Linux, and it offers many options at boot time that can be edited
before booting. If there is no password protection on GRUB, these options can be edited and a root
shell can be obtained.
Exploitation:
First, we open the grub by pressing esc key.
After this we need to edit the recovery option.
Press edits for the kernel.
Instead of rw we write ro=/bin/bash.
Boot after editing.
Hence the machine boots directly to a root shell without a password, and the password can also
be changed.
Risk Rating: Medium since physical access is required.
Recommendation:
A password should be setup on grub so that no one can modify the boot settings and get to the root
shell.
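Whether the recommendation above has actually been applied can be read off the generated grub.cfg. The following is an added example (not from the report) that audits a grub.cfg for the GRUB 2 password directives: "set superusers" names who may edit entries, "password_pbkdf2" gives that user a hashed password, and an entry marked "--unrestricted" may be booted without a password but still cannot be edited. The two configuration fragments are constructed, and the PBKDF2 hash is a placeholder rather than real grub-mkpasswd-pbkdf2 output.

```python
import re

# Constructed: the state the finding describes, no password protection at all.
UNPROTECTED_GRUB_CFG = """\
set timeout=5
menuentry 'Ubuntu' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
    initrd /initrd.img
}
"""

# Constructed: the recommendation applied. Normal boot needs no password
# (--unrestricted), editing any entry or booting recovery does.
PROTECTED_GRUB_CFG = """\
set timeout=5
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Ubuntu' --class ubuntu --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
    initrd /initrd.img
}
"""


def audit_grub_cfg(text):
    """Return (severity, message) tuples describing the boot-time protection."""
    findings = []
    superusers = re.search(r'^\s*set superusers=["\']?([^"\'\s]+)', text, re.M)
    pw_users = set(re.findall(r'^\s*password(?:_pbkdf2)?\s+(\S+)', text, re.M))
    plain_pw = re.findall(r'^\s*password\s+\S+\s+\S+', text, re.M)  # unhashed form
    entries = re.findall(r'^\s*menuentry\s+(["\'][^"\']*["\'])([^{]*)\{', text, re.M)

    if not superusers:
        findings.append(("high", "no 'set superusers': anyone at the console can edit "
                                 "boot entries and boot with a modified kernel command line"))
        return findings
    su = superusers.group(1)
    if su not in pw_users:
        findings.append(("high", "superuser '%s' has no password line: nobody can "
                                 "authenticate, and GRUB may refuse to boot at all" % su))
    if plain_pw:
        findings.append(("medium", "plaintext 'password' directive in use; prefer "
                                   "password_pbkdf2 generated with grub-mkpasswd-pbkdf2"))
    for name, opts in entries:
        if "--unrestricted" not in opts:
            findings.append(("info", "entry %s requires the superuser password even to boot; "
                                     "add --unrestricted if unattended boot is needed" % name))
    return findings


def is_boot_edit_protected(text):
    """True when editing boot entries requires a password and no high finding remains."""
    return not any(sev == "high" for sev, _ in audit_grub_cfg(text))


if __name__ == "__main__":
    for label, cfg in (("unprotected", UNPROTECTED_GRUB_CFG), ("protected", PROTECTED_GRUB_CFG)):
        print(label, "->", audit_grub_cfg(cfg))
```

On Debian and Ubuntu the "set superusers" and "password_pbkdf2" lines go into /etc/grub.d/40_custom and update-grub regenerates grub.cfg; the audit should run on the generated file, since that is what the bootloader reads. The info-level result for the recovery entry is intentional: with physical access being the precondition the report names, requiring the password to reach recovery mode is the desired outcome, while the normal entry stays unattended-bootable.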
4. CONCLUSION
To identify threats in a system, the machine should be attacked from the attacker's perspective.
The best way to do this is to treat the machine as a black box and gather information about it
through active and passive information gathering tools. Once a service is detected, we can search
for exploits on exploitdb and then test those exploits on the system. Lastly, to ensure that we did
not miss a vulnerability, we can use automated security scanners, but their results should not be the
only criterion for selecting vulnerabilities, since these scanners can sometimes damage the system
and can produce false results. Finally, the best recommendation for mitigating these risks is to keep
the system updated and to configure it correctly.
5. References & Bibliography
[1] David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni, Metasploit: The Penetration
Tester's Guide, No Starch Press, 2011.
[2] Georgia Weidman, Penetration Testing: A Hands-On Introduction to Hacking, No Starch Press,
2014.
[3] Offensive Security, "Metasploit Unleashed," 12 March 2010. [Online]. Available: [Link].
[Accessed 17 July 2025].
[4] Rapid7, "Metasploit Documentation." [Online]. Available: [Link]. [Accessed 17 July 2025].
[5] OWASP, "OWASP Web Security Testing Guide v4." [Online]. Available: [Link]
project-web-security-testing-guide/. [Accessed 17 July 2025].
[6] Singh, Metasploit Penetration Testing Cookbook, Packt Publishing, 2013.
[7] IEEE Xplore, "System Vulnerability Assessment Using Metasploit." [Online]. Available: [Link].
[Accessed 17 July 2025].
[8] Elsevier, "Automated Penetration Testing Using Metasploit Framework." [Online]. Available:
[Link]. [Accessed 17 July 2025].
[9] EC-Council, Certified Ethical Hacker (CEH) v12 Official Courseware, EC-Council, 2022.
[10] Offensive Security, OSCP Courseware, Offensive Security, 2023.