
 

DEVELOPING A PENETRATION TESTING LABORATORY AS A BASIS FOR NETWORK SECURITY

A Research
Presented to the
Computer Engineering Department
College of Engineering and Architecture
Pangasinan State University
Urdaneta City

In Partial Fulfilment
of the Requirements for the Degree
Bachelor of Science in Computer Engineering
Major in System and Network Administration

ELLYSA BALANZA
JAE ANNE V. EBORA
CLARK JR. P. NONES
JUNE 2022

 
 
APPROVAL SHEET

The Design Project entitled “DEVELOPING A PENETRATION TESTING LABORATORY AS A BASIS FOR NETWORK SECURITY,” prepared and submitted by ELLYSA BALANZA, JAE ANNE V. EBORA, and CLARK JR. P. NONES in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Engineering Major in Systems and Network Administration, has been examined and recommended for acceptance.

FEVICLENE L. VILLAMOR, CpE
Critic Reader

KENNETH OLIVER S. LOPEZ, Ph.D.
Adviser

Approved by the Committee on Oral Examination

EMMERSON A. CANUEL, MSME
Advisory Committee

KHAYZELLE C. CAYABYAB, CpE
Advisory Committee

JAY-AR PENTECOSTES, CpE
Advisory Committee

Accepted in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Engineering Major in Systems and Network Administration this June 2022.

REX B. BASUEL, Meng’g, CCpE
Department Chairman, CpE
College Dean, CEA

HONORIO L. CASCOLAN, Ph.D.
Campus Executive Director

 
 
ACKNOWLEDGMENT

First and above all, from the bottom of our hearts, we would like to thank God Almighty for the courage, strength, guidance, knowledge, opportunity, and wisdom to undertake this thesis project.

This thesis project would not have been possible without the help of some individuals and institutions. It is a great honor and pleasure to acknowledge the support and assistance of the following people who assisted and supported us in various ways for the success of this study.

Firstly, we would like to express our sincerest gratitude to our project adviser, Dr. Kenneth Oliver S. Lopez, for his never-ending support, patience, motivation, and guidance in finishing this research study. His utmost knowledge and ideas in this study helped us go through this.

We would also like to thank our advisory committee, Engr. Emmerson A. Canuel, Engr. Jay-Ar Pentecostes, and Engr. Khayzelle C. Cayabyab, for giving their insights on improving this study, for understanding us (the researchers) and our research study, and for their patience in giving us time to share our knowledge and ideas on this project.

We would also like to express our gratitude to the rest of the Computer Engineering Faculty. They motivated us and gave us some techniques to go through this phase. To Engr. Rex B. Basuel, the Dean of the College of Engineering and Architecture, thank you for the knowledge you lent us and for your favorable response regarding this study.

To our families and friends, we express our sincerest gratitude and a heartfelt "Thank You" for giving us motivation, patience, financial support, and an extra push during rough times. You are our inspiration.

We owe our deepest gratitude to the Department of Science and Technology (DOST) and all their staff for the financial support throughout our college life. We would not have been able to get to where we are right now without their help. We will never forget that we are the 'Scholars for the Nation.'

Lastly, gratitude and appreciation should also go to us, the researchers, for giving our best in this study. We hope you appreciated the outcome of our hard work, hopes, dreams, sleepless nights, blood, sweat, and tears. Thank you for not giving up.

 
DEDICATION

This study is wholeheartedly dedicated to our Almighty Father, for the courage, strength, guidance, and knowledge, and for giving us a healthy life.

To our beloved family and friends, who have been our source of inspiration throughout our college life up until the completion of this study.

And to the faculty of the Computer Engineering Department for giving their time, effort, and support in making this study possible.

Ellysa Balanza

Jae Anne V. Ebora

Clark Jr. P. Nones

TABLE OF CONTENTS

Page

TITLE PAGE …………………………………………………………………i

APPROVAL SHEET ………………………………………………………...ii

ACKNOWLEDGMENT ……………………………………………………......iii

DEDICATION ………………………………….…….……….………………v

TABLE OF CONTENTS ……………………………………………………… vi

LIST OF TABLES ………………………………………………………………… xi

LIST OF FIGURES ……………………………………………………………… xiii

ABSTRACT ……………………………………………………………………… xvi

CHAPTER 1: INTRODUCTION

Background of the Study …………………………….………………….. 1

Statement of the Problem …………………………….………………….. 4

Significance of the Study …………………………….………………….. 6

Scope and Delimitation of the Study ….……………..…………….….. 7

Definition of Terms and Variable …………………………………………. 9

CHAPTER 2: REVIEW OF RELATED LITERATURE AND STUDIES

Related Literature

Ethical Hacking ……………………………………………….. 13

Cybersecurity in the Philippines .………………………………. 14

Kali Linux ……………………………………………………….. 14

Penetration Testing …..………………………………………….... 15

Reconnaissance Tools …………………………………………… 16

Scanning for Vulnerabilities Tools.………………………………. 17

Gaining Access Tools….………………………………………….. 20

Penetration Test Laboratory……………………………………… 27

Related Studies

Ethical Hacking.…………………………………………………… 32

Penetration Testing for Kali Linux.…………….………………… 33

Penetration Testing Tools.……………………….………………. 35

Research Paradigm ………………………………….……………….. 39

Conceptual Framework ……………………………….……………… 40

CHAPTER 3: METHODOLOGY

Research Design …………………….…………………..…………….. 42

Data Collection

Observation …………………………………………………….. 43

Data Gathering ……………………………………………………. 44

Tools for Analysis ………………………………………………. 44

Testing ……………………………………………………………. 45

Statistical Treatment …………………………………………… 46

CHAPTER 4: PRESENTATION AND DISCUSSION

Network Topology and Configurations ...…………………………….. 48

Penetration Testing Tools …….………………………………….…… 51

Recon-ng .……………………………………………………… 52

theHarvester ...………………………………………………… 55

Nmap ……………………………………………………...…….. 57

Nikto ……………………………………………………………… 64

Wireshark .……………………………………………………. 68

TCPDump ..…………………………………………………….. 71

ExploitDB ..…………………………………………………….. 73

Metasploit .………………………………………………..……. 75

Brutespray ..…………………………………………………….. 78

THC-Hydra ..…………………………………………………….. 83

John-the-Ripper ..……………………………………………. 86

Burpsuite .………………………………………………...… 89

Sqlmap .…………………………………………………… 95

Cisco-Global-Exploiter …………………………………… 101

Yersinia …..………………………………………………… 104

Aircrack-ng ...……...…………………………………………… 108

Fern-WiFi-Cracker ...…………………………………………... 111

Karmetasploit …..…………………………………………… 113

Setoolkit …..………………………………………………… 114

Penetration Testing Tools’ Speed .……………………………………. 116

Penetration Testing Tools’ Coverage.………………………………… 126

Reliability and Acceptability of the Penetration Testing Laboratory …………. 138

Problems Encountered During the Implementation of the Nineteen Penetration Testing Tools ………. 147

CHAPTER 5: SUMMARY, CONCLUSION, AND RECOMMENDATION

Summary ……….…………………….……………………………… 151

Conclusion .………………………………………………….………… 153

Recommendations ...…………………………………………….…… 156

BIBLIOGRAPHY ………………………………………………………….…. 159

APPENDICES

Appendix A – Actual Laboratory Setup ...…………………………... 165

Appendix B – Cisco 2811 Catalyst Router Specifications ...……… 167

Appendix C – DTE/DCE Serial Cable Specifications …...……….. 170

Appendix D – Straight-through Cable Pin Out …………..………... 171

Appendix E – Cisco 3750 Catalyst Switch Specifications ………... 172

Appendix F – Raspberry Pi 4 Model B Specifications …………..…. 178

Appendix G – Strontium Nitro 32GB MicroSD Specifications …..... 180

Appendix H – TP-Link TL-WR840N Technical Specifications …….. 181

Appendix I – Raspberry Pi 3 Model B+ Specifications …………… 182

Appendix J – Strontium Nitro 16GB MicroSD Specifications ……… 184

Appendix K - Port and Network Configurations …………………..… 185

Appendix L – SSH and Telnet Configurations ……..……..……..….. 186

Appendix M – Routing Configurations Routers: EIGRP and BGP …………………... 188

Appendix N – DHCP Configuration on Blue Team Router ………. 190

Appendix O – VLAN Management Configuration on Switch ……… 191

Appendix P – Access Point Configuration .………………..…...… 193

Appendix Q – Sample Laboratory Manual …………………….. 194

Appendix R – Questionnaire …………………………………….. 199

Appendix S – Computation for the Average Weighted Mean …..... 203

Appendix T – USE Questionnaire Developed by Arnold Lund …… 209

OTHER PERTINENT DOCUMENTS

A. Title Defense ………………...…………………..……………... 210

B. Minutes of the Meeting for Title Defense ..… ………………..... 212

C. Approved Project Outline ...……..……………………………… 214

D. Check-Up Defense ……………………………....…………….. 216

E. Minutes of the Meeting for Check-up Defense ..……………… 218

F. Final Defense ………………….………………....…………….. 221

G. Minutes of the Meeting for Final Defense ..…………………… 223

H. Compliance Report ….……….………………....………………. 228

I. Requisition Form for Plagiarism Grammar Scanning ….……… 231

J. Certificate of Plagiarism and Grammar Scanning ….…………. 232

CURRICULUM VITAE … ……………………………………………..... 233

LIST OF TABLES
TABLES PAGE

1 Likert Scale Response Options 47

2 Port and Network Configurations 50

3 Classification of Penetration Testing Tools 116

3.1 Speed of the Modules Used in Recon-ng and theHarvester 117

3.2.1 Speed of the Attacks Used in Scanning Vulnerabilities Tools 117

3.2.2 Speed for Searching Vulnerabilities Using Wireshark and TCPDump 118

3.2.3 Speed for Searching Vulnerabilities Using ExploitDB 119

3.3.1 Speed of Port Scanning and Exploitation Using Metasploit 120

3.3.2 Speed of Brute Forcing Using Brutespray and THC-Hydra 120

3.3.3 Speed of De-hashing Using John-the-Ripper 121

3.3.4 Speed of SQL Injection Using Burpsuite and SQLmap 121

3.3.5 Speed of Performing Denial-of-Service Using Cisco-Global-Exploiter and Yersinia 122

3.3.6 Speed of Wireless Cracking Using Aircrack-ng and Fern-Wifi-Cracker 123

3.3.7 Speed of Creating Fake Access Point Using Karmetasploit 124

3.3.8 Speed of Harvesting Credentials Using Social Engineering Toolkit 124

4 Likert Scale with Interpretation 139

4.1 Reliability of the Penetration Testing Laboratory Under the Category Usefulness 140


4.2 Reliability of the Penetration Testing Laboratory Under the Category Ease of Use 141

4.3 Reliability of the Penetration Testing Laboratory Under the Category Ease of Learning 142

4.4 Reliability of the Penetration Testing Laboratory Under the Category Satisfaction 144

LIST OF FIGURES

FIGURE # PAGE

1 Research Paradigm of the Study 39

2 Conceptual Framework of the Study 41

3 Agile Process Model of the Study 42

4 Laboratory Setup in Packet Tracer 48

5 Contacts Information Scanned by Recon-ng 53

6 Hosts Information Scanned by Recon-ng 54

7 Hosts Information Scanned by theHarvester 56

8.1 Discovered IP Addresses Within the Network 58

8.2 Discovered IP Addresses with Parameters 58

9 Scanned Open Ports on Nmap 60

10 Result of Scanning Target Web Server Using Scripts 61

11.1 Brute forced Target Server Using Nmap 63

11.2 Result of Brute forced Target Web Server Using Scripts 63

12.1 Scanned Vulnerabilities on DVWA Using Nikto 65

12.2 Tuning SQl Injection on DVWA 67

13.1 Failed Login Attempt 69

13.2 Failed Login Attempt 69

14.1 Successful Login Attempt 70

14.2 Successful Login Attempt 70

15.1 Discovered DHCP and CDP Packets 70


15.2 Discovered DHCP and CDP Packets 70

16 Captured Username and Password 72

17.1 Result of the searchsploit Samba Linux Command 74

17.2 Result of the searchsploit Samba Linux Metasploit Command 74

18 Failed Exploitation on Metasploit 77

19.1 Result of the Brute-Forced Process on Target Server 80

19.2 Brute-Forced Process on Cisco Router 81

20 Dictionary Attack on the Target Server 85

21 Decrypted Hash Passwords of the Username 88

22 Response of Low-security Level of DVWA 91

23.1 Response of the Payload on the Website 92

23.2 Response of the Payload on the Website 92

24.1 Displaying the Response of the Payload Through HTML 94

24.2 Displaying the Response of the Payload Through HTML 94

25.1 Target Parameters on Low-security Level 97

25.2 Adding Backslash to the Target Parameters on Sqlmap 97

26 Target Parameters on Medium-security Level 98

27 Target Parameters on High-security Level 98

28 Target Parameters on Impossible-security Level 99

29 Result of the SQL Injection Attack Using Sqlmap 100


30 Cisco 677/678 Telnet Buffer Overflow Vulnerability 102

31 Cisco IOS Router Denial of Service Vulnerability 102

32 Verification of the Successful DHCP Starvation Attack 106

33 Verification of Successful CDP Flooding on Switch 107

34.1 Scanned Access Points 109

34.2 Cracked WPA from the TP-Link Pentester 110

35 Key Database 112

36.1 Cloned Google Login Page and the Captured Credentials 115

36.2 Cloned Google Login Page and the Captured Credentials 115

37 Penetration Testing Tools and Their Penetration Testing Phases 127

37.1 Recon-ng and theHarvester’s Coverage 128

37.2.1 Nmap and Nikto’s Coverage 130

37.2.2 Network Monitoring Tools’ Coverage 131

37.2.3 ExploitDB’s Coverage 131

37.3.1 Metasploit’s Coverage 132

37.3.2 Password Cracking Tools’ Coverage 134

37.3.3 Web Application Testing Tools’ Coverage 135

37.3.4 Network Infrastructure Tools’ Coverage 136

37.3.5 Wireless Network Testing Tools’ Coverage 137

37.3.6 Social Engineering Tools’ Coverage 137

ABSTRACT

Research Title: DEVELOPING PENETRATION TESTING LABORATORY AS A BASIS FOR NETWORK SECURITY
Researchers: Ellysa Balanza, Jae Anne V. Ebora, Clark Jr. P. Nones
Degree/Course: BS Computer Engineering Major in Systems and Network Administration
Institution: Pangasinan State University – Urdaneta City Campus
Year Graduated: 2022
Adviser: Dr. Kenneth Oliver S. Lopez
Keywords: Penetration testing, cybersecurity, ethical hacker, Kali Linux, laboratory, attacker, target, passive reconnaissance, scanning for vulnerabilities, gaining access, exploits

The study "Developing a Penetration Testing Laboratory as a Basis for Network Security" focuses on designing and developing an environment that is suitable and safe for penetration testing. Nineteen (19) penetration testing tools were installed in the laboratory, tested, and evaluated. The effectiveness of these tools was assessed in terms of speed and coverage. The laboratory was divided into two (2) sides, attacker and target: one device acted as the attacker, and the other equipment operated as the targets. The researchers simulated the nineteen (19) penetration testing tools installed on the attacker.

The developed penetration testing laboratory was tested by thirty (30) students. After testing, the students answered a questionnaire to determine the reliability of the developed laboratory in terms of the following dimensions: Usefulness, Ease of Use, Ease of Learning, and Satisfaction. The only limitation found in the penetration testing laboratory was that three (3) of the tools did not work successfully due to hardware constraints; the remaining sixteen (16) tools were effective in the laboratory.

Based on the results presented, it is recommended that the nineteen (19) penetration testing tools could be replaced with other tools, and that the attacker machine could be replaced with laptops or desktops on which different tools could be installed. In addition, some of the attacks performed were limited by the targets deployed, so it is also recommended to add or change targets, such as ones installed with a Windows operating system. Finally, a simulation could be performed as a challenge in which two teams are created, a Red Team for attacking and a Blue Team for defending.

CHAPTER 1

INTRODUCTION

BACKGROUND OF THE STUDY

The continuous development of technology and the Internet has revolutionized every facet of our society at all levels, making it ever more dependent on these services irrespective of size and volume or use and purpose. The numerous advantages of these developments come with a rapid increase in users and their data. According to Statista, as of April 2022, five (5) billion people, or sixty-three (63) percent of the world's population, use the Internet (Johnson, 2022). In line with this, the International Data Corporation (IDC) predicts that the global datasphere on the Internet will reach one hundred seventy-five (175) zettabytes by 2025 (Reinsel et al., 2018).

The exposure to and threat of cyber-related crimes have been making headlines on various media platforms, from personal to corporate security: data breaches, phishing scams, malicious software, identity theft, voyeurism, and many more (Kate B, 2021). Regardless of geographic and demographic segmentation, all the significant sectors of our society, whether private or public institutions, organizations, enterprises, government, or nongovernment, are vulnerable in the face of cyber-related crimes (Interpol, 2020). These crimes primarily result in loss of productivity, significant expenses for the infected systems, damage to or reduction of the organization's reputation or integrity, and disruption of operational continuity (Amer O, 2020).


 
Despite the laws and policies already implemented, there has always been a constant challenge in maintaining a secure environment, whether for an organization or an individual. There is a need for security assessments and measures, from a set of tools to identify and mitigate these threats to security software provided by a variety of vendors, to limit the chance of mishaps and data loss. In addition, according to Secuna (2022), the most significant cybersecurity testing provider in the Philippines, to diminish these risks one must venture into how black hat hackers think, plan, and operate. Organizations that do so would be better positioned to discover and identify security issues, patch their systems, and devise strategies and solutions to avoid illegal digital intrusion (MB Technews, 2022).

Today, many government websites and college and university portals in the Philippines are insecure and vulnerable, which makes them susceptible to hacking. According to Manila Bulletin Technology News (MBTechNews), there has been a surge of incidents wherein groups of gray hat hackers in the Philippines, such as Phantom Troupe, Philippine Hacking University, and Pinoy Grayhats, illegally accessed government portals such as www.gov.ph, career.org.gov.ph, the Office of the Solicitor General (OSG), the Philippine National Police Academy (PNPA), and others, as well as educational institutions such as the Polytechnic University of the Philippines (PUP), Far Eastern University (FEU), Fatima School Bacood, and many more. Unlike black hat hackers, gray hat hackers have the intention of either informing these organizations of their vulnerabilities and helping patch security weaknesses, or honing their skills in cybersecurity (Samaniego, 2020).


 
However, even if the motivation is good, unauthorized infiltration into an organization's or company's infrastructure is rarely welcomed (Kaspersky, n.d.); thus, white hat hackers, or penetration testers, come into play.

Compared to black hat and gray hat hackers, white hat hackers have authorization to access a system or network in order to find vulnerabilities, report them, and fix them immediately. They are also called pentesters, a shorter term for penetration testers. However, ethical hacking is not a skill that can be learned and mastered in just months; it takes time and effort. Thus, creating a personal lab would be very useful for practicing with the penetration testing tools that are readily available online. You do not want to test the devices on your network, especially when you do not have permission from the owners. On the other hand, such a setup will not be ideal when the guest hosts take up the computer's resources, especially when the host has a low-level or even mid-level system. But with a laboratory, penetration testers could legally customize and control an environment that suits their needs, without defacing websites or illegally penetrating someone else's system and network.

With that, this study, entitled “Developing a Penetration Testing Laboratory as a Basis for Network Security,” was conducted to establish a laboratory that could equip the Computer Engineering students of Pangasinan State University – Urdaneta City Campus (PSU – UCC). Furthermore, the researchers used different penetration testing tools and methods and evaluated their effectiveness. Effectiveness was assessed on the premise of response, or speed, which refers to the amount of time needed to complete a specific task, and coverage, which was defined as the ability of a particular tool to pass through the first three (3) phases of penetration testing, specifically information gathering, scanning for vulnerabilities, and gaining access.

STATEMENT OF THE PROBLEM

This study aimed to develop a penetration testing laboratory that could be

used by the Computer Engineering students of Pangasinan State University –

Urdaneta Campus (PSU – UCC) and determine the effectiveness of the different

penetration testing software as a basis for network security. Specifically, it

answered the following:

1. What must be the design of the penetration testing laboratory equipment?

2. Determine the effectiveness, based on speed and coverage, of the penetration testing tools used, such as:

   A. Information Gathering
      a) Recon-ng; and
      b) theHarvester

   B. Scanning Vulnerabilities
      a) Nmap;
      b) Nikto;
      c) Wireshark;
      d) TCPDump; and
      e) ExploitDB

   C. Gaining Access
      a) Metasploit;
      b) Brutespray;
      c) THC-Hydra;
      d) John-the-Ripper;
      e) BurpSuite;
      f) Sqlmap;
      g) Cisco-Global-Exploiter;
      h) Yersinia;
      i) Aircrack-ng;
      j) Fern-WiFi-Cracker;
      k) Karmetasploit; and
      l) Social Engineering Toolkit

3. What is the reliability and acceptability (to the students) of the developed laboratory equipment and manual?

4. What problems were encountered during the testing of the different penetration testing tools?


 
SIGNIFICANCE OF THE STUDY

This study aimed to develop a penetration testing laboratory and a laboratory manual that could be used by the Computer Engineering students in the Systems and Network Administration (SNA) track of PSU – UCC. Furthermore, penetration testing tools and methods were used in the actual laboratory. This study would be most beneficial to the following:

College Institutions – Specifically those in the field of Computer Networks, where this research would educate students interested in the cybersecurity field by equipping them with the right tools, letting them hone their skills in an actual environment, and cultivating their knowledge of different penetration testing tools, their effectiveness, and how to utilize them to their advantage.

Business Institutions – Since this is one of the sectors most targeted by hackers, who are always bound to exploit vulnerabilities to steal data and even money, it would be valuable to have a trained penetration tester to prevent such unfortunate cases.

Government Institutions – This is also one of the sectors most targeted by hackers, especially hacktivists; there have been many cases and records of website defacement and data leakage from different organizations. A penetration tester could have prevented these beforehand.


 
The Researchers – This study will be beneficial to the researchers because they will gain additional knowledge, specifically in the process of developing the laboratory and incorporating different penetration testing software tools, and will be able to practice and apply what they have learned. They can use this understanding to equip themselves for the workforce. Furthermore, it can serve as a future reference for further studies or for improving this study, as the technologies for both hardware and software are constantly being developed.

SCOPE AND DELIMITATION OF THE STUDY

This study focused on developing a penetration testing laboratory for the Computer Engineering Department of Pangasinan State University – Urdaneta Campus during the 2nd Semester of Academic Year 2021 – 2022 and then testing the effectiveness of different penetration testing tools. This study's penetration testing laboratory setup comprised one (1) Raspberry Pi 4 Model B with 4GB of Random-Access Memory (RAM) and 32GB of microSD storage, which was installed with Kali Linux as its operating system and functioned as the attacker. The researchers used a Raspberry Pi 4 Model B, but others could use various devices such as desktop computers, laptops, and many more. The laboratory was used to simulate the basic features and functions of nineteen (19) different penetration testing tools: Recon-ng, theHarvester, Nmap, Nikto, Wireshark, TCPDump, ExploitDB, Metasploit, Brutespray, THC-Hydra, John-the-Ripper, Burpsuite, SQLmap, Cisco-Global-Exploiter, Yersinia, Aircrack-ng, Fern-WiFi-Cracker, Karmetasploit, and Social Engineering Toolkit. The testing method was gray box testing, wherein the tester has partial knowledge of the internal infrastructure of the laboratory setup. Also, Recon-ng and theHarvester were connected to the Internet in order to run, although no Internet connection was provided in the penetration testing laboratory itself. Furthermore, two (2) Raspberry Pi 3 Model B+ units with 1GB of RAM and 16GB of microSD storage were used as the target desktop and the target web server, running the Raspbian Operating System (OS) and the Ubuntu Server Operating System, respectively. A TP-Link TL-WR840N was used as the access point for the wireless network. Other components that the researchers included were one (1) Cisco Catalyst 3750 switch and two (2) Cisco Catalyst 2811 routers, which were used to simulate different networks, one of which served as the target router.

Furthermore, this laboratory was designed for internal testing only. This means that all the penetration testing tools were run on the researchers' network and infrastructure alone, and they were not used on any device or network for which the researchers had no permission. No other network, wireless network, or network infrastructure was tested. The researchers only used downloadable vulnerable web applications. For Recon-ng and theHarvester, passive reconnaissance was performed so as not to directly engage the target system. The access point's broadcast Service Set Identifier (SSID) was "TP-Link Pentesters". Moreover, for the Social Engineering Toolkit, only one feature was used, since most of the tool's features rely on the Internet to run successfully.


 
Lastly, there were thirty (30) respondents from the Bachelor of Science in Computer Engineering Major in Systems and Network Administration program of Pangasinan State University – Urdaneta Campus (PSU-UCC) who tested and used the penetration testing laboratory, with the laboratory manual for guidance. Furthermore, a survey questionnaire was used for data gathering regarding the reliability and acceptability of the developed laboratory.

DEFINITION OF TERMS AND VARIABLE

Application Programming Interface (API) keys – codes that are used to identify and verify a user or an application. API keys are used by various platforms such as Recon-ng's marketplace and theHarvester. (Fortinet, 2022)

Black Hat Hacker – unlike white hat hackers, black hat hackers do not have authorized access to a system or network; they break into computer networks or systems with malicious intent. The information they obtain from a system or network could be sold to someone or used to blackmail the hacked individual or organization. (Kaspersky, 2022)

Brute-force attack – a type of attack or technique that attempts to decrypt credentials or tries many combinations of usernames and passwords until the correct login credentials are found. (Kaspersky, 2022)


 
Coverage – the ability of a particular tool to pass through the first three (3) phases of penetration testing, specifically information gathering, scanning for vulnerabilities, and gaining access.

Cybercrime – crimes involving the use of a computer and the Internet (e.g., unauthorized access to a system or network, Internet fraud, website defacement, identity theft, and password theft). (Kaspersky, 2022)

Datasphere – the theoretical location where digital data is kept. (UK Dictionary)

Dictionary attack – a password cracking approach in which attackers guess the password using a list of words and phrases that could potentially be the user's login credentials. (Swinhoe, 2020)

Exploits – taking advantage of a vulnerability to compromise a system.

Gray Box Testing – an approach to penetration testing wherein the penetration tester has limited information about the target. (Imperva, 2021)

Gray Hat Hacker – individuals who use hacking for both offensive and defensive purposes. (Kaspersky, 2022)

Internal testing – the penetration testing tools are limited to the researchers' own network and infrastructure. They are not run on any device or network for which the researchers have no permission, and no other network, wireless network, or network infrastructure is tested.

Intrusion Detection Systems (IDS) – analyze and monitor network traffic in response to cyberthreats on the network. They can detect threat behaviors such as malware and other security violations. (Peters, 2020)

Intrusion Prevention Systems (IPS) – prevent and deny network traffic that poses a possible security threat to the network. (Peters, 2020)

Open-Source Intelligence (OSINT) – gathering data from the Internet and other publicly accessible resources. It collects information such as computers' and networks' IP addresses, domain names, hostnames, DNS data, e-mails, and other publicly available information. (Chipeta, 2022)

Passive reconnaissance – gathering information on systems and networks without engaging them directly, that is, without sending any request to the target. Therefore, the target has no means of knowing that an attacker is gathering information. (Brathwaite, 2022)

Payloads – a command used by hackers to exploit a vulnerability. It establishes a connection with the target machine and then acquires access, which can be exploited to steal data or carry out other malicious operations. (Kaspersky, 2022)

Penetration testing – pentesting, for short, is simulating a cyberattack to exploit a system or network's vulnerabilities. (Imperva, 2021)

Pentester – a shorter term for Penetration Tester, an individual who practices penetration testing. (Cyber Degrees, 2022)

Session Cookie – a file containing identifiers, either a string of letters or numbers, which the website server sends to a browser and which then helps web pages load faster during navigation of the website. (Technopedia, 2021)

Speed – the time it takes a penetration testing tool to finish a given task.

White Hat Hackers – also known as Ethical Hackers, have the authorization to exploit a system or network legally. The information they gather will be used for good. (Kaspersky, 2022)

12 
 
 
CHAPTER 2

REVIEW OF RELATED LITERATURE AND STUDIES

This chapter contains a review of literature and studies related to this research. These give the researchers an idea and particular insights into the development of the study.

REVIEW OF RELATED LITERATURE

Ethical Hacking

The Internet is continuously growing, which has become beneficial to every human in many different aspects of daily life. However, the Internet has its dark sides, where criminals linger. Therefore, knowing how users can protect the network is vital. According to Neeraj Rathore (2015), the practice of ethical hacking is breaking into a computer system without any malicious intent. Its goal is to identify security risks and report them to the users or the people who are at risk of cyber-attacks. Ethical hackers are the security experts who hack for defensive and constructive purposes. (Rathore, 2016)

CHAPTER II: REVIEW OF RELATED LITERATURE AND STUDIES
 

Cybersecurity in the Philippines

In the Philippines, cybersecurity is a relatively new field of expertise. In 2017, the Philippines spent only 0.04 percent of its GDP on cybersecurity, whereas other ASEAN countries spent 0.07 percent. Because of the increasing cases of hacking of government websites, mostly coming from China and Russia, the government established the Department of Information and Communications Technology (DICT). DICT aims to plan, develop, and promote the field of ICT. Secretary Gregorio Honasan Jr., the head of DICT, has three areas to prioritize: a) provide access for every Filipino; b) adopt more vital ICT infrastructures; and c) reduce cybercrime and cyberterrorism activities in the Philippines. (Romaniuk & Manjikian, 2021)

Kali Linux

Ethical hacking, security analysis, digital forensics, and decryption are some of the frequent uses of Kali Linux. It offers more than three hundred (300) penetration testing tools, precisely in the areas of information gathering, vulnerability analysis, wireless attacks, web applications, exploitation, sniffing & spoofing, password cracking, maintaining access, reporting tools, and many more. Nmap, Wireshark, SQLmap, Burpsuite, John-the-Ripper, Hydra, and Metasploit are well-known tools in this distribution. Kali Linux is a product of Offensive Security. (Ben, 2021)

Penetration Testing

According to Imperva (2021), in the article entitled "Penetration Testing," the penetration testing process has five (5) stages, namely: reconnaissance, scanning, gaining access, maintaining access, and analysis and web application firewall (WAF). The reconnaissance stage consists of identifying the network or systems to be investigated, the testing methods to be utilized in this situation, and gathering information about the target (e.g., domain names, mail servers). The scanning stage determines how the target will handle various intrusion attempts. Gaining access uses attacks (web attacks) to identify the target's weaknesses or vulnerabilities. The ethical hackers then try to exploit the vulnerabilities found, whether by stealing data, intercepting traffic, or other means, to understand the damage they might cause to a specific system or machine. The maintaining access stage imitates advanced persistent threats (APTs), wherein an intruder tries to keep a long-term presence on a network to steal data, specifically sensitive data. The final phase is analysis, which involves compiling the test results. The pentesters then report to the security personnel, who will create solutions to protect the network and even data against possible attacks. (Imperva, 2021)

Reconnaissance Tools

"In the process of reconnaissance, hackers tend to be like detectives, gathering data, and information to comprehend their victims." (Upadhyay, 2020). Reconnaissance is one of the most often used methods in ethical hacking, in which the tester covertly discovers and collects information about a system. Steps in reconnaissance, according to Isha Upadhyay (2020), include: (a) collecting new information, (b) deciding the network's range, (c) recognizing all active machines, (d) obtaining the operating system in use, (e) identifying the operational framework, (f) showing the services used on each port, and (g) understanding the network map. Reconnaissance tools include Recon-ng and theHarvester.

Recon-ng is among the numerous tools available for the first penetration testing phase, reconnaissance or information gathering. It is free and open-source reconnaissance software written in Python. It comes pre-installed in Kali Linux and is operated from a command-line interface (CLI) with the same look and feel as Metasploit. Recon-ng's features are interactive help, command completion, built-in convenience functions, and interaction with databases. Unlike the Metasploit Framework, which can exploit a particular machine or system, Recon-ng is designed solely for web-based open-source reconnaissance. This tool can only collect data on a specific target or domain. It provides an interactive console with command completion and contextual assistance. Overall, Recon-ng has one hundred fourteen (114) modules available, which can be installed from the marketplace inside Recon-ng. They are categorized according to their functionalities: reconnaissance, reporting, importing, exploitation, disabling, and discovery modules. However, twenty-three (23) modules might need prerequisites such as application programming interface (API) keys. (Pence, 2020)

Another tool for the first phase of penetration testing is theHarvester. This package contains tools for gathering information. It gathers information such as e-mail addresses, virtual hosts, subdomain names, open ports or banners, and employee names from different public sources such as search engines (Kumar, 2022). TheHarvester has almost the same features as Recon-ng and is also operated from a command-line interface (CLI). They differ in the number of modules: theHarvester has only thirty-eight (38) modules to choose from, of which fourteen (14) require API keys. Furthermore, the modules do not require installation since they are already available in theHarvester. (Kumar, 2022)

Scanning for Vulnerabilities Tools

Scanning tools are software tools that examine a network for existing vulnerabilities, such as security misconfigurations. Network scanning is possible with Linux command-line utilities or various cloud-based services (Pedamkar, 2020). According to Pedamkar (2020), seven (7) popular tools are used to perform network scanning. One is Nmap, or Network Mapper, developed by Gordon Lyon. Nmap scans hosts and services on a network, displays operating systems (OS), and displays the firewalls used and available on different OS. It is considered one of the most popular tools for pentesters and system and network administrators, and because of this it has garnered many security-related awards. Like the other tools, it is open-source and controlled through the command-line interface (CLI). (Simplilearn, 2019)

Another tool is Nikto, a pluggable web server and Common Gateway Interface (CGI) scanner. It is written in Perl. One of Nikto's features is an easily updateable CSV-format database. The output reports are in plain text or HTML, and there is also support for HTTP versions, cookies, and many more. Nikto is a web server and web application analysis tool that is both free and open source. Moreover, it is a straightforward and easy-to-use scanner operated from the command-line interface (CLI). Specifically, it checks or examines a web server for potential security flaws or vulnerabilities such as misconfigured servers and software, pre-installed programs, and insecure or outdated servers and/or programs. Nikto tests a web server quickly, and its scans show up visibly in the log files or in an Intrusion Prevention/Intrusion Detection System (IPS/IDS). (Shivanandhan, 2021)

Next is Wireshark, which acts as a real-time network analyzer. It focuses on the network protocols going in and out of the network. Similar to Nmap, it is a well-known network sniffing tool, and it provides a Graphical User Interface (GUI) for capturing packets and network protocols from a network. Each packet contains sensitive data and information that, later on, will be used for the next phase of penetration testing. Wireshark can even decode data payloads depending on their protocols (e.g., HTTP). Each packet captured using Wireshark contains the following details: the time at which the packet was captured, the source and destination IP addresses, the protocol used, the length, and some packet information. Wireshark can go further by sniffing usernames and passwords if the protocol used by a webpage or web application is not encrypted (e.g., HTTP). (CompTIA, n.d.)
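The cleartext-credential risk described above can be turned into a defensive check: the added example below (not code from this thesis) audits constructed packet records carrying the same summary fields Wireshark shows (time, source, destination, protocol, length, info) plus the decoded payload, and reports which servers accepted credentials over unencrypted HTTP so they can be moved to HTTPS. The `Packet` and `Finding` types, the `CREDENTIAL_FIELDS` list, and the sample capture are this example's own assumptions.

```python
"""Audit a packet capture for credentials sent over cleartext HTTP.

Added example (not the thesis's code). The records mirror the Wireshark summary
columns named in the text; the sample capture is constructed, not real traffic.
Only field names are reported, never the credential values themselves."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Form field names typical of login forms (assumption for this example).
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "passwd", "pass"}


@dataclass
class Packet:
    """One captured packet: the Wireshark summary columns plus decoded payload."""
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str
    payload: str = ""  # decoded application data; empty when the protocol is encrypted


@dataclass
class Finding:
    time: float
    src: str
    dst: str
    kind: str          # "basic-auth" or "form-login"
    fields: List[str]  # names of the fields that carried credentials (no values)


def _basic_auth_user(headers: str) -> Optional[str]:
    """Return the username from an 'Authorization: Basic' header, if one decodes."""
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", headers, re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    return decoded.split(":", 1)[0]


def inspect_packet(pkt: Packet) -> Optional[Finding]:
    """Return a Finding when the packet carries credentials in cleartext HTTP."""
    if pkt.proto.upper() != "HTTP" or not pkt.payload:
        return None  # TLS sessions expose no readable request, so nothing to flag
    headers, _, body = pkt.payload.partition("\r\n\r\n")
    if _basic_auth_user(headers) is not None:
        return Finding(pkt.time, pkt.src, pkt.dst, "basic-auth", ["Authorization"])
    if headers.startswith("POST ") and "application/x-www-form-urlencoded" in headers:
        fields = sorted(k for k in parse_qs(body) if k.lower() in CREDENTIAL_FIELDS)
        if fields:
            return Finding(pkt.time, pkt.src, pkt.dst, "form-login", fields)
    return None


def audit_capture(packets: List[Packet]) -> List[Finding]:
    """Run the check over a whole capture; one finding per offending packet."""
    return [f for f in (inspect_packet(p) for p in packets) if f is not None]


def exposed_servers(findings: List[Finding]) -> List[str]:
    """Servers that accepted cleartext credentials: candidates for enforcing HTTPS."""
    return sorted({f.dst for f in findings})


# Constructed sample capture: two cleartext logins, one TLS handshake, one plain GET.
SAMPLE_CAPTURE = [
    Packet(0.001, "10.0.0.5", "10.0.0.20", "HTTP", 412, "POST /login HTTP/1.1",
           "POST /login HTTP/1.1\r\nHost: intranet.lab\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "username=alice&password=s3cret&remember=1"),
    Packet(0.052, "10.0.0.5", "10.0.0.21", "HTTP", 298, "GET /admin HTTP/1.1",
           "GET /admin HTTP/1.1\r\nHost: printer.lab\r\n"
           "Authorization: Basic " + base64.b64encode(b"admin:admin").decode() + "\r\n\r\n"),
    Packet(0.110, "10.0.0.5", "10.0.0.22", "TLSv1.3", 517, "Client Hello", ""),
    Packet(0.200, "10.0.0.5", "10.0.0.20", "HTTP", 221, "GET /index.html HTTP/1.1",
           "GET /index.html HTTP/1.1\r\nHost: intranet.lab\r\n\r\n"),
]

if __name__ == "__main__":
    results = audit_capture(SAMPLE_CAPTURE)
    for f in results:
        print(f"{f.time:.3f}s {f.src} -> {f.dst}: {f.kind}, exposed fields {f.fields}")
    print("Enforce HTTPS on:", exposed_servers(results))
```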

Another tool in line for scanning for vulnerabilities is TCPDump. TCPDump is a program that allows users to "dump" traffic on a network. In addition, TCPDump tracks down network problems, detects attacks, and monitors network activities, for it is able to examine packets of protocols such as Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), Internet Control Message Protocol version 6 (ICMPv6), User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Control Message Protocol version 4 (ICMPv4), Simple Network Management Protocol (SNMP), Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Internet Group Management Protocol (IGMP), Protocol Independent Multicast (PIM), Distance Vector Multicast Routing Protocol (DVMRP), Andrew File System (AFS), Server Message Block (SMB), Open Shortest Path First (OSPF), Network File System (NFS), and many more. (Gerardi, 2020)

On the other hand, the Exploit Database, or ExploitDB, is a record or repository of public security exploits, explained within that specific database. Its goal is to provide a complete and extensive collection of exploits in a free and easy-to-use database, gathered through mailing lists, direct submissions, and other public sources (Cyber Security Intelligence, 2021). Moreover, it helps identify possible weaknesses in a specific network and stay up to date on current attacks taking place in other networks. It has a website, exploit-db.com, which contains documented exploited applications and services, sometimes with the vulnerable applications themselves, which can be searched, downloaded, and then used for exploitation. For penetration testers and vulnerability researchers, the Exploit Database is a repository of publicly accessible exploits and the susceptible software they relate to. Its goal is to compile the most complete collection of exploits, shellcode, and papers available, acquired via direct contributions, mailing groups, and other publicly available sources, and to offer them in a freely accessible and easy-to-navigate database. Included in the Exploit Database repository is searchsploit, a command-line search and query tool for ExploitDB that allows searching for exploits locally. (Offensive Security, n.d.)

Gaining Access Tools

As discussed in the Penetration Testing article in the preceding pages, gaining access uses tools to successfully exploit a particular machine or system. However, some tools still need other tools (from the earlier phases of ethical hacking, such as reconnaissance and scanning for vulnerabilities) to gain access. Among the plethora of tools that can be used in gaining access is Metasploit. This is a free and open-source penetration testing framework. There are numerous modules in Metasploit that allow configuring an exploit module. After configuring, one pairs it with a payload, targets a victim, and finally launches the attack against the target machine. According to Said (2020), one of the most popular penetration testing tools under Kali Linux is Metasploit. It is commonly known for attacking systems to test security exploits. There are five (5) module types, which are the payload, exploit, auxiliary, post-exploitation, and NOP generator modules. Before Metasploit begins, many information-gathering tests are carried out, and Metasploit combines with numerous reconnaissance tools (Nmap and theHarvester) to locate the vulnerabilities or weaknesses in a machine. Once the weakness is identified, an appropriate exploit and/or payload is selected for the exploitation of the machine. After that, the chosen payload is executed at the target, and the ethical hacker is given a shell to connect with the payload once the exploit is successful. It provides the penetration tester administrator privileges, allowing packet sniffing, keyloggers, screen capture, rebooting of the machine, setting up a permanent backdoor, deleting files, and many more. (Petters, 2020)

Ottawa (2022) highlighted two (2) steps in this phase, gaining access, that help a hacker own a system: password cracking and privilege escalation. A password, sometimes called a PIN or passcode, protects personal access to specific applications or systems and is known only to authorized personnel or users. It is frequently linked to an identifier to validate authenticity and identity (e.g., a username or email address). THC-Hydra and John-the-Ripper are two of the most widely used password attack tools in Kali Linux, according to Carson (2020), a Certified Information Systems Security Professional (CISSP).

Brutespray is a penetration testing tool under the gaining access phase of penetration testing that operates on port scanning results. As the name suggests, once it is run, it automatically brute-forces the scanned services. The implementation of this attack starts by scanning the target's website or internal network using Nmap, one of the tools under the reconnaissance phase, to check the open ports and other services. After the scan, the scanned data and information are saved in GNMAP/XML format. The output file is used by the pentesters to perform brute-force attacks against the open port services of the target with dictionary attacks to capture credentials. (Ganesh, 2019)

THC-Hydra is one of the most popular brute-force password cracking tools. Similar to Brutespray, THC-Hydra performs both dictionary and brute-force attacks, and it can be operated through a Graphical User Interface (GUI) or the command-line interface (CLI). It also supports various operating systems, including all Unix platforms such as Linux and Solaris, as well as macOS and Windows. Furthermore, Hydra is effective against numerous protocols such as SSH, Telnet, and many more. Hydra works online and needs to use the Internet to ensure that a connection is established. (Rajalingham, 2021)

John-the-Ripper is a popular open-source password cracking application initially designed for Unix-based computers that now works on various platforms. The three (3) main password-cracking techniques used by John-the-Ripper are (a) single crack mode, which is the quickest and best option if the entire password file to crack is provided; (b) wordlist mode, which compares the hash to a database of potential password matches; and (c) incremental mode, which is the most potent because it employs brute force to try every possible combination until it produces a result. (Petters, 2020)

One of the web application testing tools used during the gaining access phase is Sqlmap, which looks for and exploits structured query language (SQL) injection vulnerabilities in web applications. On the target host, it detects one or more SQL injections. A variety of options are available to users, including performing a thorough fingerprint of the backend database management system. In addition, it retrieves the session user and database of the database management system (DBMS). It can also enumerate users, password hashes, privileges, and databases. Sqlmap dumps entire or user-specified DBMS tables and columns. It executes SQL commands or statements and reads particular files on the file system, among other things. Also, Sqlmap is utilized from the command-line interface (CLI) and is open-source and free. MySQL, Oracle, PostgreSQL, MariaDB, Apache, and other database management systems are fully supported. It also supports a variety of SQL injection techniques that are both powerful and diverse for web application testing. (Imperva, n.d.)

Burp, often known as Burp Suite, is a web application penetration testing tool with a graphical user interface (GUI). The most common users of Burp are expert web app security researchers and bug bounty hunters. Three editions of the tool are offered: a free Community Edition, a Professional Edition, and an Enterprise Edition. There are far fewer features in the Community Edition. Its objective is to offer a complete security solution for online applications: a web application mapping spider used to map target websites and a repeater that enables users to send requests with customized alterations. A decoder is also useful for searching for data chunks in headers, parameter values, etc. In addition, a comparer function analyzes two (2) pieces of data to spot visual differences, and an extender aids Burp Suite in integrating supporting third-party components into the tools to expand their functionality. The tool's more intricate capabilities include a sequencer that doubles as an entropy checker to determine whether tokens created by the web server are indeed random. On the other hand, the proxy server and intruder are essential tools one can practice with, and these were used in this study. (Huro, 2020)

Network infrastructure tests, on the other hand, are defined as follows: "Testing network infrastructure can be accomplished with equipment that operates on one or more layers that define an Ethernet/IP network" (Payerle, 2016). One such tool is Yersinia, a framework for performing layer two attacks. It takes advantage of some weaknesses in different network protocols such as Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP), and many more. (Bisson, M. n.d.)


On the other hand, Cisco Global Exploiter, or CGE, is an advanced, fast, yet straightforward security testing tool that can exploit the most dangerous vulnerabilities, precisely fourteen (14) vulnerabilities of Cisco Systems. Taking two simple parameters (the target and the vulnerability to exploit), CGE has an intuitive and straightforward user interface executable from the command line. To be more specific, the fourteen (14) vulnerabilities in Cisco switches and routers are: (1) Cisco 677/678 Telnet Buffer Overflow Vulnerability, (2) Cisco IOS Router Denial of Service Vulnerability, (3) Cisco IOS HTTP Auth Vulnerability, (4) Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability, (5) Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability, (6) Cisco 675 Web Administration Denial of Service Vulnerability, (7) Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability, (8) Cisco IOS Software HTTP Request Denial of Service Vulnerability, (9) Cisco 514 UDP Flood Denial of Service Vulnerability, (10) CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability, (11) Cisco Catalyst Memory Leak Vulnerability, (12) Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability, (13) 0 Encoding IDS Bypass Vulnerability (UTF), and (14) Cisco IOS HTTP Denial of Service Vulnerability. (James, 2018)

The main goal of the wireless network test is to identify Wi-Fi networks (e.g., fingerprinting, information leakage, and signal leakage) and then determine the weakness/es of the encryption (e.g., encryption cracking, wireless sniffing). Furthermore, it identifies the chance to evade the wireless control measures of wireless local area networks (WLANs). Moreover, it also includes identifying users' credentials for accessing their networks. One of the tools in this phase is Aircrack-ng, which concentrates on several aspects of Wi-Fi security such as monitoring, capturing packets, and exporting data to text files for in-depth processing by third-party tools. Furthermore, it can test or check Wi-Fi cards and driver capabilities. (Robb, 2019)

Fern-Wi-Fi-Cracker is a Graphical User Interface (GUI)-based penetration testing tool under the gaining access phase, created by Saviour Emmanuel Ekiko, with the same goal as other wireless network password cracking tools such as Aircrack-ng: to crack WEP/WPA/WPS keys. However, Fern-WiFi-Cracker can also recover those keys. Furthermore, some of the features of Fern Wi-Fi Cracker include cracking of WEP and WPA/WPA2 and brute-forcing attacks on HTTP, HTTPS, TELNET, and FTP. (Tutorialspoint, n.d.)

Another tool is Karmetasploit, which is used to create access points, capture passwords, collect information, and perform web browser attacks on clients (by faking these), for example, a fake modem or access point made by a hacker or a pentester. The only requirement is that the user connects to the fake access point created. As a result, a plethora of various servers is launched: from Domain Name Server (DNS), Post Office Protocol 3 (POP3), and Internet Message Access Protocol (IMAP) to various Hypertext Transfer Protocol (HTTP) servers, a broad net is cast to gather several types of information. (Offensive Security, n.d.)

Last is the social engineering test. Allen (2021) defined social engineering attacks as ethical hackers conducting social engineering attacks such as phishing. Furthermore, the social engineering test aims to point out the weaknesses of a person and even of a group of people. As RS Security (2018) said, "The most easily exploitable vulnerability is human nature." The Social-Engineer Toolkit (SEToolkit) is a free and open-source penetration testing tool for social engineering, created by Dave Kennedy, the founder of TrustedSec. It is capable of social engineering attacks such as phishing, cloning websites, sending SMS, and many more. (Borges, 2020)

Penetration Test Laboratory

In their book entitled "The Pentester Blueprint," Wylie, P., & Crawley, K. (2021) stated three approaches to consider when building a laboratory. They called the first approach the Minimalist. The minimalist approach is the easiest to set up, for it consists only of one laptop running a hypervisor, making it portable and capable of being run almost anywhere. However, one of the disadvantages of this setup is the need for dongles or an adapter. Tools like Aircrack-ng need a network adapter that supports promiscuous mode, and virtual machine network adapters do not have that kind of feature. The following approach is the Dedicated Lab, which uses actual computers instead of virtual machines. They also added that, if possible, Internet access is needed so that remote access will be possible. Last is the Advanced Lab; this approach follows the previous laboratory, but network devices are now present. These network devices include network switches, routers, and firewalls.

Virtual and real environments both have merits and drawbacks. The key advantages of a virtual arrangement are cost and scalability. Putting together a single physical machine or multiple network arrangements will strain a person's budget. On the other hand, virtual machines may not always perfectly replicate the functionality of physical computers; therefore, approaches that work on a real machine may not work on a virtual machine and vice versa. Furthermore, enterprises and organizations do not operate in a virtualized environment but rather a physical one. (Wylie & Crawley, 2021)

Another penetration laboratory book, entitled "Penetration Testers Open-Source Toolkit" and authored by Faircloth (2017), discusses how to build a penetration testing laboratory and provides realistic scenarios. The book highlights that there is a general approach to setting up this kind of laboratory, and its steps will help build a functional and essential penetration testing laboratory. The first step is determining the objectives, which is vital for building a lab. The second step is to design the lab's architecture, or the other way around; the design should accurately represent the objective. The author highlighted that to test wireless attacks, the lab should include wireless access points, a wireless and a wired client machine, and an attack machine as elements of the lab. After building those essential elements comes the time to decide what operating system will be used and the brands and models of the equipment. Also, one crucial reminder to keep in mind is to isolate the lab from any other network, for it can cause problems for other networks. It is also essential to list the reports and findings after the testing.

There are also five types of penetration testing labs mentioned in this book: first is the virtual penetration test lab, second is the internal penetration test lab, third is the external penetration test lab, fourth is the project-specific penetration test lab, and fifth is the ad hoc lab. The virtual penetration lab is the simplest, having only one virtualization software system with multiple operating systems. The internal penetration lab consists of two systems (one system is the target, and the other is the tester's machine) connected to a router that provides services such as DNS and DHCP. The objective of this laboratory is to see the existing vulnerabilities in a corporation or the business world. The external penetration lab's objective, on the other hand, is to check whether there is a way to gain access to the network or system given that defense tools or software are present; therefore, the system must include a firewall. The project-specific penetration lab creates a replica of the target system or network. There is a need for the same equipment used in real life; however, such labs are rarely built because the equipment is expensive. The last one is the ad hoc lab, which is only used to test a server, whether the server's patch or the traffic being sent.


The third step is to build the lab, where physical work is now involved. Choosing the right hardware equipment with respect to the budget is very vital. Moreover, the last step is to run the lab. This step is not just for installing the software, operating system, and other tools to be used, and for testing. This step also involves documenting the process of building the lab and writing up the results (Faircloth, 2017).

Students would benefit greatly from developing a laboratory that integrates hardware and software components, according to Lunetta (1998) and Hofstein & Lunetta (1982). Laboratories serve a variety of student goals or objectives. One of the goals is developing practical skills for the students, wherein students may learn to use the tools or develop skills in using the equipment correctly and safely. Students can also make observations, take measurements, and carry out well-defined procedures. Thus, students played a vital role in assessing the subjective usability of the laboratory. This assessment examines the four (4) dimensions of usability, which are usefulness, ease of use, ease of learning, and satisfaction (Lund, 2001).

Several questionnaires are used to assess users' attitudes about different consumer items. The USE questionnaire[1] is designed so that users are asked to grade their agreement with assertions, ranging from "strongly disagree" to "strongly agree." Lund (2001) created a brief questionnaire that could assess the usability of software, hardware, services, and other user-support materials while also measuring the aspects of usability that are important to users. Both users and practitioners would have some faith in the goods' appearance. It would be feasible to envision the design elements that might affect how things are rated. Although usability aspects would be treated as dependent variables, it was not intended to be a diagnostic tool. The USE questionnaire is a trustworthy and reliable questionnaire tool, according to numerous studies and articles. The validity or dependability of the USE has been reported in a small amount of published research. One study seeks to address the problem by examining the psychometric features of the USE: 151 Mechanical Turk (MTurk) users rated Amazon.com and Microsoft Word using the USE and the System Usability Scale (SUS, Brooke, 1996). The study's conclusion states that the USE is a valid and trustworthy instrument that still requires improvement. Various studies also concluded that the USE questionnaire proved to be the right choice for their study. The USE questionnaire provides information, through the data gathered, about which aspects of the system or product could be improved. Furthermore, the analysis's conclusion revealed that the USE Questionnaire was a legitimate and trustworthy tool for evaluating the system or product in question. (Gao et al., 2018)

[1] See Appendix T for the USE questionnaire


RELATED STUDIES

Ethical Hacking

In a study by Hartley (2015) entitled "Ethical Hacking Pedagogy: An Analysis and Overview of Teaching Students to Hack," the researcher suggested teaching students about ethical hacking. The study's primary purpose was to prepare students, especially those interested in pursuing the field of cybersecurity. Teaching about ethical hacking must be hands-on, which is the same as what Logan and Clarkson (2005) found. According to them, teaching ethical hacking should take the form of hands-on experience rather than a textbook and lecture format. The study also stressed the necessity of soft skills in ethical hacking. Soft skills pertain to how a person works; the skills included were primarily social. In Trabelsi and McCoey's (2016) study, they listed soft skills, specifically social engineering, as one of the skills needed by students. The others were an understanding of security and an understanding of how hackers work or think. (Hartley, 2015)


Penetration Testing for Kali Linux

In the study conducted by V. Santhi et al. entitled "Penetration Testing using Linux Tools: Attacks and Defense Strategies," Kali Linux was used to conduct the penetration testing. The study's objective was to investigate a range of tools that would suit their needs. They also demonstrated basic penetration testing and explained how to defend against such attacks. Their methodology has four steps: planning, discovery, exploitation, and reporting. They used Ettercap, Driftnet, Nmap, Wireshark, and Metasploit. However, no information about the target machine's characteristics or operating system is provided. (Santhi et al., 2016)

Kali is one of the most popular operating systems for hackers; it offers many tools that come pre-installed. In a recent study, He-Jun Lu and Yang Yu (2021) used Kali Linux and its available tools for penetration testing of a wireless network. They followed four steps in conducting their penetration testing: first the preparation, next information collection, then the simulated attack, and lastly the reporting. Other methods were also used, such as scanning, monitoring, packet capture, and many more attacks. Their experiment's findings demonstrated that Kali Linux had a positive impact on enhancing wireless network security. (He-Jun & Yang, 2021)

Another study on using Kali Linux was conducted by Denis et al. (2016). They mainly used tools already packaged in Kali Linux for penetration testing. The test comprised traffic sniffing, Wi-Fi hacking, Man-in-the-Middle (MITM) attacks, surveillance or spying, penetration testing on smartphones, and hacking remote personal computers (PCs) as well as a phone's Bluetooth. (Denis et al., 2016)

Furthermore, Filipino researchers conducted a related case study about penetration testing entitled "Penetration Test on Home Network Environments: A Cybersecurity Case Study." Although the primary purpose of that research was to determine how vulnerable the default settings of the SOHO routers that public and private telecommunication companies give their customers are, the study used Kali Linux as its operating system for testing the vulnerabilities. De-authentication, dictionary and brute-forcing attacks, and many more were the kinds of attacks used to discover risks that could damage the network. (Blancaflor et al., 2016)


Penetration Testing Tools

In a study conducted by Palak & Aman (2017) entitled "Analysis of Penetration Testing Tools," penetration testing is the practice of impersonating an attacker to find weaknesses in a system that could be used for malicious ends. The research study also provides an outline of penetration testing and specifies the factors considered in selecting the most appropriate tools for the task. According to the role each tool serves, their study divided them into three categories. The first category of operations is port scanning, which finds open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. Second is vulnerability analysis, the process of finding system vulnerabilities before they can be exploited by someone with malicious intent to harm the network. The last category is vulnerability exploitation. Nmap was one of the tools mentioned in this study, alongside other tools like Dmitry, Hping3, and Unicornscan. Their evaluation criteria include how many ports each tool scanned, the number of open ports found, the types of ports scanned, the scan time (the time taken by the tool to perform the whole scan), and the Operating System (OS) version. (Palak & Aman, 2017)

Chiem Trieu Phong (2014) from Auckland University of Technology in New Zealand conducted a research study entitled "A Study of Penetration Testing Tools and Approaches," whose objective was to study the performance of different penetration testing tools in terms of response time and coverage. The amount of time it takes for a tool to complete a certain operation is referred to as "response time," whereas "coverage" refers to the number of open ports or vulnerabilities that the tools detect. The collected data is combined and compared to determine which tool is more effective. Furthermore, an attack tree model is used in this study. The attack tree helped the researchers determine which attacks on the target machines are the most effective. In addition, the attack tree model is applied to organize offensive events on victims to provide a more comprehensive perspective of the attacking context. Lastly, its ultimate goal is to provide actual value to the security community by providing trustworthy references on penetration testing tool performance. (Phong, 2014)

A similar study was conducted by Mamilla (2021), which tests various penetration testing tools in a Kali Linux system to determine the most efficient one. Different types of penetration testing are mentioned: network penetration tests, application penetration tests, periodic network vulnerability assessments, physical security tests, client-side penetration tests, wireless penetration tests, and social engineering tests. Furthermore, the attack tree model for penetration testing is highlighted in this study, serving as a visual aid for weighing multiple attacks on a system. The penetration testing process is also included in this study; planning, reconnaissance, scanning, gaining access, maintaining access, covering tracks, analysis, and reporting, respectively, are the phases of penetration testing mentioned. The penetration testing tools were divided according to attack category. The network scanning tools used are Nmap, OpenVAS, Dmitry, Unicornscan, Sparta, Netcat, SolarWinds Port Scanner, Angry IP Scanner, and ManageEngine OpUtils. The tools used for the password cracking attack were John-the-Ripper, IMP 2.0, L0phtCrack, Crack 5, and Cain and Abel. The tools for vulnerability assessment were Nessus, SARA, and SATAN. Lastly, the miscellaneous tools are Wireshark, Metasploit Framework, Recon-ng, and Peach. The researcher further discusses each tool mentioned in her research paper alongside the results of each assessment and comparison. (Mamilla, 2021)

Another study about penetration testing by Bacudio, Xiaohong, Bei & Jones (2011) is entitled "An Overview of Penetration Testing." They highlighted that penetration testing helps determine whether or not security measures are implemented effectively. Most importantly, this research presents the advantages, strategies, and methodology for penetration testing. They said that penetration testing has three phases. First is the test preparation phase, which is followed by specific steps: information gathering, vulnerability analysis, and vulnerability exploitation. They conducted a penetration testing process during the test phase, and various penetration tools were used, described, and analyzed. Nmap and the Metasploit Framework are two of them. There is a particular part of their study wherein they listed three strategies for penetration testing, namely black box, white box, and gray box. In the black box, the testers do not know the target; they need to figure out the system's flaws without prior knowledge of the target victim. In contrast, in the white box, the pentesters know the target and are given all relevant information on it. They defined the gray box as "partial disclosure of information" about the target victim. Another penetration testing strategy they mentioned is external and internal testing. The term "external testing" refers to an attack on the test target using techniques from outside the company or organization that controls the test target. Additionally, it seeks to ascertain whether an outside attacker can gain access and how far he may advance once he does. Internal testing, on the other hand, comes from within the company that controls the test target. Internal testing is concerned with figuring out what would occur if a legitimate user with standard access privileges managed to breach the target. (Bacudio et al., 2011)

In the research paper of Kesharwani et al. (2018) entitled "A Study on Penetration Testing Using Metasploit Framework," the phases used by the researchers are information gathering, scanning and discovering vulnerabilities, exploitation, and report generation. They employed Nmap, a network mapper, and Metasploit's auxiliary scanner modules for their scanning phase to determine the type of services running on the web server, their versions, the ports on which they are running, and the services running on the operating system. One of the tools they used for the exploitation phase is John-the-Ripper, alongside Nessus, Firewalk, and Crack / Libcrack. (Kesharwani et al., 2018)


RESEARCH PARADIGM

[Figure 1: four quadrants labelled Action Research, Design Science, Grounded Theory, and Systems Development]

Figure 1. Research Paradigm of the Study

The research paradigm shown in Figure 1 was adapted from Dr. Napoleon Meimban, a former Pangasinan State University – Urdaneta City faculty member and a former Dean of PSU – Graduate Studies. Dr. Kenneth Oliver S. Lopez then revised this paradigm to fit the needs of the Bachelor of Science in Computer Engineering's research paradigm. Together with their adviser, the researchers thought of a problem that could be addressed through this research. One problem they identified is that running a penetration testing laboratory in a hypervisor could limit the students, especially when their devices have low CPU processing speed and slow RAM. Therefore, the researchers and the adviser developed a penetration testing laboratory. Design Science: the developed penetration testing laboratory will aid Computer Engineering students of Pangasinan State University – Urdaneta City Campus (PSU-UC) in learning ethical hacking. Action Research: the data collected were the speed and coverage of the penetration testing tools and the reliability of the developed laboratory, measured through the average weighted mean. Grounded Theory: the developed laboratory eliminates some of the problems stated beforehand, such as the low CPU speed and slow RAM. Systems Development: the developed laboratory consists of one (1) Raspberry Pi 4 Model B as the attacker machine; two (2) Raspberry Pi 3 Model B+ as the target server and target desktop; two (2) Cisco 2811 routers, of which one (1) was the target router; two (2) Cisco Catalyst 3750 switches; and a TP-Link TL-WR840N access point. After the penetration testing laboratory is developed, a test of different tools will be staged.

CONCEPTUAL FRAMEWORK

Figure 2 shows the conceptual framework of the study. The study has three phases: input, process, and output. The input phase will be composed of all the penetration testing tool software and hardware equipment used in the study. The process phase will be the integration: here the researchers will develop a penetration testing laboratory to further analyze the effectiveness of the penetration testing tools and for the future use of the Computer Engineering students of PSU-UCC.


[Figure 2: Input – Penetration Testing Software Tools & Hardware Equipment; Process – Integration; Output – Penetration Testing Laboratory]

Figure 2. Conceptual Framework of the Study


CHAPTER 3

METHODOLOGY

This section presents the procedures and methodologies applied to the study, including details of the tools used for analysis and the methods of research and data gathering.

RESEARCH DESIGN

[Figure 3: agile cycle with the phases Requirements, Design, Construction, Testing, Deployment, and Feedback]

Figure 3. Agile Process Model of the Study

Figure 3 shows the agile process model used throughout the study (Isaac S, 2022). The requirements phase was used to identify which hardware components, and which technical specifications of those devices, were incorporated in the penetration testing laboratory. After recognizing these requirements, the second phase was the design: the hardware components were arranged according to how they would function later. The laboratory was divided into two (2) terminals; some of the devices served as the attacker, and the others operated as the targets. The third phase, construction, was where the researchers configured the hardware components into a working laboratory, establishing connections between different networks through routing protocols, VLAN management, and basic configuration such as setting IP addresses, hostnames, usernames, and passwords. During testing, nineteen (19) different penetration testing tools were run in the laboratory from the attacker. The researchers then assessed the effectiveness of these penetration testing tools. The configuration steps done on the attacker were turned into a laboratory manual. After testing, the laboratory equipment and manual were deployed to the students of the Computer Engineering Department, Major in Systems and Network Administration, of Pangasinan State University – Urdaneta City Campus (PSU – UCC) for evaluation of the reliability and acceptability of the developed laboratory. Lastly, the researchers received feedback about the developed penetration testing laboratory in the form of a survey questionnaire.

DATA COLLECTION

Observation

For this part, the main focus was on the penetration testing tools. The speed and coverage of the tools were observed. Most penetration testing tools do not display the time it took to generate a result, so the researchers used a device to measure or monitor the speed of the penetration testing tools. The researchers relied on the time (in seconds or minutes) it takes a tool to finish a task. Coverage, meanwhile, was taken on the premise of the tools' ability to pass through the penetration testing phases: information gathering, scanning for vulnerabilities, and gaining access.

Data Gathering

The first data collected in the study was the speed of the penetration testing tools in processing a task, used to determine whether some variables affect result generation. In addition, the researchers collected data on whether these tools can operate in their designated penetration testing phase and whether they can aid or affect other tools' performance. Furthermore, a survey questionnaire using the Likert Scale was used to gather data on the reliability of the penetration testing laboratory. There were thirty (30) respondents, all of whom were students of the Bachelor of Science in Computer Engineering, major in Systems and Network Administration, at Pangasinan State University – Urdaneta City Campus (PSU-UCC).
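The speed and coverage measurements described under Observation and Data Gathering can be automated. The following is an added example, not code from the thesis: it times a tool invocation externally (since most tools do not report their own elapsed time), repeats the run to expose run-to-run variation, and counts open ports in Nmap-style output as a coverage figure. The sample output and the stand-in command are constructed for offline use.

```python
"""Timing and coverage harness for tool runs (added example, not from
the thesis). The Nmap-style output below is constructed, not a real scan."""
import re
import statistics
import subprocess
import sys
import time

# Matches lines such as "22/tcp   open  ssh" in Nmap's normal output.
OPEN_PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\b", re.MULTILINE)


def time_tool(argv, timeout=600):
    """Run one tool invocation; return wall-clock seconds, exit status and output."""
    start = time.perf_counter()
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    elapsed = time.perf_counter() - start
    return {"argv": argv, "elapsed": elapsed,
            "returncode": proc.returncode, "stdout": proc.stdout}


def run_trials(argv, trials=3, timeout=600):
    """Repeat a run and summarise speed (mean and spread of elapsed time),
    which shows whether conditions between runs change the measurement."""
    times = [time_tool(argv, timeout)["elapsed"] for _ in range(trials)]
    return {"trials": trials, "mean_s": statistics.mean(times),
            "min_s": min(times), "max_s": max(times)}


def count_open_ports(nmap_output):
    """Coverage figure: number of distinct open ports in Nmap-style output."""
    return len({(p, proto) for p, proto in OPEN_PORT_RE.findall(nmap_output)})


def stand_in_command(seconds):
    """Harmless stand-in for a real tool: a Python process that just sleeps."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


# Constructed sample of Nmap-style output (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap ( https://nmap.org )
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  filtered netbios-ssn
443/tcp  closed   https
53/udp   open     domain
"""

if __name__ == "__main__":
    print(run_trials(stand_in_command(0.2), trials=2))
    print("open ports in sample:", count_open_ports(SAMPLE_NMAP_OUTPUT))
```

Replace the stand-in argv with the real tool's command line (for example an Nmap scan of a lab target) to record its elapsed time and open-port count per run.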

Tools for Analysis

As already discussed in the preceding chapter, there are five (5) stages of ethical hacking (Imperva, 2021). In this study, the researchers apply only the first three (3) phases of penetration testing: information gathering, scanning, and gaining access. Each phase corresponds to specific penetration testing tools used in the study. For reconnaissance, the tools Recon-ng and theHarvester were used. These tools could be unnecessary, since both tools' purpose is to search for domains and emails available on the target; the researchers included them so the readers would have specific knowledge of using these tools. For the scanning phase, the tools used are Nmap, Nikto, Wireshark, TCPDump, and ExploitDB.

Furthermore, in the third phase of penetration testing, gaining access, the tool used for automated exploitation was Metasploit. Brutespray, THC-Hydra, and John-the-Ripper were utilized for brute-forcing and password cracking. BurpSuite and Sqlmap were used for Web Application Testing. In addition, Yersinia and Cisco-Global-Exploiter were used for Network Infrastructure Testing, while Aircrack-ng, Fern-WiFi-Cracker, and Karmetasploit were applied for Wireless Network Infrastructure Testing. Lastly, the Social Engineering Toolkit (SEToolkit) was used for Social Engineering Testing.

Testing

In the testing phase, penetration testing tools were used in the developed penetration testing laboratory. For the reconnaissance phase, the laboratory was connected to the Internet and used passive reconnaissance; thus, the researchers did not directly engage the target system, Google (google.com). Next, in the scanning phase, the target could be any device within the target-side portion of the laboratory structure. The goal of this phase was to find vulnerabilities, such as open ports, outdated software, and other existing vulnerabilities that could be available. The third phase is gaining access. In this phase, vulnerabilities found in the previous phase were used to gain access to each possible device.

Statistical Treatment

The third specific statement of the problem was to determine the reliability and acceptability of the penetration testing laboratory to the students. The average weighted mean was utilized to determine the designed laboratory equipment's reliability and acceptability. The formula was:

$\bar{X} = \frac{\sum X}{N}$

Wherein: ∑X = sum of the quantitative variables
N = total sample size

Respondents were given the chance to rate each statement in the questionnaire. The researchers used the Likert Scale, depicted in Table 1, to measure respondents' attitudes toward a particular question or statement. A Likert Scale is composed of a series of three (3) or more Likert-type items, represented in similar questions, combined into a single variable. Their answers were given a corresponding number as follows:

Table 1. Likert Scale Response Options

Numerical Value   Descriptive Equivalent
5 – 4.50          Strongly Agree
4.49 – 3.50       Agree
3.49 – 2.50       Neutral
2.49 – 1.50       Disagree
1.49 – 0          Strongly Disagree
