
SYMBIOSIS CENTRE FOR INFORMATION TECHNOLOGY
Symbiosis International University
(Established under section 3 of the UGC Act, 1956 vide notification No. F 9-12/2001-U 3 of Government of India)

Accredited by NAAC with 'A' Grade

Project Progress Report (PPR-11)


Submission Date: June 10, 2016
Name of the Student: Lovepreet Singh Sidhu
PRN: 15030241171
Batch: 2015-17

1. Methodology of the Project:

The methodology used in my project is the five phases of VAPT:
Reconnaissance: This process is probably the longest phase. In this phase we mainly perform data gathering by various methods, such as social engineering and scanning with various tools like nmap, sqlmapwizard, skipfish, etc.
Scanning: This is the second process, after information gathering. In this process we look for vulnerabilities, weaknesses, and backdoors by looking for open ports, open services, versions, encryption methods, etc., using various commercial tools like Acunetix, Nessus, Burp Suite, etc.
Gaining Access: In this phase we try to gain access by using the weakness or backdoor.
Maintaining Access: In this phase we try to maintain the access after gaining it, for long enough to complete our objective.
Reporting: Putting everything from the scan into a professional scan report showing the list of vulnerabilities, solutions to them, and their CVEs.
2. Details of the Progress in Terms of Work Done:
Studied what ethical hacking is and studied networks and ports. Then studied what exactly penetration testing is and what the different types of tools used for it are. Scanned the college website, performed manual SQL injection and defaced the website. Also performed sniffing and found a clear-text vulnerability. Also studied Metasploit and its various commands. (First 2 weeks)
Learned and practiced various tools which are used for finding vulnerabilities, and then how to exploit them. Also learned about brute-force attacks.
Various tools learned are Nessus, Acunetix, Metasploit, Burp Suite, Sqlmap, uniscan, GFI LanGuard, Netsparker, etc. (3rd and 4th weeks)
In May we were asked to pen test a client's website. My client was an educational university website. I had to scan their website, find vulnerabilities, then look for their exploits, and provide the best solution for them.

Made a professional report for the scanning and submitted it at the end of the month (May 2016).
Studied wireless security attacks and how they can be exploited. (1st week of June)
Learning about social engineering and role playing.
3. Reviews of the Technical, Business or Managerial Aspects of the Problems Identified:
I have observed that in hacking, 80% of hacks occur because of social engineering. Social engineering is one of the biggest vulnerabilities and exploits. It requires trust gaining, shoulder surfing, etc.
The second thing I observed is that most websites can be hacked just because of small vulnerabilities. Organizations sometimes ignore small vulnerabilities while taking care of bigger vulnerabilities.
Next, I observed that most websites are vulnerable to the top 10 OWASP vulnerabilities.
Most old organizations don't care about upgrading their systems and versions.
Weak code can lead to source code disclosure and can create backdoor entries.
4. Approaches to the Above Problems:
Social engineering is tough to cope with, but some measures can be taken, like a background check of employees before joining and not sharing your passwords with anyone, no matter how close he/she is.
Organizations should keep upgrading their systems and their web server and service versions with time to avoid attacks.
Organizations should scan their website at regular intervals for any newly discovered vulnerabilities and should keep their database updated.
Code should be tested properly and then checked to ensure that source code is not being disclosed.
5. Analysis of Work Done:
(April 2016)
Studied ethical hacking
Networks
Ports
Basics of penetration testing, all its phases, and different tools
Learning about various tools used:
1. Nessus: online vulnerability scanner
2. Nmap: for scanning ports and services
3. Uniscan: scans a system for vulnerabilities, source code, backdoors, versions, ports
4. Acunetix: vulnerability scanner

5. Burp Suite: vulnerability scanner and tool for taking PoC
6. Skipfish: vulnerability scanner
7. Metasploit: used for penetration testing, which includes various scanners and exploits
8. Crunch: tool for brute forcing
(May 2016)
A client site was given to perform penetration testing on, using various tools.
My client site was an educational medical university site.
Scanned for various vulnerabilities; the vulnerabilities found included source code disclosure, version disclosure, encryption method, list of open ports and the services on them, cross-site scripting, clickjacking, etc.
PoCs were taken for all vulnerabilities and a detailed report was prepared with their CVE and CWE.
Found solutions for all vulnerabilities.
Submitted a detailed report for that.
Studying social engineering and how role plays work in social engineering.
6. Outcomes and Learnings Based on Work Done:
Theoretical and practical knowledge of VAPT
What solutions are to be given for vulnerabilities
How to exploit any vulnerability to take a PoC
