To see the other types of publications on this topic, follow the link: Penetration testing (Computer security).
Journal articles on the topic 'Penetration testing (Computer security)'
Create a spot-on reference in APA, MLA, Chicago, Harvard, and other styles
Consult the top 50 journal articles for your research on the topic 'Penetration testing (Computer security).'
Next to every source in the list of references, there is an 'Add to bibliography' button. Press on it, and we will generate automatically the bibliographic reference to the chosen work in the citation style you need: APA, MLA, Harvard, Chicago, Vancouver, etc.
You can also download the full text of the academic publication as pdf and read online its abstract whenever available in the metadata.
Browse journal articles on a wide variety of disciplines and organise your bibliography correctly.
1
Singh, Tarandeep, Akshat Bajpai, and Samiksha Shukla. "Ethical Hacking and Penetration Testing." International Journal for Research in Applied Science and Engineering Technology 12, no. 4 (April 30, 2024): 2924–30. http://dx.doi.org/10.22214/ijraset.2024.60506.
Full textAbstract:
Abstract: Ethical hacking and penetration testing are crucial components of modern cyber security, aiming to identify and rectify security vulnerabilities in computer systems and networks. The huge number of inventions is constantly expanding. Information is getting doubled in less than a year. The advancement of technology has played an important role in our lives. In this era, the most important concern is computer security for companies and organizations. Unfortunately, the data we share over the internet is not secure in any way. Cyberattacks are getting complex and it is hard to detect them. This research paper provides a comprehensive analysis of ethical hacking and penetration testing, discussing their principles, methodologies, tools, legal aspects, and real-world applications.
2
Boyanov, Petar. "VULNERABILITY PENETRATION TESTING THE COMPUTER AND NETWORK RESOURCES OF WINDOWS BASED OPERATING SYSTEMS." Journal scientific and applied research 5, no. 1 (May 6, 2014): 85–92. http://dx.doi.org/10.46687/jsar.v5i1.113.
Full textAbstract:
In this paper a vulnerability penetration testing for several hosts in WLAN is made. The exploited operating systems were Microsoft Windows 7Enterprise and Microsoft Windows 8. It has been used an exploit named “Java storeImageArray () Invalid Array Index-ing Vulnerability”. Thanks to the open source penetration testing platform - Metasploit Framework the exploit was executed on the target hosts. The most important and critical rea-son the attack being successfully executed is connected with the human factor and interven-tion. Thereby, some security professionals and network administrators can use Metasploit Framework neither to run exploit nor to write security scripts in order to detect and protect the computer and network resources against various malicious cyber-attacks.
3
Narayana Rao, T. Venkat, and Vemula Shravan. "Metasploit Unleashed Tool for Penetration Testing." International Journal on Recent and Innovation Trends in Computing and Communication 7, no. 4 (April 26, 2019): 16–20. http://dx.doi.org/10.17762/ijritcc.v7i4.5285.
Full textAbstract:
In the recent era as the technology is growing rapidly, the use of internet has grown at an exponential rate. The growth has started increasing in between the years 1995-2000.The success of internet has brought great change to the world as we know; however, the problems are common as an obstacle to every productive growth. As the thousands of sites are launching daily and lakhs of people using it ,with limited sources of internet available to monitor the security and credibility of these sites. The security issues are growing rapidly and the existence of vulnerabilities are inevitable. As a result exploits became rampant causing the usage of information security fields. Eventually, the need for vulnerability scanning for a particular network or a particular site has increased and the result was pre-emptive existence of penetration testers whose sole purpose is to execute an exploit using a payload for scanning a vulnerability far before others got the opportunity. Metasploit is a computer security tool that works like a penetration tester. The Metasploit Framework was developed with the intentions of making lives of security experts easier.
4
Tang, Tian, Mu-Chuan Zhou, Yi Quan, Jun-Liang Guo, V. S. Balaji, V. Gomathi, and V. Elamaran. "Penetration Testing and Security Assessment of Healthcare Records on Hospital Websites." Journal of Medical Imaging and Health Informatics 10, no. 9 (August 1, 2020): 2242–46. http://dx.doi.org/10.1166/jmihi.2020.3138.
Full textAbstract:
At present, computer security is the flourishing field in the IT industry. Nowadays, the usage of computers and the Internet grows drastically, and hence, computers become vehicles for the attackers to spread viruses and worms, to distribute spam and spyware, and to perform denial-of-service attacks, etc. The IT engineers (even users) should know about network security threats, and at the same time, to some extent, they should know techniques to overcome the issues. The reliability and privacy of healthcare records of the patients are the most critical issue in the healthcare business industry sector. The security safeguards, such as physical, technical, and administrative safeguards, are crucial in protecting the information in all aspects. This article deals with the forty popular hospital portals in India related to the professional and network security related issues such as operating system guesses, number of open/closed/filtered ports, the name of the Web server, etc. The Nmap (network mapper) tool is used to analyze the results belong to the security perspective.
5
SriNithi, D., G. Elavarasi, T. F. Michael Raj, and P. Sivaprakasam. "Improving Web Application Security Using Penetration Testing." Research Journal of Applied Sciences, Engineering and Technology 8, no. 5 (August 5, 2014): 658–63. http://dx.doi.org/10.19026/rjaset.8.1019.
Full text
6
Li, Chengcheng. "Penetration Testing Curriculum Development in Practice." Journal of Information Technology Education: Innovations in Practice 14 (2015): 085–99. http://dx.doi.org/10.28945/2189.
Full textAbstract:
As both the frequency and the severity of network breaches have increased in recent years, it is essential that cybersecurity is incorporated into the core of business operations. Evidence from the U.S. Bureau of Labor Statistics (Bureau of Labor Statistics, 2012) indicates that there is, and will continue to be, a severe shortage of cybersecurity professionals nationwide throughout the next decade. To fill this job shortage we need a workforce with strong hands-on experience in the latest technologies and software tools to catch up with the rapid evolution of network technologies. It is vital that the IT professionals possess up-to-date technical skills and think and act one step ahead of the cyber criminals who are constantly probing and exploring system vulnerabilities. There is no perfect security mechanism that can defeat all the cyber-attacks; the traditional defensive security mechanism will eventually fail to the pervasive zero-day attacks. However, there are steps to follow to reduce an organization’s vulnerability to cyber-attacks and to mitigate damages. Active security tests of the network from a cyber-criminal’s perspective can identify system vulnerabilities that may lead to future breaches. “If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. But if you know the enemy and know yourself, you need not fear the result of hundred battles” (Sun, 2013). Penetration testing is a discipline within cybersecurity that focuses on identifying and exploiting the vulnerabilities of a network, eventually obtaining access to the critical business information. The pentesters, the security professionals who perform penetration testing, or ethical hackers, break the triad of information security - Confidentiality, Integrity, and Accountability (CIA) - as if they were a cyber-criminal. The purpose of ethical hacking or penetration testing is to know what the “enemy” can do and then generate a report for the management team to aid in strengthening the system, never to cause any real damages. This paper introduces the development of a penetration testing curriculum as a core class in an undergraduate cybersecurity track in Information Technology. The teaching modules are developed based on the professional penetration testing life cycle. The concepts taught in the class are enforced by hands-on lab exercises. This paper also shares the resources that are available to institutions looking for teaching materials and grant opportunities to support efforts when creating a similar curriculum in cybersecurity.
7
Mudiyanselage, Akalanka Karunarathne, and Lei Pan. "Security test MOODLE: a penetration testing case study." International Journal of Computers and Applications 42, no. 4 (November 13, 2017): 372–82. http://dx.doi.org/10.1080/1206212x.2017.1396413.
Full text
8
Yeo, John. "Using penetration testing to enhance your company's security." Computer Fraud & Security 2013, no. 4 (April 2013): 17–20. http://dx.doi.org/10.1016/s1361-3723(13)70039-3.
Full text
9
Bhardwaj, Barkha, and Shivam Tiwari. "Penetration Testing and Data Privacy: An In-Depth Review." Journal of Cyber Security in Computer System 2, no. 1 (February 23, 2023): 18–22. http://dx.doi.org/10.46610/jcscs.2023.v02i01.003.
Full textAbstract:
This research paper provides a comprehensive review of penetration testing and data privacy. Penetration testing is a simulation of an attack on a computer system, network, or web application to identify vulnerabilities and assess the level of security. The objective of this review is to highlight the importance of penetration testing in ensuring the privacy and security of sensitive data. The paper will cover the different types of penetration testing, the processes involved, and the tools and techniques used in the testing. Additionally, the paper will also discuss the various challenges faced by organizations in implementing penetration testing and the measures that can be taken to overcome them. Furthermore, the paper will delve into data privacy and the role of penetration testing in ensuring the confidentiality, integrity, and availability of sensitive data. The review concludes by highlighting the significance of penetration testing in today's increasingly digital world and the need for organizations to invest in it.
10
Gunawan, Teddy Surya, Muhammad Kasim Lim, Mira Kartiwi, Noreha Abdul Malik, and Nanang Ismail. "Penetration Testing using Kali Linux: SQL Injection, XSS, Wordpres, and WPA2 Attacks." Indonesian Journal of Electrical Engineering and Computer Science 12, no. 2 (November 1, 2018): 729. http://dx.doi.org/10.11591/ijeecs.v12.i2.pp729-737.
Full textAbstract:
Nowadays, computers, smart phones, smart watches, printers, projectors, washing machines, fridges, and other mobile devices connected to Internet are exposed to various threats and exploits. Of the various attacks, SQL injection, cross site scripting, Wordpress, and WPA2 attack were the most popular security attacks and will be further investigated in this paper. Kali Linux provides a great platform and medium in learning various types of exploits and peneteration testing. All the simulated attack will be conducted using Kali Linux installed on virtual machine in a compuer with Intel Core i5 and 8 GB RAM, while the victim’s machine is the host computer which run Windows 10 version 1709. Results showed that the attacks launched both on web and firewall were conducted successfully.
11
Kondelwar, Dr Mrs Anuradha, Nikhil Hingawe, Ankit Bachar, Greenkumar Bisen, Karan Bhosale, and Gajendra Tandekar. "CyberX: Own Server Based Windows OS and Penetration Testing." International Journal for Research in Applied Science and Engineering Technology 10, no. 3 (March 31, 2022): 1499–502. http://dx.doi.org/10.22214/ijraset.2022.40917.
Full textAbstract:
Abstract: Computer systems have faced the difficulty of protecting the data with which they work since the beginning, and as technology has advanced, computational security measures have become increasingly complex to counter potential threats. We're currently engaged in a war game with the traditional attackers and defenders. The attackers desire complete control of the systems. Defenders, on the other hand, virtualized systems to ensure the resources' safety in the event of an assault. Attackers have also developed increasingly complex strategies to circumvent such safeguards, necessitating the need to predict such events, which can be accomplished through the use of preventative measures. Simulating Penetration Testing is one way to accomplish this (PT). PT is a computer system attack that employs a series of specialized tools to search for security flaws. These tools may finally get access to the computer's features and data, allowing the finding of evidence of vulnerability. Cyber-attacks are more likely in virtual environments. The purpose of this paper is to present a framework for performing penetration testing in virtual environments. Keywords: Security, Penetration Testing (PT), Vulnerability, Virtual Environments, Cyber-attack.
12
Satria, Deni, Alde Alanda, Aldo Erianda, and Deddy Prayama. "Network Security Assessment Using Internal Network Penetration Testing Methodology." JOIV : International Journal on Informatics Visualization 2, no. 4-2 (October 6, 2018): 360. http://dx.doi.org/10.30630/joiv.2.4-2.190.
Full textAbstract:
The development of information technology is a new challenge for computer network security systems and the information contained in it, the level of awareness of the importance of network security systems is still very low. according to a survey conducted by Symantec, the desire to renew an existing security system within a year within a company has the result that only 13% of respondents consider changes to the security system to be important from a total of 3,300 companies worldwide as respondents. This lack of awareness results in the emergence of security holes that can be used by crackers to enter and disrupt the stability of the system. Every year cyber attacks increase significantly, so that every year there is a need to improve the security of the existing system. Based on that, a method is needed to periodically assess system and network security by using penetrarion testing methods to obtain any vulnerabilities that exist on the network and on a system so as to increase security and minimize theft or loss of important data. Testing is carried out by using internal network penetration testing method which tests using 5 types of attacks. From the results of the tests, each system has a security risk of 20-80%. From the results of these tests it can be concluded that each system has a security vulnerability that can be attacked.
13
Yusnanto, Tri, Muhammad Abdul Muin, and Sugeng Wahyudiono. "Analisa Infrastruktur Jaringan Wireless dan Local Area Network (WLAN) Meggunakan Wireshark Serta Metode Penetration Testing Kali Linux." Journal on Education 4, no. 4 (August 30, 2022): 1470–76. http://dx.doi.org/10.31004/joe.v4i4.2175.
Full textAbstract:
Computer networks and the internet play an important role for the smooth running of various fields of work. One example of information and communication technology is the Wireless Local Area Network (WLAN) or also called wireless local network technology. The method used in this research is the Penetration Testing method, with the intention of analyzing the Wireless Network computer security system in the STMIK Bina Patria Laboratory. Testing is carried out with several activities, including identifying and exploiting vulnerabilities in computer network security. In analyzing the security of the WLAN network, it is carried out using the Penetration Testing method where a form of attack on the network is simulated, one of the operating systems that has the right specifications in this regard is Kali Linux. Wireless network is a network that is widely used in institutions and public places. Even though it has a security system, wireless networks can still be attacked by attackers.
14
Yusuf, Rangga Renaldi, and Teguh Nurhadi Suharsono. "PENGUJIAN KEAMANAN DENGAN METODE OWASP TOP 10 PADA WEBSITE EFORM HELPDESK." Prosiding Seminar Sosial Politik, Bisnis, Akuntansi dan Teknik 5 (December 9, 2023): 402. http://dx.doi.org/10.32897/sobat.2023.5.0.3132.
Full textAbstract:
The development of modern technology has had a significant positive impact on various aspects of life. However, along with this progress, the threat from hackers is also increasing. Hackers are individuals or groups with the ability to breach computer systems or networks, whether for illegal purposes, stealing data, or spreading malware. To avoid this, there is a method called penetration testing. Penetration Testing is a series of methods carried out to test the security of a system. The penetration testing process involves analyzing a system to identify potential security vulnerabilities such as system configuration errors, flaws in software or hardware development, and weaknesses in the logic of a process. After conducting a penetration test using the OWASP TOP 10 2021 method on the Eformhelpdesk website, there were six security vulnerabilities identified in the OWASP TOP 10 2021 category, and one vulnerability that did not fall into that category.
15
Elstial, Ahmed, Khlifa Masoud, Nowh Saad, and Talal Gigma. "Enhancing Cybersecurity through Effective penetration testing and Vulnerability Scanning." International Science and Technology Journal 34, no. 1 (April 1, 2024): 1–16. http://dx.doi.org/10.62341/nakt1429.
Full textAbstract:
The number of computer network attacks today is increasing with the sophisticated attack tools and complicated methods hence, building secure systems is required. The demand for regular penetration testing and vulnerability scanning has become an urgent issue. This paper focuses on increase the security of the system resources being tested; Determine the weakness in the popular operating systems; Focus on methodologies and approaches to analyze the system for security that leads to protect the system against external threats. An experimental setup of a virtual penetration testing environment lab is created on a system using virtualization software. By using of the most powerful tools and techniques used today, a successful penetration testing and vulnerability scanning through three phases of processes are implemented. Eventually, the results of this process will help identify potential vulnerabilities in the operating systems and ways to patch them up. Keywords: Cybersecurity, penetration testing, vulnerability scanning tools.
16
Raja Sekhar, K., Pavanasurya M, Komal Bharti, and Dhanya G. "A systematic review of vulnerability analysis & penetration testing tools." International Journal of Engineering & Technology 7, no. 1.1 (December 21, 2017): 411. http://dx.doi.org/10.14419/ijet.v7i1.1.9944.
Full textAbstract:
In Computer Security, the term vulnerability refers as a flaw in the system which creates a hole, giving an attacker a chance of taking control over the system. Any Software, Web application or anything related to computer product is vulnerable to attack in different ways like code stealing, sniffing of packets, hijacking the network, making the system compromised etc. In order to avoid such attacks a constant check has to be done and the check has to be done through various Pen testing tools. Penetration tools are one which is used to perform security check on an application to find the presence of exploitable vulnerabilities. In this paper, we look over the penetration tools like CODEPULSE (the code stealer), ETTERCAP (the Sniffer and Hijacker) and made a systematic review of various websites which are vulnerable to SQL Injection and Cross-site Scripting.
17
Ashwini Bari, Anil Yadav, Sahil Suman, Ramit Ranjan. "Cyber Security Practices Ethical Hacking and its Significance in Modern." Tuijin Jishu/Journal of Propulsion Technology 43, no. 4 (November 26, 2022): 199–201. http://dx.doi.org/10.52783/tjjpt.v43.i4.2335.
Full textAbstract:
Someone who is an ethical hacker is a computer and network expert who breaks into security systems on behalf of their owners to find holes that a bad hacker could use. The internet's rapid rise has led to many good things, such as: shopping, e-mail, shared computers, and new Places for ads and information to be sent through What people in business and the government worry about most these days is ethical hacking, which is also called attack testing, penetration testing, or red teaming. Concerns about being "hacked" are raised by businesses, and possible customers are worried about keeping personal information safe.
18
Astrida, Deuis Nur, Agung Restu Saputra, and Akhmad Ikhza Assaufi. "Analysis and Evaluation of Wireless Network Security with the Penetration Testing Execution Standard (PTES)." Sinkron 7, no. 1 (January 13, 2022): 147–54. http://dx.doi.org/10.33395/sinkron.v7i1.11249.
Full textAbstract:
The use of computer networks in an agency aims to facilitate communication and data transfer between devices. The network that can be applied can be using wireless media or LAN cable. At SMP XYZ, most of the computers still use wireless networks. Based on the findings in the field, it was found that there was no user management problem. Therefore, an analysis and audit of the network security system is needed to ensure that the network security system at SMP XYZ is safe and running well. In conducting this analysis, a tool is needed which will be used as a benchmark to determine the security of the wireless network. The tools used are Penetration Testing Execution Standard (PTES) which is one of the tools to become a standard in analyzing or auditing network security systems in a company in this case, namely analyzing and auditing wireless network security systems. After conducting an analysis based on these tools, there are still many security holes in the XYZ wireless SMP that allow outsiders to illegally access and obtain vulnerabilities in terms of WPA2 cracking, DoS, wireless router password cracking, and access point isolation so that it can be said that network security at SMP XYZ is still not safe
19
Zhang, Haichun, Jie Wang, Yijie Wang, Minfeng Li, Jinghan Song, and Zhenglin Liu. "ICVTest: A Practical Black-Box Penetration Testing Framework for Evaluating Cybersecurity of Intelligent Connected Vehicles." Applied Sciences 14, no. 1 (December 25, 2023): 204. http://dx.doi.org/10.3390/app14010204.
Full textAbstract:
Intelligent connected vehicles (ICVs) are equipped with extensive electronic control units which offer convenience but also pose significant cybersecurity risks. Penetration testing, recommended in ISO/SAE 21434 “Road vehicles—Cybersecurity engineering”, is an effective approach to identify cybersecurity vulnerabilities in ICVs. However, there is limited research on vehicle penetration testing from a black-box perspective due to the complex architecture of ICVs. Additionally, no penetration testing framework has been proposed to guide security testers on conducting penetration testing for the whole vehicle. The lack of framework guidance results in the inexperienced security testers being uncertain about the processes to follow for conducting penetration testing. Moreover, the inexperienced security testers are unsure about which tests to perform in order to systematically evaluate the vehicle’s cybersecurity. To enhance the penetration testing efficiency of ICVs, this paper presents a black-box penetration testing framework, ICVTest. ICVTest proposes a standardized penetration testing process to facilitate step-by-step completion of the penetration testing, thereby addressing the issue of inexperienced testers lacking guidance on how to initiate work when confronted with ICV. Also, ICVTest includes 10 sets of test cases covering hardware and software security tests. Testers can select appropriate test cases based on the specific cybersecurity threats faced by the target object, thereby reducing the complexity of penetration testing tasks. Furthermore, we have developed a vehicle cybersecurity testing platform for ICVTest that seamlessly integrates various testing tools. The platform enables even novice testers to conduct vehicle black-box penetration testing in accordance with the given guidance which addresses the current industry’s challenge of an overwhelming number of testing tasks coupled with a shortage of skilled professionals. For the first time, we propose a comprehensive black-box penetration testing framework and implement the framework in the form of a cybersecurity testing platform. We apply ICVTest to evaluate an electric vehicle manufactured in 2021 for assessing the framework’s availability. With the aid of ICVTest, even testers with limited experience in automotive penetration can effectively evaluate the security risks of ICVs. In our experiments, numerous cybersecurity vulnerabilities were identified involving in-vehicle sensors, remote vehicle control systems, and in-vehicle controller area network (CAN) bus.
20
Gunawan, Teddy Surya, Muhammad Kassim Lim, Nurul Fariza Zulkurnain, and Mira Kartiwi. "On the Review and Setup of Security Audit using Kali Linux." Indonesian Journal of Electrical Engineering and Computer Science 11, no. 1 (July 1, 2018): 51. http://dx.doi.org/10.11591/ijeecs.v11.i1.pp51-59.
Full textAbstract:
The massive development of technology especially in computers, mobile devices, and networking has bring security issue forward as primarily concern. The computers and mobile devices connected to Internet are exposed to numerous threats and exploits. With the utilization of penetration testing, vulnerabilities of a system can be identified and simulated attack can be launched to determine how severe the vulnerabilities are. This paper reviewed some of the security concepts, including penetration testing, security analysis, and security audit. On the other hand, Kali Linux is the most popular penetration testing and security audit platform with advanced tools to detect any vulnerabilities uncovered in the target machine. For this purpose, Kali Linux setup and installation will be described in more details. Moreover, a method to install vulnerable server was also presented. Further research including simulated attacks to vulnerable server on both web and firewall system will be conducted.
21
Alanda, Alde, Deni Satria, M. Isthofa Ardhana, Andi Ahmad Dahlan, and Hanriyawan Adnan Mooduto. "Web Application Penetration Testing Using SQL Injection Attack." JOIV : International Journal on Informatics Visualization 5, no. 3 (September 27, 2021): 320. http://dx.doi.org/10.30630/joiv.5.3.470.
Full textAbstract:
A web application is a very important requirement in the information and digitalization era. With the increasing use of the internet and the growing number of web applications, every web application requires an adequate security level to store information safely and avoid cyber attacks. Web applications go through rapid development phases with short turnaround times, challenging to eliminate vulnerabilities. The vulnerability on the web application can be analyzed using the penetration testing method. This research uses penetration testing with the black-box method to test web application security based on the list of most attacks on the Open Web Application Security Project (OWASP), namely SQL Injection. SQL injection allows attackers to obtain unrestricted access to the databases and potentially collecting sensitive information from databases. This research randomly tested several websites such as government, schools, and other commercial websites with several techniques of SQL injection attack. Testing was carried out on ten websites randomly by looking for gaps to test security using the SQL injection attack. The results of testing conducted 80% of the websites tested have a weakness against SQL injection attacks. Based on this research, SQL injection is still the most prevalent threat for web applications. Further research can explain detailed information about SQL injection with specific techniques and how to prevent this attack.
22
Lu, He-Jun, and Yang Yu. "Research on WiFi Penetration Testing with Kali Linux." Complexity 2021 (February 27, 2021): 1–8. http://dx.doi.org/10.1155/2021/5570001.
Full textAbstract:
Aiming at the vulnerability of wireless network, this paper proposed a method of WiFi penetration testing based on Kali Linux which is divided into four stages: preparation, information collection, simulation attack, and reporting. By using the methods of monitoring, scanning, capturing, data analysis, password cracking, fake wireless access point spoofing, and other methods, the WiFi network penetration testing with Kali Linux is processed in the simulation environment. The experimental results show that the method of WiFi network penetration testing with Kali Linux has a good effect on improving the security evaluation of WiFi network.
23
Akhilesh, Rohit, Oliver Bills, Naveen Chilamkurti, and Mohammad Jabed Morshed Chowdhury. "Automated Penetration Testing Framework for Smart-Home-Based IoT Devices." Future Internet 14, no. 10 (September 27, 2022): 276. http://dx.doi.org/10.3390/fi14100276.
Full textAbstract:
Security testing is fundamental to identifying security vulnerabilities on smart home-based IoT devices. For this, penetration testing is the most prominent and effective solution. However, testing the IoT manually is cumbersome and time-consuming. In addition, penetration testing requires a deep knowledge of the possible attacks and the available hacking tools. Therefore, this study emphasises building an automated penetration testing framework to discover the most common vulnerabilities in smart home-based IoT devices. This research involves exploring (studying) different IoT devices to select five devices for testing. Then, the common vulnerabilities for the five selected smart home-based IoT devices are examined, and the corresponding penetration testing tools required for the detection of these vulnerabilities are identified. The top five vulnerabilities are identified from the most common vulnerabilities, and accordingly, the corresponding tools for these vulnerabilities are discovered. These tools are combined using a script which is then implemented into a framework written in Python 3.6. The selected IoT devices are tested individually for known vulnerabilities using the proposed framework. For each vulnerability discovered in the device, the Common Vulnerability Scoring System (CVSS) Base score is calculated and the summation of these scores is taken to calculate the total score (for each device). In our experiment, we found that the Tp-Link Smart Bulb and the Tp-Link Smart Camera had the highest score and were the most vulnerable and the Google Home Mini had the least score and was the most secure device of all the devices. Finally, we conclude that our framework does not require technical expertise and thus can be used by common people. This will help improve the field of IoT security and ensure the security of smart homes to build a safe and secure future.
24
Semenov, Serhii, Cao Weilin, Liqiang Zhang, and Serhii Bulba. "AUTOMATED PENETRATION TESTING METHOD USING DEEP MACHINE LEARNING TECHNOLOGY." Advanced Information Systems 5, no. 3 (October 18, 2021): 119–27. http://dx.doi.org/10.20998/2522-9052.2021.3.16.
Full textAbstract:
The article developed a method for automated penetration testing using deep machine learning technology. The main purpose of the development is to improve the security of computer systems. To achieve this goal, the analysis of existing penetration testing methods was carried out and their main disadvantages were identified. They are mainly related to the subjectivity of assessments in the case of manual testing. In cases of automated testing, most authors confirm the fact that there is no unified effective solution for the procedures used. This contradiction is resolved using intelligent methods of analysis. It is proposed that the developed method be based on deep reinforcement learning technology. To achieve the main goal, a study was carried out of the Shadov system's ability to collect factual data for designing attack trees, as well as the Mulval platform for generating attack trees. A method for forming a matrix of cyber intrusions using the Mulval tool has been developed. The Deep Q - Lerning Network method has been improved for analyzing the cyber intrusion matrix and finding the optimal attack trajectory. In the study, according to the deep reinforcement learning method, the reward scores assigned to each node, according to the CVSS rating, were used. This made it possible to shrink the attack trees and identify an attack with a greater likelihood of occurring. A comparative study of the automated penetration testing method was carried out. The practical possibility of using the developed method to improve the security of a computer system has been revealed.
25
Altulaihan, Esra Abdullatif, Abrar Alismail, and Mounir Frikha. "A Survey on Web Application Penetration Testing." Electronics 12, no. 5 (March 4, 2023): 1229. http://dx.doi.org/10.3390/electronics12051229.
Full textAbstract:
Websites are becoming increasingly effective communication tools. Nevertheless, web applications are vulnerable to attack and can give attackers access to sensitive information or unauthorized access to accounts. The number of vulnerabilities in web applications has increased dramatically over the past decade. Many are due to improper validation and sanitization of input. Identifying these vulnerabilities is essential for developing high-quality, secure web applications. Whenever a website is released to the public, it is required to have had penetration testing to a certain standard to ensure the security of the information. Application-level security vulnerability detection is possible for many commercial and open-source applications. However, developers are curious about which tools detect security vulnerabilities and how quickly they do so. The purpose of this study is to discuss penetration testing and how it can be implemented. This paper also explores the hazards and vulnerabilities associated with the web environment as well as the protective measures that can be taken. In addition, a comprehensive review and comparison of common web penetration testing tools is provided. The aim of this paper is to help web penetration testers choose a technology that is optimal for their requirements. The paper also sets out to guide and provide recommendations to users for choosing the best web penetration test tool and increasing their awareness of secure web environments. The study results indicate that not all web penetration testing tools offer the same features and that combining analysis tools can provide detailed information about web vulnerabilities.
26
Alhamed, Mariam, and M. M. Hafizur Rahman. "A Systematic Literature Review on Penetration Testing in Networks: Future Research Directions." Applied Sciences 13, no. 12 (June 9, 2023): 6986. http://dx.doi.org/10.3390/app13126986.
Full textAbstract:
Given the widespread use of the internet at the individual, governmental, and nongovernmental levels, and the opportunities it offers, such as online shopping, security concerns may arise. Cyber criminals are responsible for stopping organizations’ access to internet, for stealing valuable and confidential data, and causing other damage. Therefore, the network must be protected and meet security requirements. Network penetration testing is a type of security assessment used to find risk areas and vulnerabilities that threaten the security of a network. Thus, network penetration testing is designed to provide prevention and detection controls against attacks in the network. A tester looks for security issues in the network operation, design, or implementation of the particular company or organization. Thus, it is important to identify the vulnerabilities and identify the threats that may exploit them in order to find ways to reduce their dangers.The ports at risk are named and discussed in this study. Furthermore, we discuss the most common tools used for network penetration testing. Moreover, we look at potential attacks and typical remediation strategies that can be used to protect the vulnerable ports by reviewing the related publications. In conclusion, it is recommended that researchers in this field focus on automated network penetration testing. In the future, we will use machine learning in WLAN penetration testing, which provides new insight and high efficiency in performance. Moreover, we will train machine learning models to detect a wide range of vulnerabilities in order to find solutions to mitigate the risks in a short amount of time rather that through manual WLAN penetration testing, which consumes a lot of time. This will lead to improving security and reducing loss prevention.
27
Al-Khannak, Rafid, and Sajjan Singh Nehal. "Penetration Testing for the Cloud-Based Web Application." WSEAS TRANSACTIONS ON COMPUTERS 22 (August 29, 2023): 104–13. http://dx.doi.org/10.37394/23205.2023.22.13.
Full textAbstract:
This paper discusses methods, tools, approaches, and techniques used for the penetration testing on the cloud-based web application on Amazon AWS platform. The findings of a penetration test could be used to fix weaknesses and vulnerabilities, and significantly improve security. The testing is implemented by undertaking a malicious attack aiming to breach system networks and thereby confirm the presence of cloud infrastructure. The research focuses on cloud-based web applications' high-risk vulnerabilities such as unrestricted file upload, command injection, and cross-site scripting. The outcomes expose and approved some vulnerabilities, flaws, and mistakes in the utilised cloud based web application. It is concluded that some vulnerabilities haveto be considered before architecting the cloud system. Recommendations are proposing solutions to testing results.
28
Chamberlain, David, and Ellis Casey. "Capture the Flag with ChatGPT: Security Testing with AI ChatBots." International Conference on Cyber Warfare and Security 19, no. 1 (March 21, 2024): 43–54. http://dx.doi.org/10.34190/iccws.19.1.2171.
Full textAbstract:
Penetration testing, commonly referred to as pen testing, is a process of assessing the security of a computer system or network by simulating an attack from an external or internal threat actor. One type of pen testing exercise that has become popular among cybersecurity enthusiasts is called Capture the Flag (CTF). This involves solving a series of challenges that simulate real-world hacking scenarios, with the goal of capturing a flag that represents a piece of sensitive information. Recently, there has been a growing interest in the use of natural language processing (NLP) and machine learning (ML) technologies for penetration testing and CTF exercises. One such technology that has received significant attention is ChatGPT, a large language model (LLM) trained by OpenAI based on the GPT-3.5 architecture. The use of ChatGPT in CTFs has several potential benefits for participants and organisers, including more dynamic and realistic scenarios and enhanced learning experiences, and enhance the effectiveness and realism of CTFs.. Future research can explore more sophisticated models and evaluate the effectiveness of ChatGPT in improving the performance of participants in CTFs.
29
Tran, Khuong, Maxwell Standen, Junae Kim, David Bowman, Toby Richer, Ashlesha Akella, and Chin-Teng Lin. "Cascaded Reinforcement Learning Agents for Large Action Spaces in Autonomous Penetration Testing." Applied Sciences 12, no. 21 (November 7, 2022): 11265. http://dx.doi.org/10.3390/app122111265.
Full textAbstract:
Organised attacks on a computer system to test existing defences, i.e., penetration testing, have been used extensively to evaluate network security. However, penetration testing is a time-consuming process. Additionally, establishing a strategy that resembles a real cyber-attack typically requires in-depth knowledge of the cybersecurity domain. This paper presents a novel architecture, named deep cascaded reinforcement learning agents, or CRLA, that addresses large discrete action spaces in an autonomous penetration testing simulator, where the number of actions exponentially increases with the complexity of the designed cybersecurity network. Employing an algebraic action decomposition strategy, CRLA is shown to find the optimal attack policy in scenarios with large action spaces faster and more stably than a conventional deep Q-learning agent, which is commonly used as a method for applying artificial intelligence to autonomous penetration testing.
30
Abdulghaffar, Khaled, Nebrase Elmrabit, and Mehdi Yousefi. "Enhancing Web Application Security through Automated Penetration Testing with Multiple Vulnerability Scanners." Computers 12, no. 11 (November 15, 2023): 235. http://dx.doi.org/10.3390/computers12110235.
Full textAbstract:
Penetration testers have increasingly adopted multiple penetration testing scanners to ensure the robustness of web applications. However, a notable limitation of many scanning techniques is their susceptibility to producing false positives. This paper presents a novel framework designed to automate the operation of multiple Web Application Vulnerability Scanners (WAVS) within a single platform. The framework generates a combined vulnerabilities report using two algorithms: an automation algorithm and a novel combination algorithm that produces comprehensive lists of detected vulnerabilities. The framework leverages the capabilities of two web vulnerability scanners, Arachni and OWASP ZAP. The study begins with an extensive review of the existing scientific literature, focusing on open-source WAVS and exploring the OWASP 2021 guidelines. Following this, the framework development phase addresses the challenge of varying results obtained from different WAVS. This framework’s core objective is to combine the results of multiple WAVS into a consolidated vulnerability report, ultimately improving detection rates and overall security. The study demonstrates that the combined outcomes produced by the proposed framework exhibit greater accuracy compared to individual scanning results obtained from Arachni and OWASP ZAP. In summary, the study reveals that the Union List outperforms individual scanners, particularly regarding recall and F-measure. Consequently, adopting multiple vulnerability scanners is recommended as an effective strategy to bolster vulnerability detection in web applications.
31
Anuththara, G. H. N., S. S. U. Senadheera, S. M. T. V. Samarasekara, K. M. G. T. Herath, M. V. N. Godapitiya, and Dr D. I. De Silva. "A Study of The Effectiveness of Code Review in Detecting Security Vulnerabilities." International Journal of Recent Technology and Engineering (IJRTE) 12, no. 2 (July 30, 2023): 11–19. http://dx.doi.org/10.35940/ijrte.b7671.0712223.
Full textAbstract:
Software flaws pose a severe danger to the security and privacy of computer systems and the people who use them [1]. For software systems to be reliable and available, vulnerabilities must be found and fixed before they may be used against the system [2]. Two popular methods for finding weaknesses in software systems are code review and penetration testing [3]. Which method is better for identifying vulnerabilities, nevertheless, is not widely agreed upon [4]. The usefulness of code reviews and penetration tests in locating vulnerabilities is reviewed in detail in this study. We evaluate much empirical research [5] and contrast the benefits and drawbacks of each method. According to our research, both code reviews and penetration tests are useful for uncovering vulnerabilities [6], despite the fact that their effectiveness varies based on the kind of vulnerability, the complexity of the code, and the testers' or reviewers' experience [7][8]. Additionally, we discovered that doing both penetration testing and code review together may be more efficient than using each approach alone [9]. These results may help software engineers, security experts, and researchers choose and use the right approach for locating weaknesses in software systems.
32
Quroturohman, Denis. "PENETRATION TESTING DALAM FORENSIK DIGITAL PADA JARINGAN FAKULTAS TEKNIK UNIVERSITAS IBN KHALDUN BOGOR DENGAN PING OF DEATH." Jurnal Inovatif : Inovasi Teknologi Informasi dan Informatika 4, no. 2 (November 3, 2021): 81. http://dx.doi.org/10.32832/inova-tif.v4i2.5812.
Full textAbstract:
<p><em>Network forensics is a computer security investigation to find sources of the attack s on the network by examining data log evidence, identifying, analyzing, and reconstructing the incidents. Types of attack s againist a computer or server on the network by spending resources that are owned by the computer until computer is not able to function properly, thus indirectly preventing other users to obtain access to network services that were attack ed is Distributed Denial of Service attack (DDoS). Network Forensics Research conducted in Research Laboratory of Information Engineering Master of Ahmad Dahlan University Yogyak arta. Detection of attacks carried out by Winbox RouterOS v3,6 where the software shows resources, attack er (IP Address), data pack ets, and when attack doing. Simulated attack s carried out by LOIC software to determine performance of safety system in computer network . To anticipate DDoS attack s,then developed a computer network security system.</em></p>
33
Nedyalkov, Ivan. "Study the Level of Network Security and Penetration Tests on Power Electronic Device." Computers 13, no. 3 (March 19, 2024): 81. http://dx.doi.org/10.3390/computers13030081.
Full textAbstract:
This work demonstrates the feasibility of using Kali Linux in the process of power electronic device research. The novelty in this work is the use of Kali Linux in the process of power electronic device research. This operating system is mainly used for the penetration testing of various communication devices but not for power electronic device research. The aim of this work is to study the level of network security (the type of security vulnerabilities that a power electronic device has) and whether the data exchange between the power electronic device and the monitoring and control center is secure. Additionally, penetration testing has been carried out. Kali Linux was used to implement these tasks. Penetration testing was performed to verify how the studied power electronic device reacted to various TCP DoS attacks—could it be accessed, was it blocked, etc. Kali Linux and some of the tools built into the operating system—Nmap, hping3, Wireshark, Burp Suite Community Edition—were used for this study. During the penetration tests, a characterization of the traffic being processed/generated by the studied power electronic device was carried out to evaluate and analyze what impact each TCP DoS attack had on the device’s performance. In order to conduct the study, an experimental setup was designed. This experimental network was not connected to other networks, so the cyber attacks were controlled and confined within the experimental network. The research carried out validated the use of Kali Linux for the study of power electronic devices. From the obtained results, it is found that the studied power electronic device provides a certain level of network security, but the data exchange is insecure.
34
Fitriana, Dina Nurika Fitriana, Putri Elfa Mas’udia, and Mila Kusumawardani. "NIST SP 800-115 Framework Implementation using Black Box Method on Security Gaps Testing on JTD Polinema’s Official Website." jartel 13, no. 4 (December 22, 2023): 328–35. http://dx.doi.org/10.33795/jartel.v13i4.557.
Full textAbstract:
The internet is one example of a computer network that can make it easier to obtain information. According to BSSN's December 2021 report, there were 3,483,706 web application attacks. According to the BSSN monthly report, there were 3,483,706 web application attacks at the end of December 2021. The JTD Study Program's official website (psjtd.polinema.ac.id) faced recurrent hacking incidents, exposing it to DDOS assaults and defacing. As a result, security testing must be carried out in accordance with particular standards, such as the National Institute of Standards and Technology (NIST) SP 800-115 framework. Penetration testing was performed in this investigation using the Black Box testing method approach and hardening. The results of testing and analyzing security gaps on the website reveal 10 open ports and 11 various types of security holes with varying levels of vulnerability categorized as 1 high, 3 medium, 5 low, and 2 informational. During penetration testing, one ping packet was sent that could not cause any problems, and then one of the Syn Flooding attacks was carried out, which resulted in the number of shipments reaching 10,000 packets per second.
35
Schiller, Thomas, Bruce Caulkins, Annie S. Wu, and Sean Mondesire. "Security Awareness in Smart Homes and Internet of Things Networks through Swarm-Based Cybersecurity Penetration Testing." Information 14, no. 10 (September 30, 2023): 536. http://dx.doi.org/10.3390/info14100536.
Full textAbstract:
Internet of Things (IoT) devices are common in today’s computer networks. These devices can be computationally powerful, yet prone to cybersecurity exploitation. To remedy these growing security weaknesses, this work proposes a new artificial intelligence method that makes these IoT networks safer through the use of autonomous, swarm-based cybersecurity penetration testing. In this work, the introduced Particle Swarm Optimization (PSO) penetration testing technique is compared against traditional linear and queue-based approaches to find vulnerabilities in smart homes and IoT networks. To evaluate the effectiveness of the PSO approach, a network simulator is used to simulate smart home networks of two scales: a small, home network and a large, commercial-sized network. These experiments demonstrate that the swarm-based algorithms detect vulnerabilities significantly faster than the linear algorithms. The presented findings support the case that autonomous and swarm-based penetration testing in a network could be used to render more secure IoT networks in the future. This approach can affect private households with smart home networks, settings within the Industrial Internet of Things (IIoT), and military environments.
36
Yi, Junkai, and Xiaoyan Liu. "Deep Reinforcement Learning for Intelligent Penetration Testing Path Design." Applied Sciences 13, no. 16 (August 21, 2023): 9467. http://dx.doi.org/10.3390/app13169467.
Full textAbstract:
Penetration testing is an important method to evaluate the security degree of a network system. The importance of penetration testing attack path planning lies in its ability to simulate attacker behavior, identify vulnerabilities, reduce potential losses, and continuously improve security strategies. By systematically simulating various attack scenarios, it enables proactive risk assessment and the development of robust security measures. To address the problems of inaccurate path prediction and difficult convergence in the training process of attack path planning, an algorithm which combines attack graph tools (i.e., MulVAL, multi-stage vulnerability analysis language) and the double deep Q network is proposed. This algorithm first constructs an attack tree, searches paths in the attack graph, and then builds a transfer matrix based on depth-first search to obtain all reachable paths in the target system. Finally, the optimal path for target system attack path planning is obtained by using the deep double Q network (DDQN) algorithm. The MulVAL double deep Q network(MDDQN) algorithm is tested in different scale penetration testing environments. The experimental results show that, compared with the traditional deep Q network (DQN) algorithm, the MDDQN algorithm is able to reach convergence faster and more stably and improve the efficiency of attack path planning.
37
Andria, Andria, and Ridho Pamungkas. "Penetration Testing Database Menggunakan Metode SQL Injection Via SQLMap di Termux." Indonesian Journal of Applied Informatics 5, no. 1 (April 18, 2021): 1. http://dx.doi.org/10.20961/ijai.v5i1.40845.
Full textAbstract:
<p class="infAbstract"><em>Abstrak : </em></p><p class="infAbstract">Penetration testing (Pentesting) merupakan sebuah metode evaluasi terhadap keamanan pada suatu sistem dan jaringan komputer dengan melakukan suatu pengujian, salah satu metode pengujian yang dapat digunakan adalah SQL Injection. SQL Injection merupakan suatu teknik hacking dengan fokus pengujian pada database sebagai media penyimpanan data pada sistem. Tool yang digunakan pada penelitian ini ialah SQLMap yang merupakan tool open source yang dapat menganalisa, mendeteksi dan melakukan exploit (sebuah kode yang dapat menyerang keamanan sistem komputer secara spesifik) pada bug SQL Injection. Pengujian dilakukan menggunakan perangkat Smartphone bersistem operasi Android dengan program aplikasi Termux sebagai emulator terminal berbasis linux. Tujuan dari penelitian ini untuk pengujian keamanan database web server dan membantu pengelola atau admin situs web untuk dapat memeriksa adanya celah kerentanan database yang dapat dieskploitasi oleh peretas.</p><p class="infAbstract">____________________________</p><p class="infAbstract">Abstract :</p><p><em>Penetration testing</em><em> (Pentest</em><em>ing</em><em>) is a method of evaluating the security of a computer system and network by conducting a test, one of the testing methods that can be used is SQL Injection . SQL Injection is a hacking technique that focuses on testing the database as a data storage medium on the system. The tool used in this study is SQLMap which is an open source tool that can analyze, detect and exploit (a code that can specifically attack computer system security) on the SQL Injection bug. Testing was carried out using a Smartphone device with the Android operating system with the Termux application program as a linux-based terminal emulator. The purpose of this research is to test the security of the web server database and help the website manager or admin to be able to check for any database vulnerabilities that can be exploited by hackers.</em></p><p class="infAbstract"><em><br /></em></p>
38
Dyce, Keir, and Mary Barrett. "Taking Care of (E)-Business?: Australian IT Professionals’ Views of Wireless Network Vulnerability Assessments." Journal of Theoretical and Applied Electronic Commerce Research 1, no. 2 (August 1, 2006): 79–89. http://dx.doi.org/10.3390/jtaer1020015.
Full textAbstract:
M-commerce, a growing sub-category of E-business, allows business to be done ‘anywhere, anytime’. However security of wireless devices remains problematic. It is unclear whether protocols to alleviate security problems, such as wireless vulnerability assessments (WNVAs), are being used or are effective. The paper reports on a survey-based study of Australian computer security professionals’ use of and opinions about two types of WNVA: wireless monitoring and penetration testing. An initially surprising finding was how little both types are used, despite the ease with which wireless networks can be attacked and the fact that penetration testing is fairly well understood. In the light of organizational culture the survey findings become more explicable. Senior management, and even IT staff, may still hold a traditional, ‘wired network’ view of their organization. Aspects of organizational culture also appear to limit the way WNVA users go about the assessment process. A cultural shift could help change users’ perceptions about the risks and rewards of WNVAs. This could threaten IT staff’s professional identity, however, and needs further research.
39
Hamza, Sahriar, Nur Humaira Abri, and Abdul Haris Muhammad. "Analisis Keamanan Jaringan Wireless Lan Menggunakan Tiga Metode Penetration Testing, Wardriving Attack, And Square Studi Kasus : PT. Telekomunikasi Cabang Ternate." Jurnal Teknik Informatika (J-Tifa) 6, no. 1 (March 30, 2023): 7–11. http://dx.doi.org/10.52046/j-tifa.v6i2.1599.
Full textAbstract:
Sistem computer security merupakan sebuah system informasi penting dalam menjaga kesesuaian dan terintegrasinya data dan ketersediaan pelayanan untuk penggunanya. Untuk menjaga security data, sistem perlu penjagaan dari bermacam-macam penyusupan terutama pada komputer yang terhubung dengan jaringan. Dengan pengendalian security network yang baik maka, celah keamanan terlindungi dengan baik. tujuan penelitian ini adalah menganalisis jaringan dan keamannya dengan tiga model yang terkait resiko penggunaan ilegal keamanan networking pad telkom pada networking nirkabelnya. penggunaan Penetration Testing, Wardriving Attack and Square sebagai sebuah model Security dalam mengelola infrastruktur Networking supaya selfty dari penggunaan yang beresiko tinggi. Hasil dari ke tiga metode ini dapat dihindari dan mengecilkan akses ilegal.
40
Shahid, Jahanzeb, Muhammad Khurram Hameed, Ibrahim Tariq Javed, Kashif Naseer Qureshi, Moazam Ali, and Noel Crespi. "A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions." Applied Sciences 12, no. 8 (April 18, 2022): 4077. http://dx.doi.org/10.3390/app12084077.
Full textAbstract:
The growing use of the internet has resulted in an exponential rise in the use of web applications. Businesses, industries, financial and educational institutions, and the general populace depend on web applications. This mammoth rise in their usage has also resulted in many security issues that make these web applications vulnerable, thereby affecting the confidentiality, integrity, and availability of associated information systems. It has, therefore, become necessary to find vulnerabilities in these information system resources to guarantee information security. A publicly available web application vulnerability scanner is a computer program that assesses web application security by employing automated penetration testing techniques that reduce the time, cost, and resources required for web application penetration testing and eliminates test engineers’ dependency on human knowledge. However, these security scanners possess various weaknesses of not scanning complete web applications and generating wrong test results. Moreover, intensive research has been carried out to quantitatively enumerate web application security scanners’ results to inspect their effectiveness and limitations. However, the findings show no well-defined method or criteria available for assessing their results. In this research, we have evaluated the performance of web application vulnerability scanners by testing intentionally defined vulnerable applications and the level of their respective precision and accuracy. This was achieved by classifying the analyzed tools using the most common parameters. The evaluation is based on an extracted list of vulnerabilities from OWASP (Open Web Application Security Project).
41
Zhao, Letao. "Navigating the Cyber Kill Chain: A modern approach to pentesting." Applied and Computational Engineering 38, no. 1 (January 22, 2024): 170–75. http://dx.doi.org/10.54254/2755-2721/38/20230549.
Full textAbstract:
The Cyber Kill Chain is a strategic model that outlines the stages of a cyberattack, from initial reconnaissance to achieving the final objective. This framework is often mirrored in penetration testing (pentest), a legal and authorized simulated attack on a computer system performed to evaluate its security. By understanding the steps in the Cyber Kill Chain, penetration testers can mimic the strategies of malicious attackers, exploring vulnerabilities at each stage of the chain. This approach allows organizations to evaluate their defensive measures across the full spectrum of an attack, identifying weaknesses and enhancing their security protocols accordingly. In essence, the Cyber Kill Chain provides a roadmap for pen-testers to systematically evaluate an organization's cyber defences. The research method of this article involves a systematic analysis of the Cyber Kill Chain model, examining how penetration testers can employ this strategic framework to emulate the tactics of malicious attackers and identify methodology at each stage of the chain.
42
Jovanović, Siniša, Danijela Protić, Vladimir Antić, Milena Grdović, and Dejan Bajić. "Security of wireless keyboards: Threats, vulnerabilities and countermeasures." Vojnotehnicki glasnik 71, no. 2 (2023): 296–315. http://dx.doi.org/10.5937/vojtehg71-43239.
Full textAbstract:
Introduction/purpose: This paper provides an overview of research on computer system vulnerabilities caused by compromised electromagnetic radiation by wireless keyboards. Wireless devices that use event-triggered communication have been shown to have critical privacy issues due to the inherent leakage associated with radio frequency emissions. Wireless connectivity technology is a source of signal emanation that must be protected in terms of performance and security. Methods: Wireless device vulnerabilities and side-channel attacks are observed, along with electromagnetic emission of radio waves. Results: The findings highlight a specific wireless keyboard's security and encryption flaws. The results of penetration testing reveal vulnerabilities of targeted wireless keyboards in terms of outdated firmware, encryption, wireless reliability, and connection strength. Conclusion: Wireless keyboards have security flaws that disrupt radio communication, giving a malicious user complete access to the computer to which the keyboard is connected. An attacker can steal sensitive data by observing how the system works using compromised electromagnetic emissions.
43
Riadi, Imam, and Eddy Irawan Aristianto. "An Analysis of Vulnerability Web Against Attack Unrestricted Image File Upload." Computer Engineering and Applications Journal 5, no. 1 (January 31, 2016): 19–28. http://dx.doi.org/10.18495/comengapp.v5i1.161.
Full textAbstract:
The development of computer security technology is very rapidly. Web security is one of the areas that require particular attention related to the abundance of digital crimes conducted over the web. Unrestricted file upload image is a condition in the process of uploading pictures is not restricted. This can be used to make the attacker retrieve the information that is contained in a system. This research developed with several stages, such as, data collection, analysis of the current conditions, designing improvements to the program code, testing and implementation of the results of patch. Security testing is performed to find out the difference between before and after conditions applied patch unrestricted image file upload. Based on the results of testing done by the method of penetration testing results obtained before the application of patch unrestricted image file upload results respondents said 15% strongly disagree, 85% did not agree. Testing after applying patch unrestricted image file upload results respondents said 7.5% strongly agree, 92.5% agree, so it can be concluded that the development of the patch that has been done has been running smoothly as expected.
44
Korniyenko, Bogdan, and Liliya Galata. "MODELING OF INFORMATION SECURITY SYSTEM IN COMPUTER NETWORK." Information systems and technologies security, no. 1 (1) (2019): 36–41. http://dx.doi.org/10.17721/ists.2019.1.36-41.
Full textAbstract:
This article presents simulation modeling process as the way to study the behavior of the Information Security system. Graphical Network Simulator is used for modeling such system and Kali Linux is used for penetration testing and security audit. To implement the project GNS3 package is selected. GNS3 is a graphical network emulator that allows you to simulate a virtual network of more than 20 different manufacturers on a local computer, connect a virtual network to a real one, add a full computer to the network, Third-party Applications for network packet analysis are supported. Depending on the hardware platform on which GNS3 will be used, it is possible to build complex projects consisting of routers Cisco, Cisco ASA, Juniper, as well as servers running network operating systems. Using modeling in the design of computing systems, you can: estimate the bandwidth of the network and its components; identify vulnerability in the structure of computing system; compare different organizations of a computing system; make a perspective development forecast for computer system; predict future requirements for network bandwidth; estimate the performance and the required number of servers in the network; compare various options for computing system upgrading; estimate the impact of software upgrades, workstations or servers power, network protocols changes on the computing system. Research computing system parameters with different characteristics of the individual components allows us to select the network and computing equipment, taking into account its performance, quality of service, reliability and cost. As the cost of a single port in active network equipment can vary depends on the manufacturer's equipment, technology used, reliability, manageability. The modeling can minimize the cost of equipment for the computing system. The modeling becomes effective when the number of workstations is 50-100, and when it more than 300, the total savings could reach 30-40% of project cost
45
Zhang, Yue, Jingju Liu, Shicheng Zhou, Dongdong Hou, Xiaofeng Zhong, and Canju Lu. "Improved Deep Recurrent Q-Network of POMDPs for Automated Penetration Testing." Applied Sciences 12, no. 20 (October 14, 2022): 10339. http://dx.doi.org/10.3390/app122010339.
Full textAbstract:
With the development of technology, people’s daily lives are closely related to networks. The importance of cybersecurity protection draws global attention. Automated penetration testing is the novel method to protect the security of networks, which enhances efficiency and reduces costs compared with traditional manual penetration testing. Previous studies have provided many ways to obtain a better policy for penetration testing paths, but many studies are based on ideal penetration testing scenarios. In order to find potential vulnerabilities from the perspective of hackers in the real world, this paper models the process of black-box penetration testing as a Partially Observed Markov Decision Process (POMDP). In addition, we propose a new algorithm named ND3RQN, which is applied to the automated black-box penetration testing. In the POMDP model, an agent interacts with a network environment to choose a better policy without insider information about the target network, except for the start points. To handle this problem, we utilize a Long Short-Term Memory (LSTM) structure empowering agent to make decisions based on historical memory. In addition, this paper enhances the current algorithm using the structure of the neural network, the calculation method of the Q-value, and adding noise parameters to the neural network to advance the generalization and efficiency of this algorithm. In the last section, we conduct comparison experiments of the ND3RQN algorithm and other recent state-of-the-art (SOTA) algorithms. The experimental results vividly show that this novel algorithm is able to find a greater attack-path strategy for all vulnerable hosts in the automated black-box penetration testing. Additionally, the generalization and robustness of this algorithm are far superior to other SOTA algorithms in different size simulation scenarios based on the CyberBattleSim simulation developed by Microsoft.
46
Haeruddin, Haeruddin. "Analisa dan Implementasi Sistem Keamanan Router Mikrotik dari Serangan Winbox Exploitation, Brute-Force, DoS." JURNAL MEDIA INFORMATIKA BUDIDARMA 5, no. 3 (July 31, 2021): 848. http://dx.doi.org/10.30865/mib.v5i3.2979.
Full textAbstract:
The advancement of technology development makes it easier to find and share any information using computer networks. Computer networks have been widely applied in homes and offices. The ease of exchanging data on the network makes the availability of computer networks and information security are vulnerable to attacks by threats. On a computer network, the device which has the vulnerability is a router. A router is the outermost device that connects the Local Area Network (LAN) to the internet so that it can be easily attacked by irresponsible parties. The Mikrotik router is a product that is widely used as a gateway router that connects LANs and the Internet. There are so many tools that can be used to carry out attacks on Mikrotik routers such as Hping3 (DoS), Hydra (Brute-Force), and Exploitation Script (Winbox Exploitation). To find out the security loop in Mikrotik routers, this study uses penetration testing methods and attack techniques such as Winbox Exploit, Brute-force, and DoS. After knowing the security gap, the next step is to provide and implementation recommendations so that similar attacks do not occur any more in the future.
47
Albahar, Marwan, Dhoha Alansari, and Anca Jurcut. "An Empirical Comparison of Pen-Testing Tools for Detecting Web App Vulnerabilities." Electronics 11, no. 19 (September 21, 2022): 2991. http://dx.doi.org/10.3390/electronics11192991.
Full textAbstract:
Today, one of the most popular ways organizations use to provide their services, or broadly speaking, interact with their customers, is through web applications. Those applications should be protected and meet all security requirements. Penetration testers need to make sure that the attacker cannot find any weaknesses to destroy, exploit, or disclose information on the Web. Therefore, using automated vulnerability assessment tools is the best and easiest part of web application pen-testing, but these tools have strengths and weaknesses. Thus, using the wrong tool may lead to undetected, expected, or known vulnerabilities that may open doors for cyberattacks. This research proposes an empirical comparison of pen-testing tools for detecting web app vulnerabilities using approved standards and methods to facilitate the selection of appropriate tools according to the needs of penetration testers. In addition, we have proposed an enhanced benchmarking framework that combines the latest research into benchmarking and evaluation criteria in addition to new criteria to cover more ground with benchmarking metrics as an enhancement for web penetration testers and penetration testers in real life. In addition, we measure the tool’s abilities using a score-based comparative analysis. Moreover, we conducted simulation tests of both commercial and non-commercial pen-testing tools. The results showed that Burp Suite Professional scored the highest out of the commercial tools, while OWASP ZAP scored the highest out of the non-commercial tools.
48
Xu, Xiao Bin. "Research on the Actual Combat-Oriented Mode of Network Security Supervision Based on Networked Resources." Advanced Materials Research 791-793 (September 2013): 1710–15. http://dx.doi.org/10.4028/www.scientific.net/amr.791-793.1710.
Full textAbstract:
With the rapid growth of Internet penetration, it is the disclosure problems of network information that frequently appears .At the same time, the problem of Internet safety has been attached great importance to by the countries. Thus, it is of great significance to build an Internet safety supervision mechanism. Based on white box testing technology and black box testing technology theory of network security detection, this paper proposes a WEB interface detection algorithm based on Internet resources and sets up a safety assessment model for computer security and supervision mechanism. In addition, this paper also designs the algorithm experiment by taking the data detection which considers WEB as the connector for example. Through the algorithm experiment, the following conclusions are obtained: Network interface has a higher recognition rate for E-BPM-BM algorithm which has different types and different characteristics. Among them, registered network interface owns the highest recognition rate which is up to 98.46%. When the network test node matrixa0 is 9, its matching rate reaches the maximum, namely 0.97 9.
49
Wang, Xinli, and Yan Bai. "Introducing Penetration Test with Case Study and Course Project in Cybersecurity Education." Journal of The Colloquium for Information Systems Security Education 9, no. 1 (March 8, 2022): 6. http://dx.doi.org/10.53735/cisse.v9i1.148.
Full textAbstract:
Teaching college students ethical hacking skills is considered a necessary component of a computer security curriculum and an effective method for teaching defensive techniques. However, there is a shortage of textbooks and technical papers that describe the teaching materials and implementation of penetration testing techniques for hands-on exercises. In our teaching practice, we have been using case studies and course projects as a means to help students learn the fundamental concepts of, primary techniques and commonly used tools for penetration testing. We think this is a beneficiary complement of a cybersecurity course that is taught in a defensive approach. Through these activities, students have gained hands-on experience and developed their ethical hacking skills. Feedback from them is positive and student learning outcomes are promising. In this paper, we describe the principles of developing and implementing case studies and course projects along with associated considerations for specified educational objectives when introducing penetration test. An example case study and course project that we have been using in our courses are described to introduce the major design ideas and activities to complete them. Experience, lessons and the feedback from students are discussed. Our results will provide a good point of reference for those educators who teach a cybersecurity course at a college or university and would like to offer an introduction to ethical hacking. This work can also be a reference for a college that wants to integrate
50
Liao, Yan. "Enhancing Industrial Control Network Security Through Vulnerability Detection and Attack Graph Analysis." Scalable Computing: Practice and Experience 25, no. 1 (January 4, 2024): 65–74. http://dx.doi.org/10.12694/scpe.v25i1.2254.
Full textAbstract:
Insufficient communication attack defense capabilities within industrial control networks is a serious problem that is addressed in this study. The author proposes a methodology that focuses on creating attack graphs to ease security and vulnerability studies in industrial control network systems in order to address this issue. The article provides thorough construction guidance and techniques for attack graphs, which are used for penetration testing and vulnerability analysis of networks for industrial control systems. On the created attack graph, experimental evaluations utilizing the ``earthquake net'' virus were carried out. The findings point to four main attack routes where the ``Zhenwang'' virus is most likely going to attack and cause the most damage. With a loss value of 12.2 and an attack success chance of 0.096, the first path involves cumulative attack stages. The second path consists of cumulative attack steps, with a loss value of 10.2 and an attack success probability of 0.072. The third path encompasses cumulative attack steps, with a loss value of 16.6 and an attack success probability of 0.063. The fourth path comprises cumulative attack steps, with a loss value of 18.6 and an attack success probability of 0.084.