International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 05 Issue: 12 | Dec 2018 www.irjet.net p-ISSN: 2395-0072
© 2018, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 193
RESEARCH PAPER
A study on Penetration Testing Using Metasploit Framework
Pawan Kesharwani¹, Sudhanshu Shekhar Pandey², Vishal Dixit³, Lokendra Kumar Tiwari⁴
¹,²,³,⁴ Center for Computer Sciences, Ewing Christian College, Prayagraj
---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract - The purpose of a penetration test is to verify that networks and systems are not vulnerable to a security
risk that could allow unauthorized access to resources. This paper reviews the steps involved in preparing for and
performing a penetration test. The intended audience for this paper is project directors or managers who might be considering
having a penetration test performed. The process of performing a penetration test is complex. Each company must determine
whether the process is appropriate for them.
Key Words: Security Testing, Vulnerability Assessment, Penetration Testing, Web Application Penetration Testing.
1. INTRODUCTION
Over the last few years, companies have been adding functionality to existing applications and implementing new
applications in an effort to provide more convenience or better service for customers and/or employees. Examples of this
functionality include World Wide Web access for bank customers or telecommuting options for employees who
work at home. Companies have also determined that a presence on the World Wide Web is a way to increase
brand awareness and establish top-of-mind awareness of their product or service among potential customers. Security is a
significant concern for World Wide Web servers. World Wide Web servers have added a new set of vulnerabilities that
companies should consider. However, vulnerabilities are not limited to World Wide Web servers. Vulnerabilities exist and can
be unintentionally introduced in systems or resources that have been in operation for an extended period.
1.1 What Is Penetration Testing?
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web
application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software
applications or performed manually. Either way, the process involves gathering information about the target before the test,
identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
1.2 Why Perform a Penetration Test?
If a vulnerability is exploited by an unauthorized individual to access company resources, those resources can be
compromised. The objective of a penetration test is to address vulnerabilities before they can be exploited.
2. PHASES IN PENETRATION TESTING:
1) INFORMATION GATHERING: In this phase we gather all information related to the server, such as the correct
domain of the web server, how many sub-domains are connected to this domain, and whether a firewall is set up for the
web server. In our information gathering phase, we found that the web server's IP address is 192.168.43.236. To detect a
firewall we use the tool WAFW00F (Web Application Firewall Detection Tool).
2) SCANNING: In the scanning phase, we identify what types of services are running on the web server and the
version of each service. We also identify the port on which each service is running and the operating system on which
the services are running. For this we mainly use the NMAP (Network Mapper) tool and
METASPLOIT's AUXILIARY/SCANNER facility.
3) DISCOVER VULNERABILITY: To find vulnerabilities in a web server or any system, a pentester mainly uses Nikto, Nessus
or Metasploit's Auxiliary/scanner facility. In my work I mainly use the auxiliary scanner facility.
4) EXPLOITATION: After finding a vulnerability, the pentester's main goal is to breach all types of security and gain remote
access to the server. For this we use METASPLOIT.
5) REPORT GENERATION: In this phase we generate a full report of our penetration testing process.