Designing and Developing Metasploit for the Cyber Security

Introduction

When the internet came for the first time, the world was experiencing much security (Rahman and Asyhari 2019, p. 3). Provided an individual could think about that as the fact that only a few people could access the internet, meaning there were just some small number of attackers who can be dealt with effectively (Bradshaw et al., 2015, p. 13). Back then, security was not a big concern; however, as years kept moving forward, people have got real big and fast, and ever since, the world has been trying to catch up with the new technologies coming up every year by designing new methods that can be used to detect and stop malicious activities launched against the systems (Rahman and Asyhari 2019, p. 10).

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

According to Rahman and Asyhari (2019, p. 6), businesses need to continuously update their security measures and home professionals, particularly when dealing with the servers. Security has become extremely important in the everyday lives of the human race. When people show their concern o security matters, the message they are trying to put across is that they want a sense of security and nothing else. Essentially, it makes real sense when it can be thought of since a feeling of security does not necessarily mean the same as the essence of being secure (Bradshaw et al., 2015, p. 17).

This report will be based on penetration testing through Metaspoilt to ensure TechTex computer systems' security, with a Kali installed system being a vulnerable system chosen for this demonstration. The main aim of this paper is to demonstrate the different tools necessary for detecting system vulnerabilities. Using Metaspoilt for testing the system, it would be easy for the TechTex Company to detect system vulnerabilities that required fixing for better protection of the system.

Penetration Testing

Penetration testing captures many things, which may include hardware systems, software, networks, and Wi-Fi. Many systems exhibit vulnerabilities when they are launched, and such vulnerabilities can be best described as zero-day-exploits (McDermott, 2001, p. 15). Notably, organizations normally know zero-day-exploits, though they do not just consider fixing them or may lack the knowledge about them. There are countless issues associated with system hardware and software interactions that can continuously remain unnoticed for a long period before they are detected. In contrast, some remain unnoticed, provided they do not present themselves (Arkin et al., 2005, p. 84). Having said this, penetration testing can then be described as a means through which a business, organization, or a company can use to detect and access the vulnerabilities within a given system at a given point in time (McDermott, 2001, p. 16). With the change in systems, such as installing new software or adding some new hardware component, there is a high likelihood that more vulnerabilities may present themselves (McDermott, 2001, p. 15).

The best way through which vulnerabilities can be stopped is either by hiring somebody on a full-time basis to continuously perform penetration testing or if financials are in a tight situation, then an organization can hire somebody periodically to perform the penetration testing on its systems (Arkin et al., 2005, p. 86). Even though professionals' penetration testing may not be able to discover all vulnerabilities in the system, it is very important to ensure that every effort necessary is provided against the adversaries who might maliciously test the system. There are countless reasons why penetration testing is necessary. Some of these reasons include; information protection and, most importantly, system security issues (McDermott, 2001, p. 16). If an individual is to perform penetration testing on a system that he/she does not own, the individual needs to ensure that he/she gets approval to hack and non-disclosed the signed agreement (Arkin et al., 2005, p. 85).

When it comes to computer systems protection, this paper considers Metaspoilt as the best at doing penetration testing. Metaspoilt is perhaps one of the many penetration testing tools so far available in the world. By using it in this course, TechTex Company will surely be in a position to quickly detect any vulnerability that may be available in its computer systems by exploiting the system either automatically through a secure web-based GUI type or manually through command line style (Ramirez-Silva and Dacier, 2007, p. 198). There exist different types of tools for penetration testing that are available for exploration. Essentially, there are Wireshark, Metaspoilt, Kali Linux, Nessus, John the Ripper, w3af, BeEf, Nmap, and Dradis. The Kali installed system, which has been chosen to be TechTex’s vulnerable system in this design, is essentially an operating system (O.S.) that is filled with different open source programs specifically developed with a consideration of the hacker world's level of sophistication (Marquez 2010, p. 4). The Kali installed system is not an O.S. to be underestimated since in an instance that it is illegally used, then the perpetrator may find him/herself on the wrong side of the law and may result in a jail term.

The focus of this design is on the two fundamental penetration testing types; covert and overt. For an overt penetration testing type, Chen (2018, p. 218) points out that overt is when an individual has a complete corporation of system owners whose system he/she is testing. For covert testing type, the authors point out that when an individual tests the staff's capability to figure out the exploitations being performed in the company’s system. Some of the things that are worth consideration when starting a company such as TechTex is majorly its financial aspects (Ramirez-Silva and Dacier, 2007, p. 201). Many business organizations out there have been crippled because they lack any necessary preparation or testing. Perhaps, this might be the potential result for those who do not want to create a product for their use and try to get it elsewhere before it is even ready. If this is the case, some companies may consider in their wisdom to give the project additional few weeks or even months to ensure that the bugs are all removed. Since TechTex company is becoming bigger and bigger over the years, it owes it to itself to design and develops a testing system to test its systems continuously.

The Kali installed the system

The Kali installed system is the metasploitable system that is being used in this design. The Kali installed system is a Linux-based operating system designed specifically with Metaspoilt in mind to be exploited by its users. The Kali installed system is readily available for download from the Metaspoilt website for everyone who needs to use the penetration testing tool. Even though there is no limitation on which penetration testing program to use, Metaspoilt is preferred, as earlier stated in this paper. In the process of setting up the vulnerable machine, it will first be downloaded from the Metaspoilt website (www.metasploit.com), after which the virtual machine file will be opened from the inside of a virtual box, preferable as shown in the diagrams below.

After following these steps, this process will be on its way to testing the vulnerabilities of the company's systems and becoming closer to confirm as a working penetration tester. All that is so far required to be done is to enter “msfadmin" for both username and password and then be connected in a few seconds. Although this is just a test system, it should be remembered that it can operate its systems, which it would need to test in the future and consistently.

Methods and Methodologies

For this Metaspoilt design and development, some of the methods and methodologies that have been considered appropriate include Open Source Security Testing Methodology Manual and Open Web Application Security Project (Ramirez-Silva and Dacier, 2007, p. 202). According to Bradshaw et al. (2015 p. 25), not all methods may be appropriate for a process. Some methodologies are only designed for specific things and not in everything. Both methods and methodologies mentioned above are still integrated into the contemporary world standards. Marquez (2010, p. 4) points out that Open Source Security Testing Methodology Manual is a methodology applicable in operating systems (O.S.), data networks, telecommunication, wireless communication, human factor, and physical security. Through the use of something such as Kali Linux is very important because it comes with many uses such as in web application testing, manipulating of user data, denial of service attacks, network stress testing, network infrastructure attack, and SQL injection (Kennedy et al., 2011, p. 16).

Automated and Manual Testing

There exist differences between when manual testing is used and when automated testing is used. For automated testing, one may not necessarily get a good understanding of the workability of everything or reasons why things happen the way they do (Kennedy et al., 2011, p. 19). However, when manual testing is used, one would have absolute control over whatever happens in the entire process and would have the ability to learn the working process of the system step-by-step. Therefore, it is evident that manual testing is much preferable to automated testing, even without diving into the financial issues associated with the two methodologies of penetration testing (Bradshaw et al. 2015 p. 29).

Nevertheless, it is important to note that one thing to consider, no matter what testing approach is chosen, is the duration it requires to do the task. While both methodologies have various advantages, it is much faster when automatic testing is done than when it is done manually (Chen, 2018, p. 230). Through automatic penetration testing, the coding used can cover different platforms; however, when the same is done through a manual penetration testing approach, one has to constantly change the code to cover different platforms (Marquez 2010, p. 6). Unless one is a seasoned expert, he/she ought to leave the manual penetration testing approach to the advantages. “Expert hackers are used to writing their own scripts or even automating one of the stages, so as to proceed swiftly and find more safety seepages in the target systems” (Ramirez-Silva and Dacier, 2007, p. 211).

Metasploit on Stuxnet

Whereas Metaspoilt has many areas of use, one of the best-known areas of its use is on Stuxnet. Stuxnet worm has been used to launch an attack against the controllers of programmable logic and has been able to exploit the zero-day-vulnerabilities, particularly in Windows (Karnouskos, 2011, p. 4490). For example, in 2010, it was used to launch an attack against Iranian Nuclear facilities (Kerr et al. 2010, p. 7). It is important to note that the Stuxnet worm one of the main debacles of this century. If TechTex Company does not properly use it for learning purposes, it may face difficulties related to system security in the future. There are tons of PLCs around the entire universe; therefore, it is very scary to think that a worm of this nature can cause an effect on any kind of network. Stuxnet worm has two fundamental phases. The first phase is the propagation phase, which is essentially the characteristics exhibited by each worm. The second phase is the injection phase. Therefore, the Stuxnet worm propagates into a local network in the first phase and gets its files updated using peer-to-peer communication (Karnouskos, 2011; p. 4498).