- Burp Suite Community Edition: Manual and automated web testing
- OWASP ZAP: Web app fuzzing and vulnerability detection
- Metasploit Framework: Exploit deployment and session control
- Python-Nmap: Automated scanning via scripting
- Kali Linux: Attacker operating system
- DVWA / XVWA: Deliberately vulnerable web apps for testing
- Hydra: Brute-force password attack tool
- Python 3.8+: Core scripting engine
- Nmap 7.91: Vulnerability database
- Metasploitable2: Target environment
Vulnerability Overview
Exploited critical OWASP vulnerabilities:
- Input validation failures including SQL Injection and Cross-Site Scripting
- Session management flaws such as session fixation and cookie theft
- Authentication weaknesses exploited by brute-forcing weak credentials
Exploitation Summary
SQL Injection with payload ' OR '1'='1 on DVWA:
Stored XSS:
Brute-force attack to crack SSH credentials:
Tools Used
Burp Suite Intruder:
OWASP ZAP Fuzzing:
Vulnerability Overview
Targeted outdated and poorly configured services:
- CVE-2011-2523: VSFTPD backdoor exploit
- Default credentials allowing SSH admin access
- Nmap enumeration using vulnerability scripts
Exploitation Summary
VSFTPD exploit with Python reverse shell:
UnrealIRCd remote code execution:
Nmap vulnerability scan:
Tools Used
Metasploit Framework:
Python-Nmap for Automated Service Enumeration:
Used Python to automate nmap -sV --script vuln scans across Metasploitable2 hosts.
- Script:
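```python
import nmap  # python-nmap: Python wrapper around the nmap binary

scanner = nmap.PortScanner()
# Service/version detection, OS detection (-O needs root) and the NSE "vuln" scripts
scanner.scan(hosts='192.168.1.0/24', arguments='-sV -O --script vuln')
```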
- CSV Report Output:
- Vulnerability Confirmation:
- All attacks were conducted in a controlled Metasploitable2 lab environment
- Tools were used ethically for educational purposes
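For the python-nmap CSV report step described above, one way to flatten scan results into a triage report, as an added example that is not the project's own script. The sample data, the `flatten`, `safe_cell` and `to_csv` names and the "VULNERABLE" heuristic are assumptions; cells are neutralised because service banners and script output come from the scanned hosts and may be opened in a spreadsheet.

```python
import csv
import io

# Constructed sample in the shape python-nmap exposes as scanner[host];
# the address, versions and script text are illustrative, not real scan output.
SAMPLE_SCAN = {"192.168.1.10": {"tcp": {
    21: {"state": "open", "name": "ftp", "product": "vsftpd", "version": "2.3.4",
         "script": {"ftp-vsftpd-backdoor":
                    "\n  VULNERABLE:\n  vsFTPd version 2.3.4 backdoor\n  IDs:  CVE:CVE-2011-2523"}},
    22: {"state": "open", "name": "ssh", "product": "OpenSSH", "version": "4.7p1"},
    23: {"state": "closed", "name": "telnet", "product": "", "version": ""},
}}}

FIELDS = ["host", "proto", "port", "name", "product", "version",
          "script", "vulnerable", "output"]

def safe_cell(value):
    """Collapse whitespace and neutralise spreadsheet formula prefixes."""
    text = " ".join(str(value).split())
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def flatten(scan):
    """Return one row per open port and script result (one row if no script ran)."""
    rows = []
    for host in sorted(scan):
        for proto in ("tcp", "udp"):
            for port, info in sorted(scan[host].get(proto, {}).items()):
                if info.get("state") != "open":
                    continue
                for script_id, output in (info.get("script") or {"": ""}).items():
                    rows.append({
                        "host": host, "proto": proto, "port": port,
                        **{k: safe_cell(info.get(k, "")) for k in ("name", "product", "version")},
                        "script": script_id,
                        # Assumed heuristic: NSE vuln scripts commonly print "VULNERABLE".
                        "vulnerable": "VULNERABLE" in output and "NOT VULNERABLE" not in output,
                        "output": safe_cell(output),
                    })
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(flatten(SAMPLE_SCAN)), end="")
```

With a live scan, pass `{h: scanner[h] for h in scanner.all_hosts()}` to `flatten`.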