Cloud computing environment Virtual machine vulnerability and its

proposed solutions.

Rajni Kumari , M.Tech Research Scholar ,Center of Cloud Infrastructure and Security, Suresh
Gyan Vihar University , Jaipur , Rajasthan.
E-mail-: [email protected]
Dr. Manish Sharma , HOD, Center of Cloud Infrastructure and Security, Suresh Gyan Vihar
University , Jaipur , Rajasthan.
E-mail-: [email protected].
Dr. Rashid Hussian, Associate Prof., Electronic and communication, Suresh Gyan Vihar
University, Jaipur, Rajasthan.
E-mail-: [email protected].

Abstract an allowance for hacking and could have bad

effect.
In the field of cloud computing lack of
security are available because its work on The main purpose of the research is to show

virtual environments. When we talking about the various tools used when trying to find

security that make the discussion of Ethical vulnerability in the metasploitable 2.By using

hacking. In this paper describing cloud NMAP to test a target, we can find the

computing, virtual machine, ethical hacking vulnerabilities that need to be fixed so as to

and security issue in the field of better protect the target. Certain area like

virtualization. open port and services.

In this paper, In general will be discussed Even as Penetration testing is done by lot of

about penetration testing, as well as how to different way but I have chosen to use NMAP

penetration test using Metasploitable 2. because of the wide acceptability. This paper

Metasloitable 2 is a vulnerable virtual shows how to well identify the vulnerability

machine that I chose to use, as using any within a system of your choice. Once going

other system to do this on would be making through all of the steps in this paper, anyone
should be able to try and exploit any system
they feel is vulnerable.
 initially consider every possible exploit
Keywords -: vulnerabilities, penetration available, when people set out to make
testing, Metasploit, Metasploitable 2, pen- computer systems. When it comes to making
testing, exploits, Nmap, and Kali Linux. a system, there are a lot of moving parts and
it’s everyone’s job to explore all the options
they have in order to provide a secure and
I. INTRODUCTION
safe system. This is where penetration testing
The state of Internet has been very poor at the
tools comes in practical.
beginning, in terms of security. As long as we
knows about that as the reality that not many
When it comes to the security of virtual
people had access to the internet, so there
systems, we can never leave anything to
were less attackers to deal with. Security
chance. By all its vulnerability hacker trying
wasn’t very essential back then, but as the
to exploit a system to gain access to personal
years moved on, we got real huge real fast
and private data for its users. By using these
and have been playing draw level ever since.
penetration testing techniques described in
With latest technology being developed
this paper, we can get a jump on the hacker
every year, we constantly have to approach
looking to harm and infiltrate systems that do
with new ways to stop malicious activity
not belong to them. The things that are put
within our systems. It is not only do home
into this paper are to only be used for the
professionals are well, but businesses need
suitable manner and are no way planned to
constant keep in security especially when
lead one to become a hacker. The methods
dealing with servers. So, Security is play vital
described are meant to help one if they were
role in our daily lives. When people say they
intending in learning certain goals that be
want security, what is probably heard is that
relevant to penetration testing of one’s own
they want a good arrangement of security.
system or a system that you have permission
When we think about it, in fact makes sense.
for. There are far too many people that are
Feeling secure isn’t essentially the same
taking what they are learning and applying it
thing as being secure. This vital points to
in an unethical way, which will create
understand everyone that what kinds of
confusion and attain a financial gain. No one
threats are out there then they would make
should take what they learn and use it against
real security their first priority. We don’t
anyone in that manner.
 them. The best way to try and stop these
vulnerabilities from being found is to either
hire someone full-time to constantly do
II. PENETRATION
penetration testing or if money is tight, hire
TESTING someone occasionally to do the testing.
When it comes to protecting computer
systems, NMAP is a good what to do that.
Many different things encapsulates in
NMAP is only one of many penetration
penetration testing. A few of those things
testing programs available in the world. By
include Wifi, networks, software, and
using this program, you will surely be able to
hardware systems. Penetration testing mostly
quickly identify any vulnerability through the
use in determines open services, Identify
exploitation of the system, either manually
network topology, determine operating
(command line style) or automatically (GUI
system, identify app, determine server,
type) [2].
identify risk and report end result. When we
There are many different types of penetration
launched a system, most systems have some
testing tools available to explore. Metasploit,
form of vulnerabilities present. The
Kali Linux, Wireshark, John the Ripper,
vulnerabilities are called as zero day exploits.
Nessus, Nmap, and BeEf are a few of them
Zero day exploits are frequently either known
[3]. Some of the various types of attacks that
by the companies or just don’t think it’s bad
can be done on a system include BlueTooth,
enough to fix or don’t know about them at all.
PC microphone, wifi(Wpa-protected), and
There are many issues with the interactions
man in the middle attacks[4].
between software and hardware that can
Kali Linux is an operating system [5] filled
remain unknown for years before they are
with various open source programs strictly
found and some are never found because that
developed with the hacker world in its mind.
issue has not presented itself.
It’s not an operating system to be taken
Penetration testing can be defined as being a
lightly as any use of it illegally could get you
means for a company or business to access
jailed if you were ever caught. The two main
the vulnerabilities within its system at any
penetration testing is either overt or covert
given time [1]. As systems change, like the
[6]. Overt testing is when you have the
addition of new software or hardware
complete cooperation of the owners of the
changes, more vulnerability can present
systems in which you are testing on and using NMAP as discussed previously. In
covert is when you are basically testing the order to set up the vulnerable machine, you
staff’s ability to figure out the exploits being need to download it from the website open
done on the system[7]. the virtual machine file inside of a virtual box
Some of the other things to consider when of your choice. After having done these steps,
having a business are the financial aspects. you are on your way to test the vulnerabilities
There are a lot of companies out there that are of this system and also on your way to
being crippled due to lack of testing or becoming a penetration tester. All you then
preparation. Sometimes it could be the cause need to do is enter msfadmin for the
of trying to get the product out before it is username and password and you will be
ready. If that is the case, then one might connected shortly to the Metasploitable
consider giving the project another few 2[10]. Even though this is just a test system,
weeks in order to make sure the bugs are all it has all the capabilities of any operating
worked out, because putting software out into system that would wish to test in the future.
the world before it’s ready could result in
catastrophic failure. As companies become
bigger over the years, we owe it to ourselves
to conduct testing on all of the systems in
order to show our products at its finest hour
and not have to worry about the possible zero
day exploits that have been left behind [8].

III. METASPLOITABLE 2
Metasploitable 2 is the system that is
vulnerable virtual machine. It is a linux based
OS that is made particularly with NMAP in
mind to be exploited by its users. It is Figure: Metasploitable 2
available to download on the website for
anyone who wishes to use do penetration
IV. Issue in the virtual
testing [9]. Although users could use any
machine metasploitable 2
penetration testing program I wish, I will be
By using NMAP tools scan the
metasploitable 2 which IP address is
192.168.1.36. Here -T4 command is using for
set timing and the range of –T is (0 to 5)
higher is faster, -A command to scan and
search for the OS (and the OS version) on a
host. This command will provide valuable
information for the enumeration phase of
your network security assessment and –v for
verbose. We can see in the figure below that
there are number of ports and services are
open and which OS is in use, gathering all the
information about that OS.
 V. Solution:
1. We can close the open port and
service using IPtables. In the given
figure below show how to close and
open the port.

Figure: Closing and opening the port

2. When attacker attacks the system

during the state of open port then we
use TCP dump or wireshark. By this
packet tracer, we analysis the packet
Figure: Scanning of Metasloitable 2
 and know about the attacker, prevent take a little bit longer. Penetration testing is
system from hacking just one of the multiple ways to make sure the
VI. CONCLUSION information on your systems is secure and not

There are a lot of penetration testing open to hacking. When you plan on doing

programs out there and NMAP just so penetration testing, I suggest you give NMAP

happens to be the best one that I could think a shot and you won’t be disappointed. When

of to share with you. It has a lot of nice looking into what programs that is available

options and you can use it either manually or to use across the internet, there are a lot of

automatically. Although the reasons for and different options to choose from. If you are

against the two have already been shown not alert with any of the programs, you could

throughout the paper, I’d like to reiterate a ground yourself into some serious trouble.

few things. By doing the entire exploiting

manual, you are able to control the way you
try to exploit a given system, it just might

Reference

[1]. Bhawana Sahare1, Ankit Naik2, [4].https://gadgets.ndtv.com/internet/news/aad

Shashikala Khandey3 International Journal of haar-cant-be-hacked-vested-interests-
Computer Science Trends and Technology spreading-lies-uidai-1915189
(IJCST) – Volume 2 Issue 4, Nov-Dec
2014www.ijcstjournal.org [5]. Bharath Kumar Koopari Roopkumar
Louisiana State University and Agricultural
[2]. K.Bala Chowdappa , S.Subba Lakshmi , and Mechanical College, [email protected]
P.N.V.S.Pavan Kumar Ethical Hacking
Techniques with Penetration Testing K.Bala [6]. Susidharthaka Satapathy , Dr.Rasmi
Chowdappa et al, / (IJCSIT) International Ranjan Patra CSA, CPGS, OUAT,
Journal of Computer Science and Information Bhubaneswar, Odisha, IndiaInternational
Technologies, Vol. 5 (3) , 2014, 3389-3393 Journal of Scientific and Research
Publications, Volume 5, Issue 6, June 2015 1
[3]. Making the Case for Ethical Hacking Ball ISSN 2250-3153
State University Muncie, Indiana June 2009
[7]. IRACST - International Journal of Mobile Computing, Vol.4 Issue.6, June- 2015,
Computer Science and Information pg. 230-234
Technology & Security (IJCSITS) Vol. 1, No. [9]. “Security Guidance for Critical Areas of
2, December 2011 Focus in Cloud computing”, April 2009,
[8]. International Journal of Computer Science presented by Cloud Security Alliance (CSA).
and Mobile Computing Varsha et al, [10]. Penetration Testing and Metasploit
International Journal of Computer Science and Michael D. Moore Computer Science Department
Jackson State University Jackson, MS USA