Penetration Testing in IoT Network

1
Rahul Johari, 2 Ishveen Kaur, 3 Reena Tripathi, 4 Kanika Gupta
1,2,3
SWINGER: Security, Wireless, IoT Network Group of Engineering and Research Lab
University School of Information, Communication and Technology (USIC&T)
Guru Gobind Singh Indraprastha University
Sector-16’C, Dwarka, Delhi-110078, India
1,2,3
[email protected]
4
ABES Engineering College, Ghaziabad, India, [email protected]

Abstract—Penetration testing, also known as Pen testing is the reason for this is the application which user runs on
usually performed by a testing professional in order to detect their mobile make use of internet which make the system,
security threats involved in a system. Penetration testing can application more vulnerable to attack or cyber attack. When a
also be viewed as a fake cyber Security attack, done in order
to see whether the system is secure and free of vulnerabilities. deliberate attempt is made to intrude into an application or into
Penetration testing is widely used for testing both Network and a system, then such a type of malicious intent made to enter
Software, but somewhere it fails to make IoT more secure. In into a system or an application is termed as cyber attack.While
IoT the security risk is growing day-by-day, due to which the IoT launching a cyber attack, the attacker makes use of self coded
networks need more penetration testers to test the security. In the programs to alter the logic in the original source code, due
proposed work an effort has been made to compile and aggregate
the information regarding VAPT(Vulnerability Assessment and to which the results obtained after running the code are not
Penetrating Testing) in the area of IoT the ones expected, a process termed as cyber crime[3]. The
Index Terms—Penetration Testing, IoT, Cyber Security Attack, technical process designed to detect the security bugs using
security risk testing is known as vulnerability assessment and penetration
testing. VAPT can be done for both Network as well as
I. I NTRODUCTION
software programs or system.For network it could be LAN or
Testing, a keyword or a term that is defined ’As an ability WAN where as for Software it could be an .exe file, web/cloud
to find fault and defects that may be present in a system or an application or application designed for mobile. Vulnerability
application whether mobile or web’. The defects or faults that assessment and penetration testing is at times considered a
are detected can be, with respect to security or functionality. single term but still they differ from each other in two aspects
When a tester (the person who finds these defects) tests the that could be
application in order to check for exploitable vulnerabilities
1) Vulnerability Assessment could be termed as a process
by cyber attacking into a system then such type of testing
that gives an idea on how big the vulnerability is, where
is termed as Penetration testing. Penetration testing involves
as Penetration testing tells or gives the priority of that
an attempt to breach the security of the application, which
defect i.e in simple words, Penetration testing tells how
a developer cannot do. It involves the process to detect
big the bug is.
the vulnerabilities using Proprietary and Open source tools
2) Vulnerability assessment is an automated process where
which generate a report containing the flaws that can cause
as penetration testing is a manual process.
vulnerability in the application. The major goal of penetration
testing is to find out the vulnerabilities in an application if Now the next question that might arise is, how to carry out
any, so it can be defined as the risk that an attacker could do the process of VAPT for an application?. For this, there are
to exploit and gain unauthorised access to the system or an certain tools which run the test execution, give the analysis
application[1]. Penetration testing is usually accomplishes in report and the combined result gives the vulnerability detection
different phases in order to find out the vulnerabilities and to confirmation, some of these tools are as :-
assure that the application is secure and bug-free. The differ- 1) Nmap (For vulnerability)[20]
ent phases that are followed while performing Vulnerability 2) Acunetix (For Vulnerability)[21]
Assessment and Penetration Testing are:- 3) Burpsuite (For penetration testing)[22]
• Reconnaise 4) Metasploit (For penetration testing)[23]
• Scanning IoT [4] can be termed as a network of physical objects
• Gaining access or ”things” embedded with electronics, software, sensors and
• Maintaining Access connectivity. In almost every field of IoT there is accumulation
• Analysis[2] of new knowledge and security risk for IoT is growing
In today’s time the usage of internet has become wide spread, day-by-day due to which the testing team specially security
as a result security of the data is of most importance and professionals and penetration testers somewhere lack skill to

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply
 test the IoT environment properly due to the unavailability of
adequate methodology or tools.In 2018 OWASP (Open Web
Application Security Project) released top 10 vulnerabilities
as found in IoT Network[5]. These vulnerabilities are as :-
1) Weak , Guessable or hard coded password
2) Insecure Network Services
3) Insecure ecosystem interfaces
4) Lack of secure update mechanism
5) Use of insecure or outdated components
6) Insufficient privacy protection
7) Insecure Data transfer and storage
8) Lack of device management
9) Insecure Default settings
10) Lack of physical Hardening [5]
II. S OFTWARE T ESTING M ETRICS - T ESTING C ONCEPT
The software testing metric gives a quantitative way to the
development and validation of the software. It estimates the
progress quality and health of the software reduce error and
upgrade the acceptance of the paper. A software testing metric
is a measurement based technology that is applied to process,
product and services to improve and supply engineering and
management information.
A. Importance of Software Metrics
Testing metrics are important due to the following facts:- Fig. 1. Life cycle of Software Metrics
1) Enhances the quality and productivity of products and
services to achieve the desired goal.
2) Easy to manage.
3) Metric upgraded the current process.
4) Decision capability- It takes a decision, process accord-
ingly and follow new technology.
B. Software Metric Life Cycle
To understand software metric life cycle one need to under-
stand the flowchart as shown in figure 1:-
C. Type Of Software Testing Metrics
Testing broadly is categorised into various types like Manual
Testing, Automation Testing, Performance, Security Testing
etc. Every type of testing has its own meaning and im-
portance.Similarly we divide software metrics as :- Manual
Testing Metrics, Performance Testing Metrics and Automation Fig. 2. Software Metric Type
Testing Metrics as shown in figure 2.
D. How to Calculate Testing Metrics
4) Effective Management and Interpretation of the defined
To Calculate testing metrics one need to follow some metrics that is : The actual test Cases being executed
steps.Let us summarize the steps as along with some example per day.
in testing perspective :- 5) Identifying the improvements areas depending upon the
1) Identify the key software testing processes to be mea- interpretation of the metrics.Finally, test case execution
sured like : Testing Process being tracked for a project followed by suggesting the improvement areas for the
2) Tester will now use the data as baseline for testing using findings[25].
metrics like for instance : Number of test cases being
executed per day III. L ITERATURE S URVEY
3) Determination of the information being followed, the In [6] authors described that IoT is now became a hard
frequency of process being followed by a person, that is core part of computing technology which connect various
: Test case execution to be followed by the Test Manager things.IoT connected devices, systems and interacting with

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply
 machine, environment, infrastructures, radio frequencies and finalized and the coding need to be initiated then, a
sensor network technology. IoT makes our day to day life proper designing of the software needs to be created,
much easier and safer by commanding and controlling and it which is basically done so as to have a proper flow of
also reduce the impact on environment. In the era of smart the project.It further defines the sequence of processes
technology most of the people have smart phone devices, sys- for risk management, planning, analysis of risk, identi-
tems and internet access is easily available, so that interfering fication and controlling on a project.
of the information can be much easier and cheaper. 5) Test plans :- Once the design is prepared, a proper vision
In [7] authors had described that IoT as the combination is provided after the final UI and a test report and plan
of two words first being internet and second being things, needs to be submitted so that no use cases is left for the
as no unique definition of IoT described by the community end user to complain about.
of users and also the best definition that could be given of 6) Coding :- Once the requirement gathering is done, use
IoT can be An open and comprehensive network of intel- cases are designed and the test plan are ready. Now the
ligent objects that have the capacity to auto-organize, share developer needs to apply the logic for the same and build
information, data and resources, reacting and acting in face the code which will be tested further according to the
of situations and changes in the environment”. Further after test plan made by the tester.
defining some terms one needs to give the architecture so as 7) Test Results :- The test plan created before the coding
to know what all combines to give rise to that particular thing part is now executed and the result for the same is
and as IoT is so vast, the particular architecture could not written as PASS and FAIL for a particular test case.
be given. But after certain researches, certain models were 8) End user feedback :- After the testing if the release is
given out and from those models, one model which can be PASSED by the tester then it is delivered to the end user
considered as a primary model architecture was European FP7 and their is feedback is awaited and appreciated[8].
research project. Furthermore, not only the architecture but the Once the application development is finished, end users
technologies which can be used by IoT (which were initially generally consider penetration testing as the final regimen for
initiated by the RFID members) and are used by IoT can be the approval of the product.
IP, Wi-Fi, Barcode and many more.Hence with this, it could In[9] authors had described penetration testing as the fun-
be concluded that IoT offers many technologies which helps damental security act for maintaining the security of the soft-
to make the today more smart and live a easy to go life. But ware.Authors researched about the attack net penetration test-
with the growing emergence of IoT, no particular definitions ing mechanism , Where penetration follows two approaches :-
could be provided, no architecture could be defined and also Flaw hypothesis and Attack tree.
IoT could not be used for security testing and was not helpful Now a days, penetration testing plays a vital role in security
in finding the vulnerabilities if any. of web applications as now a days our lives are mostly
To overcome the major drawback of IoT, researchers moved dependent on the web pages, so web pages need to be more
to the topic of penetration testing so as to get a secure appli- secure and should be free of vulnerabilities.The developers
cation and develop a vulnerable free software.To understand while developing cannot think of the use cases with respect to
the concept of penetration testing, user need to understand the security as their priority and job is to deliver the product on
software life cycle model as SDLC focuses on specific part time.When it comes to security, testers come into the scene and
of penetration testing and helps the user to understand how tests the application as a normal developers cannot. Penetration
is the product developed. SDLC contains the following parts tester basically guide the developers on how the vulnerability
described as :- flaws can be fixed and these flaws could be detected using
1) Requirements and use cases :- With the starting of various security testing tools that are offered such as Burp
the software development life cycle the very step to Suite[22], Selenium[24] and many more which generate a pen
proceed with is to gather the requirement and identify testing report after running the application with the severity of
the use cases that need to be handled while developing the flaw stated with each defect, then this report is handed over
a particular software.It is further categorized as to the developer and the developer fix those defects.These test
2) Abuse cases:- The unwanted use cases or corner cases scan the code for flaws such as : XSS injection, for HTML
that need to considered while testing or developing a code, for detecting injection based flaws and for cryptographic
software.Basically it is a type of complete interaction injections also.
between a system and one or more actors.The cases need In [10] authors had described penetration testing as a
to be considered so that the end user cannot complain tool for web services security attacks and how to define
or give a negative review. a framework for those attacks. The penetration testing is
3) Security requirements :- As the topic suggests, pene- currently adopted in Service Oriented Architectures, cloud
tration testing is the type of testing that is used to interfaces, management of federated identities, e-Government,
find the security faults in the software, hence security or military services. By applying different penetration tool
requirement are the functional security requirements of the developer specify the security of the system. Service
the software which can be directly tested and observed. oriented architecture (SOAs) is one of the tool which can be
4) Design :- Once the use cases and the requirements are used for the penetration testing which would enforce software

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply
 modulation and reuse. There are some attacks in the system encryption and decryption process can also used as the SQL
which breaks cryptographic primitives defined in the XML statements are executed and the data was prevented using
messages. The various web service attacks in the system are encryption technique with a parser of SQL which created
categorized as follows :- a log file and the data was maintained to check for the
1) XML signature wrapping malicious content. The methodology which was proposed by
2) over size payload the system to penetrate the attack in which the tester blocking
3) SOAP action spoofing the data on the restricted IP. This approach helped the admin
4) WSDL scanning to control the data and to stop the malicious data to enter
5) attack about functions or monitor it. The flexibility to the admin was to provide
6) indirect flooding java runtime invocation therefore the data was changed during
7) middle ware hijacking runtime and the instance got automatically changed.By using
8) attack on XML encryption this methodology technique, and usage of RMI the SQL attack
9) metadata spoofing detection derivation time became easy. SQL injection attack
10) oversize cryptography is a type of cyber-attack, tester already gone through SQL
11) WS addressing spoofing injection and various methodologies which were followed to
find vulnerability assessment. SQL injection are sub part of
Web service attacks need penetration testing to recognize
cyber-attacks.
the vulnerable point on the web page.In [11] authors described
In [13] authors analysed more techniques for penetration
penetration testing more widely, by explaining more tools
testing that could be used in defense area too.The user always
and various injections(especially SQL injections). The author
thinks about how to protect the application, how to prevent
gave another dimension to penetration testing with respect to
the code from the hackers. They never have a thought how to
web page, by saying it is a technique which helps to find
answer these questions? but for testing a tester is needed to
the loopholes or vulnerabilities if any in web page,which can
answer few questions such as what method hacker used for
further also help to rule out the illegal access to the database.
hacking and what methodology they followed. What was the
With the increase usage of web page, now a days the threat
purpose of hacker, how the attack was planned? The success
of the web application getting hacked has also increased and
of the attacks could be measured on parameters such as : Com-
results in generic input validation problem(s) such as XSS,
plexity required to find vulnerability assessment, complexity to
SQL injection or weak password. The paper described the
launch, Complexity to detect the attack.The technique through
previous methods that were used to solve the security of
which attacks could be launched are summarized as :-
the page code and new method that can be embedded .The
main aim is to demonstrate pen testing methodology which 1) Attack by web implants
can run or detect the unexpected behavior of the source 2) Attack by virus
code outside or inside the application and prevent it from 3) SQL Injection
hacking. The present methodology focused for penetration 4) Present scenario
testing that demonstrated various scanning tools for identifying 5) Password guessing.
the SQL injection as : Blind SQL injection[25], Havij SQL 6) Brute force
injection[26] and Normal SQL injection[27]. According to the 7) Once the attack was identified and tester knows which
author [11] SQL injections can be performed in following technique or attack is used. After that tester perform
steps :- penetration testing on the site .These tests are performed
1) Load the web page. using useful penetration measurement tools that helps to
2) Set the target to be attacked. discover and analyze the vulnerability that exist in the
3) Gather all the required information about the target so network.
that user gets to know how to attack and when to start In[14] authors focused on performing penetration testing to
the scanning. detect the flaws in the windows service to better understand
4) Once the information is gathered, the penetration testing the attack that could be done on window (IOS for web
tool now scans the web page and the scanning results application). The researcher so far clearly indicated that web
create generic reports of the larger environment. server are more prior to vulnerabilities. Many researchers also
5) Now the final step was to attack on the target. Since user disclosed that the solution to prevent these vulnerabilities is
consider only SQL injection, so that attacker attack on to perform penetration testing and considered it as reliable,
the target. SQL injection attacks when injected, produce repeatable and reportable exercise .The authors did an experi-
poorly embedded data which could be executed or any ment to know the methods using which attack was possible and
action could never be taken. a data set was considered which was employed by intrusion
In [12] authors described another methodology to penetrate threat detect university technology Malaysia(ITDUTM)[15].
SQL injection with respect to IP addresses. Cryptographic The experiment was done on the web server and followed
techniques encryption and decryption are also helpful to the following steps in order to find the method of attack.
protect the data. In order to find the malicious content then • Scanning Attackers port the network scanning.

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply
 • Brute force Attempt to break the password. of process which includes several steps. The first step is to
• Gaining privilege Attacker give privilege to admin. describe the determined scope, then run all scans and after that
A new technology /security platform was developed to it parse tool’s output and generate result at the end and it in-
protect the threats in a window server and to prevent these cludes start Manual process. There are some more penetration
threats pen testing was performed. However this technology testing tools which are used by various companies like White
could fully identify the hidden data, new technology are being Hat, Black Hat or Gray Hat. The White Hat was used where
made or new experiments are persuing inward to find the the network corporation was full-fledged with the target. The
exact tool that could find the vulnerabilities for IoT code, web Black Hat was used by few network administration, this was
application and Web server. mainly done to know about the human behavior towards the
In[16] authors described, In todays world the IoT is growing attack. The Gray Hat was a combination of both tools, despite
rapidly with many implementation. IoT had ability to perform the another penetration testing tools using penetration testing
various tasks and handle sensitive information and also the methodology which include standalone information gathering
scarcity of user security awareness. In this paper the developer methodology. There are few steps used in testing which are
developed a penetration technique called PENTOS for the not basically methodology but these are basic steps to get start
user security purpose .It worked upon KALI LINUX which with ethical hacking like :-
was specifically designed for ethical hacking. The PENTOS
1) Foot-Printing: With the help of this tool a hacker might
automatically gather the information through wireless devices
use various tools and technology, basically this tool
like Bluetooth, Wi-Fi.By the help of this tool user could do
is used to collect the information about the computer
several type of testing like password attack, web attack, and
system.
wireless attack. The internet security is a biggest challenge
2) Scanning: In the era of information security, scanning is
now a days. There are so many IoT devices which are devel-
a very important part of testing technique. In penetration
oped and deployed without security consideration. There was
testing tester uses Port scanning, it is a part of active
an incident in a past history in which a website was attacked
reconnaissance, and similarly Ping scan is used for scrub
by DDOS of 665 Gbps probably, it was a biggest attack ever
a whole network block.
made and after this the user became more aware about the
3) Enumeration: the enumeration tool is different from
security. The vulnerability risk increases that could affect the
network mapping. In this username and information on
IoT. The security expertise advice was still lacking behind in
groups, shares and services of network computers are
the case of protecting the security and privacy of IoT products,
improved.
because of all these issues the penetration testing comes in
light. It had a potential solution to support and enhance the The penetration testing methodology was proposed as follows
security PENTOS was purely worked upon wireless devices :-
and penetrate the target IoT devices. Working of PENTOS
1) Information gathering.
had a various steps. Firstly the PENTOS collaborate with
2) Vulnerability analysis.
IoT recommendation provide basic information, and it took
3) Definition of secondary target.
top 10 IoT vulnerability[4]. The second step is information
4) Penetration /Attack.
gathering, in this live scanning of the network, checking of
5) Result analysis.
opening ports, checking the type of security, checking the
6) Final analysis.
service provide OS and fingerprints and at the end it report
the gathered information. In third step the password attack, In[18] authors described that Penetration testing tools can
password security issue are to be handle. Now in fourth step be emphasized as software testing tool such as NMAP[20]
wireless testing was to be done which includes penetration (Network mapper) and Metaspliot[23]. The penetration testing
testing for Wi-Fi and Bluetooth and at the end it report the tools provided security protection by ISD/IPS which were
results. In fifth step the web hacking was done, scans the defense tools whose task is to monitor traffic upon net-
component management, SQL database injection was included work.IDS/IPS tools divided into two parts anomaly-based and
at last stage, it report all the result of a PENTOS.This was signature based. The anomalybased tool establish a compari-
basically the structural chart of a PENTOS. son between how data had deviated and behavior of network
In[17] authors explained that the penetration testing per- traffic against the statically normal network state or profile.
forms various steps while testing are to followed by every The advantage of this tool was to know about the previous
company.Some tools used for penetration testing focus only attack. On the other hand signature based tool detect and
on specific range from information gathering to exploitation. distinguish between common system state and database of
This paper described about scripting certain tools that are used unknown pattern. It had error rate but it could not find unde-
by customer to make process more effective and efficient. fined type of attack. The system further divided as host based
The concept that tool uses was python as a language and IDS and network based IDS. Both HIDS and NIDS monitor
the purpose of this tool was to improve efficiency of current inbound and out bound traffic.Port scanning, specific packets
penetration testing companies, so that they could explore and response testing, DNS spoofing eavesdropping, unauthorized
expand coverage of penetration testing.The tool had high level connections or communication with non-standard IP address.

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply
 In[19] IIoT (industrial internet of things) is one of the Finding bugs using PMD, one need to create a java project
application of internet of things. The IoT integrate both and add the PMD class in src, a detailed working example can
physical and digital object to improve daily task and uses be viewed in [24].
in their applications.IIoT environment involves multiple vul-
nerabilities and exploitation identification technique.The term
IIoT was proposed in 2012. It differentiate between consumer
and industrial based application. In this the physical network
transformed into cloud based service, the IoT deployed in
conjunction with middle ware tool such as Arduino IDE.The
IIoT had three main issues due to which security could
be challenged. Firstly, IoT device made them vulnerable to
different cyber attacks. Secondly, the security tool includes
encryptions, firewalls, intrusion and detection system due to
these issues penetration testing tools and system are employed
to find the loopholes in the system and prevent them from
exploitation.

IV. C ODE A NALYSIS U SING P ENETRATION T ESTING T OOL

Penetration Testing is another term for Security testing. Usu-

ally it is observed that testing is done for a whole application
for a whole project but not for the code which is developing
the project.So let us look into a tool which can help us to
find the issues in our source code. To see whether our code
is secure or not? Is there any vulnerability in our code? On Fig. 4. Configure PMD
the many tools available in Open Source domain,in the current
work ’Programming Mistake Detector’ a PMD Source Code V. C ONCLUSION AND F UTURE W ORK
Penetration Testing tool has been explored. PMD is a free
This seems to be the first of its kind, effort in compiling
open-source source tool available for the sake of testing and
and aggregating the information regarding Penetrating Testing
find the code coverage for java programs. It is used unused
in the area of IoT. As an extension of current work, in
variables, empty catch blocks, unnecessary object creation, and
the future, code would be simulated in Java Programming
so forth. Its mainly concerned with JavaApex but also supports
language for routing of the message using MQTT(Message
other languages also. The installation is depicted in figure 3
Queue Telemetry Transport) and COAP(Constrained Applica-
and 4 respectively.
tion Protocol) Protocols in IoT Network. The test cases would
then be designed to test the effectiveness and efficiency of the
code(both manually) and using tools such as Find Bugs and
Sonarqube.
R EFERENCES
[1] https://www.geeksforgeeks.org/software-testing-penetration-testing
[2] https://opensourceforu.com/2017/06/basics-vulnerability-assessment-
penetration-testing
[3] https://www.techopedia.com/definition/24748/cyberattack
[4] https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-
Miessler.pdf
[5] https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf
[6] Sharma, V. and Tiwari, R. A review paper on IoT It’s Smart Appli-
cations. International Journal of Science, Engineering and Technology
Research (IJSETR) 5(2), pp.472-476., 2016.
[7] Madakam, S., Ramaswamy, R. and Tripathi, S. Internet of Things (IoT):
A literature review. Journal of Computer and Communications 3(05),
p.164., 2015.
[8] https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=arnumber=1392709
[9] McDermott, J.P. Attack net penetration testing. In NSPW (pp. 15-21).,
September 2000
[10] Mainka, C., Somorovsky, J. and Schwenk, J. Penetration testing tool for
web services security. In 2012 IEEE Eighth World Congress on Services
(pp. 163-170). IEEE. , 2012, June.
[11] Ibrahim, A.B. and Kant, S. Penetration Testing Using SQL Injection to
Recognize the Vulnerable Point on Web Pages. International Journal of
Fig. 3. PMD Installation Applied Engineering Research, 13(8), pp.5935-5942. , 2018.

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply
 [12] Kaushik, M. and Ojha, G. Attack penetration system for SQL injection.
International journal of advanced computer research, 4(2), p.724. , 2014.
[13] Stiawan, D., Idris, M.Y., Abdullah, A.H., Aljaber, F. and Budiarto, R.
Cyber-Attack Penetration Test and Vulnerability Analysis. International
Journal of Online Engineering, 13(1)., 2017.
[14] Stiawan, D., Idris, M.Y.B., Abdullah, A.H., AlQurashi, M. and Budiarto,
R. Penetration Testing and Mitigation of Vulnerabilities Windows Server.
IJ Network Security, 18(3), pp.501-513., 2016.
[15] D. Stiawan, M. Y. Idris, and A. H. Abdullah Penetration testing and
network auditing: Linux Journal of Information Processing Systems,
vol. 11, pp. 104115, 2015
[16] Visoottiviseth, V., Akarasiriwong, P., Chaiyasart, S. and Chotivatunyu,
S. PENTOS: Penetration testing tool for Internet of Thing devices.
In TENCON 2017-2017 IEEE Region 10 Conference (pp. 2279-2284).
IEEE.,2017, November.
[17] Haubris, K.P. and Pauli, J.J. Improving the efficiency and effectiveness of
penetration test automation. In 2013 10th International Conference on
Information Technology: New Generations (pp. 387-391). IEEE., 2013,
April
[18] Zitta, T., Neruda, M., Vojtech, L., Matejkova, M., Jehlicka, M., Hach,
L. and Moravec, J. Penetration Testing of Intrusion Detection and
Prevention System in Low-Performance Embedded IoT Device. In 2018
18th International Conference on Mechatronics-Mechatronika (ME) (pp.
1-5). IEEE., 2018, December.
[19] Moustafa, N., Turnbull, B. and Choo, K.K.R. Towards Automation of
Vulnerability and Exploitation Identification in IIoT Networks. In 2018
IEEE International Conference on Industrial Internet (ICII) (pp. 139-
145). IEEE., 2018, October.
[20] https://nmap.org/bennieston-tutorial/
[21] https://www.acunetix.com/
[22] https://portswigger.net/burp
[23] https://www.metasploit.com/
[24] https://www.javatips.net/blog/pmd-in-eclipse-tutorial/
[25] https://www.guru99.com/software-testing-metrics-complete-
tutorial.html/

Authorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on August 05,2022 at 07:41:53 UTC from IEEE Xplore. Restrictions apply