Penetration testing is a well known methodology assessing security vulnerabilities by executing complex steps which form an attack. Professional pentesting is an expensive service that sometimes cannot fit in the budget of Small and Medium Enterprises. Automating this process means it can be executed even by inexperienced system administrators while it saves time for professionals.The difficulty of this problem consists in the heterogeneity of networks and systems so the techniques need to be adapted each time. Our approach is based on identifying system characteristics, search for existing vulnerabilities and applying machine learning for selecting the most appropriate exploit. The model was trained using data collected from exploited machines on the “Hack the Box” learning platform and delivers exploits from the Metasploit framework.The evaluation shows that the proposed framework can exploit a fair number of systems and can be extended to support new classes of exploits and new pentesting methodologies.
展开▼
机译:渗透测试是一种众所周知的方法,它通过执行构成攻击的复杂步骤来评估安全漏洞。专业的渗透测试是一项昂贵的服务,有时无法满足中小企业的预算。自动化该过程意味着即使没有经验的系统管理员也可以执行此过程,同时又可以节省专业人员的时间。此问题的困难在于网络和系统的异构性,因此每次都需要对技术进行调整。我们的方法基于识别系统特征,搜索现有漏洞并应用机器学习来选择最合适的漏洞。该模型使用从“ Hack the Box”学习平台上被利用机器收集的数据进行了训练,并提供了Metasploit框架的利用。评估表明,提出的框架可以利用相当数量的系统,并且可以扩展以支持新的类别。漏洞利用和新的渗透测试方法。
展开▼
