
BBT, Inc.
Vulnerability Assessment & Penetration Test Report

Eric Gibson Jr
Joseph Pavlik
Rajani Gunda
R.E.J.
4/26/2012

Table of Contents

1 - EXECUTIVE SUMMARY ........................................... 3
1.1 - Project Objective ......................................... 3
1.2 - Scope ..................................................... 4
1.3 - Target Systems ............................................ 4
1.4 - Network Testing Methodology ............................... 5
1.5 - Tools ..................................................... 5
1.6 - Network Diagram ........................................... 6
1.7 - Network Diagram (DNS Resolution) .......................... 7
1.8 - Network Vulnerability Assessment (Authenticated) .......... 8
1.9 - Network Vulnerability Assessment (Unauthenticated) ........ 8

2 - FINDINGS .................................................... 9
2.1 - 70.61.60.122 .............................................. 9
    2.1.1 - Target Analysis
    2.1.2 - Vulnerabilities
2.2 - 70.61.60.125 .............................................. 10-11
    2.2.1 - Target Analysis
    2.2.2 - Vulnerabilities
2.3 - 70.61.60.123 .............................................. 12
    2.3.1 - Target Analysis
    2.3.2 - Vulnerabilities
2.4 - 70.61.60.124 .............................................. 13
    2.4.1 - Target Analysis
    2.4.2 - Vulnerabilities
2.5 - 70.61.60.126 .............................................. 14
    2.5.1 - Target Analysis
    2.5.2 - Vulnerabilities

3 - RECOMMENDATIONS ............................................. 15
3.1 - Software .................................................. 15
3.2 - 70.61.60.122 .............................................. 16
3.3 - 70.61.60.125 .............................................. 16-17

4 - CONCLUSION .................................................. 18

5 - PENETRATION TESTING LOG ..................................... 19-20

R.E.J. | BBT Penetration Test 2012

1.0- Executive Summary


BBT, Inc. requested the services of R.E.J. to conduct its bi-annual penetration test.
This executive summary contains the results of the penetration test performed between
April 5th, 2012 and May 1st, 2012.
This report contains confidential information about the level of security risk within the
BBT, Inc. network infrastructure.
At the request of BBT, Inc., R.E.J. analysts conducted authorized reconnaissance, network
mapping and vulnerability testing, and report their findings to BBT, Inc. here. The results
are an assessment of the conditions at the time of testing and do not necessarily reflect
current conditions.

1.1 Project Objective


The objective of BBT, Inc.'s network assessment is to determine the overall security of
the network by analyzing all IP addresses given to R.E.J. analysts. R.E.J. analysts
performed tests both as authenticated users (with the login credentials supplied by
BBT) and as unauthenticated users.


1.2 Scope

Attack Systems
  Description:
  IP Address:

Target Environment
(include any 3rd party systems/networks; written permission must have been obtained in advance by the target organization)
  Description:
  IP Address(es):  70.61.60.122-126
  Scan?            Yes

Assessment Type
  Will any part of the assessment be performed against a live production environment?   YES
  Assessment Timeline:                                                                   May 1st 2012
  List any black-out dates or times:                                                     April 3rd 2012, April 4th 2012
  Is this a black box vulnerability scan?                                                NO - Greybox
  If not, what are the approved login credentials for an authenticated scan?            Both (ask on April 17th); Local Admin accounts

Testing Techniques
  Ping sweep of network ranges:                   YES
  Dangerous/Unsafe checks allowed:                YES
  Internal reconnaissance activities requested:   YES
  External reconnaissance activities requested:   YES

Governance
  What is the policy regarding viewing data (including potentially sensitive/confidential data)?   Notify of any sensitive information found.
  Will target organization personnel observe the testing team?                                    NO

1.3 Target Systems

Target Environment
(include any 3rd party systems/networks; written permission must have been obtained in advance by the target organization)

  Description   IP Address(es)   Scan?
                70.61.60.122     Yes
                70.61.60.123     Yes
                70.61.60.124     Yes
                70.61.60.125     Yes
                70.61.60.126     Yes


1.4 Network Testing Methodology

Conduct reconnaissance
Scanning & enumeration
Identify all points of access within the network infrastructure
Report findings
Present recommendations

The following diagram illustrates the process used for performing the network assessment:

1.5 Tools

  Activity                                Tool
  Port Scanning & Footprinting            Nmap, Netcat, Google
  Web Application Enumeration             -
  Vulnerability Assessment                Nessus, Qualys
  Network Penetration Test                HydraGTK, Metasploit, Cain & Abel, Medusa
  Vulnerability Research & Verification   www.metasploit.com, cve.mitre.org, www.us-cert.gov


1.6 Network Diagram


1.7 Network Diagram (DNS Resolution)


1.8 Network Vulnerability Assessment - Authenticated

Qualys Application Scan

7 application vulnerabilities were discovered (listed under 2.2, Software Vulnerabilities).

1.9 Network Vulnerability Assessment - Unauthenticated

Nessus Network Scan

1 Critical vulnerability was discovered
1 High vulnerability was discovered
3 Medium vulnerabilities were discovered
1 Low vulnerability was discovered


2.0 - FINDINGS
2.1 Target IP: 70.61.60.122
Operating System: Linux (BackTrack)
Total Open Ports: 9

Attacks Attempted
HydraGTK: Dictionary attack against the SSH server. Hydra takes a username list and a
password list and automatically tries each combination against the service. Our
attempts were unsuccessful (see the testing log: a better password list was needed).
Medusa: A second dictionary attack against the SSH server, using a different tool and an
updated password list. These attempts were also unsuccessful.
DoS Attack: We found a denial-of-service exploit matching the OpenSSH version this server
runs, "OpenSSH <= 4.3 p1 (Duplicate Block) Remote Denial of Service Exploit". The
result was inconclusive: the exploit returned an IP cookie, but we were unclear on the
next steps and did not confirm an outage.

Vulnerabilities
Port 22

Synopsis: The remote service offers an insecure cryptographic protocol.


Description: The remote SSH daemon supports connections made using the
version 1.33 and/or 1.5 of the SSH protocol.
Risk Factor: Medium

Port 22

Synopsis: The remote service uses the default username for authentication.
Description: The remote service utilizes the default username root for
authentication. A remote user can login as the root user to the SSH server.
Risk Factor: Medium


2.2 Target IP: 70.61.60.125

Operating System: Windows (Windows XP Professional SP1, per the authenticated scan below)
Total Open Ports: 4

Attacks Attempted
MS12-020: We attempted to exploit the recently disclosed vulnerability in the Microsoft
Remote Desktop Protocol implementation (MS12-020, CVE-2012-0002) using RDPKill and a
Python script from the Exploit Database. The attempt appeared to succeed in that we
could no longer connect to the server afterwards; the host may have crashed or begun
refusing our connections. Note that the public MS12-020 exploit code available at the
time crashes the target rather than executing code, so this result demonstrates denial
of service, not remote code execution.

Vulnerabilities
Port 69

Synopsis: The remote host has probably been compromised.
Description: A TFTP server is running on this port. However, while trying to
fetch "/etc/passwd", we got an MS executable file. Many worms are known to
propagate through TFTP. This is probably a backdoor.
Risk Factor: Critical

Port 3389

Synopsis: The remote Windows host could allow arbitrary code execution.
Description: An arbitrary remote code execution vulnerability exists in the implementation
of the Remote Desktop Protocol (RDP) on the remote Windows host. The
vulnerability is due to the way that RDP accesses an object in memory that has
been improperly initialized or has been deleted. If RDP has been enabled on the
affected system, an unauthenticated, remote attacker could leverage this
vulnerability to cause the system to execute arbitrary code by sending a sequence
of specially crafted RDP packets to it. This plugin also checks for a denial of
service vulnerability in Microsoft Terminal Server. Note that this script does not
detect the vulnerability if the 'Allow connections only from computers running
Remote Desktop with Network Level Authentication' setting is enabled or the
security layer is set to 'SSL (TLS 1.0)' on the remote host.
Risk Factor: High

Port 3389

Synopsis: It may be possible to get access to the remote host.
Description: The remote version of the Remote Desktop Protocol Server
(Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP
client makes no effort to validate the identity of the server when setting up
encryption. An attacker with the ability to intercept traffic from the RDP server
can establish encryption with the client and server without being detected. A
MiTM attack of this nature would allow the attacker to obtain any sensitive
information transmitted, including authentication credentials. This flaw exists
because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll
library. Any local user with access to this file (on any Windows system) can
retrieve the key and use it for this attack.
Risk Factor: Medium

Port 3389

Synopsis: The remote host is using weak cryptography.
Description: The remote Terminal Services service is not configured to use
strong cryptography. Using weak cryptography with this service may allow an
attacker to eavesdrop on the communications more easily and obtain screenshots
and/or keystrokes.
Risk Factor: Medium

Port 3389

Synopsis: The remote host is not FIPS-140 compliant.
Description: The encryption setting used by the remote Terminal Services service
is not FIPS-140 compliant.
Risk Factor: Low

Software Vulnerabilities (Authenticated Scan)


Windows Firewall Disabled
Windows XP Professional Service Pack 1 - Support retired
Internet Explorer 6.0.2800.1106 Insecure Version
Adobe Flash Player 10.0.22.87 Insecure Version
Adobe Reader 9.3.0.148 Insecure Version
Windows Media Player 9.0.0.2980 Insecure Version
Apple QuickTime 6.5.1.0 Insecure Version


2.3 Target IP: 70.61.60.123


Operating System: N/A
Total Open Ports: 5

Vulnerabilities
N/A


2.4 Target IP: 70.61.60.124


Operating System: N/A
Total Open Ports: 6

Vulnerabilities
N/A


2.5 Target IP: 70.61.60.126


Operating System: N/A
Total Open Ports: 7

Attacks Attempted
VNC: At one point during our reconnaissance we found an open port running VNC. On
returning to the server we could not get consistent Nmap scans because the host
appeared to go down several times, so we could not establish which VNC service
(and version) was running. This needs further investigation at a future time; we have
several exploits ready to run once the service is identified.

Vulnerabilities
N/A


3.0 - RECOMMENDATIONS
Software Recommendations
During target analysis of host 70.61.60.125 (see 2.2, Software Vulnerabilities), a number
of installed applications were found that put the machine at risk and could allow an
attacker to compromise the host through the insecure application. Below is the list of
insecure applications, each with a recommendation on how to resolve the issue. Versions
given as "latest" are current as of April 2012.
Windows Firewall Disabled
Enable the Windows Firewall on the host machine.
Windows XP Professional Service Pack 1 - Support retired
Migrate the host to Windows 7 and apply all required Microsoft updates. If the host must
remain on Windows XP in the interim, at minimum apply Service Pack 3 and all subsequent
security updates.
Internet Explorer 6.0.2800.1106 Insecure Version
Upgrade the IE browser to the latest compatible version, which is 9.0.
Adobe Flash Player 10.0.22.87 Insecure Version
Upgrade to the latest Flash Player version, which is 11.2.
Adobe Reader 9.3.0.148 Insecure Version
Upgrade to the latest Adobe Reader X version, 10.1.2.
Windows Media Player 9.0.0.2980 Insecure Version
Upgrade to the latest Windows Media Player, which is version 12.0.
Apple QuickTime 6.5.1.0 Insecure Version
Upgrade to the latest QuickTime version, which is 7.7.1.


Host-Specific Recommendations
Target IP: 70.61.60.122
Port 22: Medium
Finding: The remote service offers an insecure cryptographic protocol (SSH protocol version 1).
Recommendation: Disable compatibility with version 1 of the protocol: set "Protocol 2" in
sshd_config and restart sshd. SSH-1 has known cryptographic weaknesses (session key
recovery and the CRC-32 insertion attack), so merely offering it lets an attacker force a
downgrade even when the client supports SSH-2.
Port 22: Medium
Finding: The remote service uses the default username root for authentication. A remote
user can log in directly as root over SSH.
Recommendation: Many brute-force attacks target the root username. Disable remote root
login ("PermitRootLogin no" in sshd_config) and have administrators log in as named users
and escalate with sudo or su. Before disabling root login, make sure another account with
administrative privileges exists and can log in.
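The two sshd_config checks above, as an added example written for this report rather than something R.E.J. ran or BBT supplied. The script reads an sshd_config file the way sshd does (first occurrence of a keyword wins) and reports the two port-22 findings; the three sample configurations it audits are constructed for illustration, not copies of the file on 70.61.60.122.

```shell
#!/bin/sh
# Added example, not part of the R.E.J. report: audit an sshd_config for the two
# port-22 findings on 70.61.60.122 (SSH protocol 1 offered, root login permitted).
# The sample configs below are constructed for illustration.

# sshd_get FILE KEYWORD
# Print the effective value of KEYWORD. sshd honours the FIRST occurrence of a
# keyword, so the first uncommented match wins. Assumes the "Keyword value" form
# and no Match blocks (both are simplifications of the real sshd_config grammar).
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_audit FILE
# Print one line per finding; return the number of findings (0 = hardened).
sshd_audit() {
    file="$1"
    findings=0

    proto=$(sshd_get "$file" Protocol)
    case "$proto" in
        2)   ;;                                    # SSH-2 only: what the report asks for
        "")  echo "$file: no Protocol line; set 'Protocol 2' explicitly (older sshd releases defaulted to 2,1)"
             findings=$((findings + 1)) ;;
        *1*) echo "$file: Protocol $proto still offers SSH-1; set 'Protocol 2'"
             findings=$((findings + 1)) ;;
        *)   echo "$file: unexpected Protocol value '$proto'; set 'Protocol 2'"
             findings=$((findings + 1)) ;;
    esac

    root=$(sshd_get "$file" PermitRootLogin)
    case "$root" in
        no)  ;;                                    # root must log in as a named user and escalate
        "")  echo "$file: no PermitRootLogin line; the default is 'yes', set 'PermitRootLogin no'"
             findings=$((findings + 1)) ;;
        *)   echo "$file: PermitRootLogin $root; set 'PermitRootLogin no'"
             findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Constructed sample configs: the state Nessus reported, a config that relies on
# sshd defaults, and the hardened state recommended above.
WEAK_CFG=$(mktemp); DEFAULT_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$DEFAULT_CFG" "$HARD_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# constructed: SSH-1 offered and root login allowed
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat >"$DEFAULT_CFG" <<'EOF'
# constructed: neither directive set, so sshd's own defaults apply
Port 22
PasswordAuthentication yes
EOF

cat >"$HARD_CFG" <<'EOF'
# constructed: hardened per section 3.2
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$DEFAULT_CFG" "$HARD_CFG"; do
    if sshd_audit "$cfg"; then
        echo "$cfg: OK (no findings)"
    fi
done
```

To audit the real file, call `sshd_audit /etc/ssh/sshd_config`, then reload sshd after editing. The config that sets neither directive is flagged on purpose: an absent PermitRootLogin means the default "yes", and on the OpenSSH 4.x generation this host runs an absent Protocol line cannot be trusted to mean SSH-2 only. From the tester's side, verify the fix by re-running `nmap -sV -p 22` against the host: a banner of "protocol 2.0" is what you want, while "1.99" means the server still accepts SSH-1, and an `ssh -1` connection from a client that still supports protocol 1 should be refused with "Protocol major versions differ".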

Target IP: 70.61.60.125

Port 69: Critical
Finding: The remote host has probably been compromised (TFTP backdoor detected).
Recommendation: Treat the host as compromised. Isolate it from the network, preserve it
for investigation, and rebuild it from known-good media rather than attempting to clean
it in place. TFTP is unauthenticated and should never be exposed across the Internet, so
also block UDP port 69 at the network perimeter in both directions.
Port 3389: High
Finding: The remote Windows host could allow arbitrary code execution (MS12-020).
Recommendation: Apply the Microsoft patch to vulnerable systems immediately after
appropriate testing. Block TCP port 3389 at the network perimeter. Disable the Terminal
Services, Remote Desktop, Remote Assistance and Windows Small Business Server 2003
Remote Web Workplace features if they are not required. Enable Network Level
Authentication on systems running a supported version of Windows (Windows Vista,
Windows 7, Windows Server 2008 and Windows Server 2008 R2); the Windows XP SP1
installation on this host does not support it, which is a further reason to retire it.
Port 3389: Medium
Finding: The remote host is using weak cryptography. The Terminal Services encryption
level is set to Medium (Client Compatible).
Recommendation: Raise the Terminal Services encryption level to High, or to FIPS
Compliant, on any Windows 2000 or Windows XP system with Remote Desktop enabled. This is a
configuration change (Terminal Services Configuration, or the MinEncryptionLevel registry
value for the RDP-Tcp listener), not a patch. Blocking port 3389 at the firewall also
protects against this attack.
Port 3389: Medium
Finding: It may be possible to get access to the remote host (RDP man-in-the-middle).
Recommendation: Force the use of SSL/TLS as the transport security layer for this service
if supported, and/or select the "Allow connections only from computers running Remote
Desktop with Network Level Authentication" setting if it is available. Both options
require a supported Windows version; on this Windows XP SP1 host the effective
mitigation is to restrict port 3389 to trusted sources until the operating system is
replaced.

Port 3389: Low
Finding: The remote host is not FIPS-140 compliant.
Recommendation: Set the RDP encryption level to 4 (FIPS Compliant).
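The registry values behind the three RDP-Tcp recommendations above (encryption level, transport security layer, Network Level Authentication), as an added example rather than content from the original report. The key path and value meanings are Microsoft's documented ones for the RDP-Tcp WinStation; the "weak" section is a constructed illustration of the state the Nessus findings imply, not an export from 70.61.60.125. SecurityLayer and UserAuthentication are only honoured on Windows Vista / Server 2008 and later, and the FIPS Compliant encryption level is documented for Windows Server 2003 and later, so on the Windows XP SP1 host the realistic fix remains the operating system migration recommended in 3.1.

```reg
Windows Registry Editor Version 5.00

; Added example, not an export from 70.61.60.125: RDP-Tcp listener values that
; implement the section 3.3 recommendations for port 3389.
;
; MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
; SecurityLayer:      0 = legacy RDP security, 1 = Negotiate, 2 = SSL (TLS 1.0)
; UserAuthentication: 0 = NLA not required, 1 = NLA required

; --- State implied by the Nessus findings (constructed; kept commented out) ---
; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
; "MinEncryptionLevel"=dword:00000002
; "SecurityLayer"=dword:00000000
; "UserAuthentication"=dword:00000000

; --- Hardened state ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000004
"SecurityLayer"=dword:00000002
"UserAuthentication"=dword:00000001

; If Remote Desktop is not required at all (the report's first choice for this
; port), disable the listener entirely instead:
; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
; "fDenyTSConnections"=dword:00000001
```

Import with `reg import` (or double-click in regedit) and restart the Remote Desktop Services (TermService) service or reboot for the listener to pick the values up. One caveat on the MiTM finding: TLS on the server side only defeats the attack if clients actually validate the server certificate. With the default self-signed RDP certificate every client shows a warning, and a user who clicks through it is back where the Nessus finding started, so pair this change with a certificate the clients trust.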


4.0 - Conclusion
The sections above describe several security issues that could have a devastating impact
on your company if exploited. A few of the risks are critical or severe and should be
addressed immediately; the others are less severe but should still be reviewed.
Addressing these issues should substantially improve your security posture.
That said, the integrity and confidentiality of an organization's information are
imperative to its success and survival. Policies should be put in place to maintain your
company's data integrity and security. New security flaws will continue to appear as
exploits are discovered, so your company should continue to improve its controls and
policies to address future issues.
We have enjoyed working with BBT to evaluate its information technology security. If you
have any questions or require further information, please contact any of the analysts
who worked with your company.


5.0 Penetration Testing Log

Date   | Target       | Attempt                      | Result       | Other information                              | Analyst
-------|--------------|------------------------------|--------------|------------------------------------------------|-------------
5-Apr  | 70.61.60.122 | Nessus scan                  | Host up      | 9 ports up; vulnerabilities found              | EGJ
5-Apr  | 70.61.60.123 | Nessus scan                  | Host down    | 5 ports up                                     | EGJ
5-Apr  | 70.61.60.124 | Nessus scan                  | Host down    | 6 ports up                                     | EGJ
5-Apr  | 70.61.60.125 | Nessus scan                  | Host up      | 4 ports up; vulnerabilities found              | EGJ
5-Apr  | 70.61.60.126 | Nessus scan                  | Host up      | 7 ports up; vulnerabilities found              | EGJ
5-Apr  | 70.61.60.122 | Nmap scan                    | Host up      | 9 ports up                                     | EGJ
5-Apr  | 70.61.60.123 | Nmap scan                    | Host down    | 5 ports up                                     | EGJ
5-Apr  | 70.61.60.124 | Nmap scan                    | Host down    | 6 ports up                                     | EGJ
5-Apr  | 70.61.60.125 | Nmap scan                    | Host up      | 4 ports up                                     | EGJ
5-Apr  | 70.61.60.126 | Nmap scan                    | Host up      | 7 ports up                                     | EGJ
10-Apr | 70.61.60.122 | HydraGTK brute-force attack  | Unsuccessful | Need to put together a better password list    | EGJ, JP, RG
10-Apr | 70.61.60.122 | Nessus scan                  | Host up      | 9 ports up; vulnerabilities found              | RG
10-Apr | 70.61.60.123 | Nessus scan                  | Host down    | 5 ports up                                     | RG
10-Apr | 70.61.60.124 | Nessus scan                  | Host down    | 6 ports up                                     | RG
10-Apr | 70.61.60.125 | Nessus scan                  | Host up      | 4 ports up; vulnerabilities found              | RG
10-Apr | 70.61.60.126 | Nessus scan                  | Host up      | 7 ports up; vulnerabilities found              | RG
10-Apr | 70.61.60.122 | Nmap scan                    | Host up      | 9 ports up                                     | RG
10-Apr | 70.61.60.123 | Nmap scan                    | Host down    | 5 ports up                                     | RG
10-Apr | 70.61.60.124 | Nmap scan                    | Host down    | 6 ports up                                     | RG
10-Apr | 70.61.60.125 | Nmap scan                    | Host up      | 4 ports up                                     | EGJ
10-Apr | 70.61.60.126 | Nmap scan                    | Host up      | 7 ports up                                     | EGJ
17-Apr | 70.61.60.125 | RDPKill exploit (MS12-020)   | Successful   | Can no longer connect to server                | JP
17-Apr | 70.61.60.122 | Medusa brute-force attack    | Unsuccessful | Used new password list                         | EGJ
17-Apr | 70.61.60.125 | Qualys scan                  | Successful   | 7 vulnerabilities found                        | EGJ
24-Apr | 70.61.60.122 | Cain & Abel exploit          | Unsuccessful |                                                | JP
24-Apr | 70.61.60.122 | DoS exploit (OpenSSH)        | Unsuccessful | Next steps unknown                             | JP
24-Apr | 70.61.60.122 | Nessus scan                  | Successful   | Final scan; host up; 9 ports                   | EGJ, RG
24-Apr | 70.61.60.123 | Nessus scan                  | Successful   | Final scan; host up; 5 ports                   | EGJ, RG
24-Apr | 70.61.60.124 | Nessus scan                  | Successful   | Final scan; host up; 6 ports                   | EGJ, RG
24-Apr | 70.61.60.125 | Nessus scan                  | Successful   | Final scan; host up; 4 ports                   | EGJ, RG
24-Apr | 70.61.60.126 | Nessus scan                  | Successful   | Final scan; host up; 7 ports                   | EGJ, RG
