R.E.J. INC.

Vulnerability Assessment & Penetration Test Report

Eric Gibson Jr
Joseph Pavlik
Rajani Gunda

4/26/2012
Table of Contents

1 - EXECUTIVE SUMMARY ............................................ 3
    1.1 - Project Objective ...................................... 3
    1.2 - Scope .................................................. 4
    1.3 - Target Systems ......................................... 4
    1.4 - Network Testing Methodology ............................ 5
    1.5 - Tools .................................................. 5
    1.6 - Network Diagram ........................................ 6
    1.7 - Network Diagram (DNS Resolution) ....................... 7
    1.8 - Network Vulnerability Assessment (Authenticated) ....... 8
    1.9 - Network Vulnerability Assessment (Unauthenticated) ..... 8
2 - FINDINGS ..................................................... 9
    2.1 - 70.61.60.122 ........................................... 9
        2.1.1 - Target Analysis .................................. 9
        2.1.2 - Vulnerabilities .................................. 9
    2.2 - 70.61.60.125 ........................................... 10-11
3 - RECOMMENDATIONS .............................................. 15
    3.1 - Software ............................................... 15
    3.2 - 70.61.60.122 ........................................... 16
    3.3 - 70.61.60.125 ........................................... 16-17
4 - CONCLUSION ................................................... 18
1.2 Scope

Attack Systems
    Description:
    IP Address:

Target Environment
(Include any 3rd-party systems/networks; written permission must have been obtained in advance by the target organization.)
    Description:
    IP Address(es):  70.61.60.122-126
    Scan?:           Yes

Assessment Type
    Will any part of the assessment be performed against a live production environment?  YES

Assessment Timeline
    May 1st 2012
    List any black-out dates or times:  April 3rd 2012, April 4th 2012

    Is this a black box vulnerability scan?  NO - Greybox
    If not, what are the approved login credentials for an authenticated scan?  Both (ask on April 17th); Local Admin accounts

Testing Techniques
    Ping sweep of network ranges                    YES
    Dangerous/Unsafe checks allowed                 YES
    Internal reconnaissance activities requested    YES
    External reconnaissance activities requested    YES

Governance
    What is the policy regarding viewing data (including potentially sensitive/confidential data)?  Notify of any sensitive information found.
    Will target organization personnel observe the testing team?  NO
1.4 Network Testing Methodology

    1. Conduct reconnaissance
    2. Scanning & enumeration
    3. Identify all points of access within the network infrastructure
    4. Report findings
    5. Present recommendations

The following diagram illustrates the process used for performing the network assessment:
1.5 Tools

    Activity                               Tool
    Port Scanning & Footprinting           Nmap, Netcat, google
    Web Application Enumeration
    Vulnerability Assessment               Nessus, Qualys
    Network Penetration Test               HydraGTK, Metasploit, Cain & Abel, Medusa
    Vulnerability Research & Verification  www.metasploit.com, cve.mitre.org, www.uscert.gov
1.7 Network Diagram (DNS Resolution)
2.0 - FINDINGS

2.1 Target IP: 70.61.60.122

Operating System: Linux (Backtrack)
Total Open Ports: 9

Attacks Attempted

HydraGTK: Brute force attack used to gain access to the SSH server. This program uses a password list to guess the username and password and tries the combinations one by one to gain access to the machine. Our attempts were unsuccessful.

Medusa: Another brute force attack used to gain access to the SSH server. This program also uses a password list to guess the username and password and tries the combinations one by one to gain access to the machine. Our attempts were unsuccessful.

DoS Attack: We were able to find a Denial of Service exploit that coincided with the version of OpenSSH this server was running. This exploit was called "OpenSSH <= 4.3 p1 (Duplicate Block) Remote Denial of Service Exploit". Our attempts were questionable. We received an IP cookie but were unclear of the next steps.
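The two dictionary attacks above leave a distinctive trace in the SSH server's own log: a burst of "Failed password" lines from one source address, often against root. The following script is an added example (it is not part of the report and was not written by the R.E.J. team) showing how a defender can pick such bursts out of OpenSSH syslog output. It assumes the standard OpenSSH log format written to /var/log/auth.log; the sample lines, the addresses and the fixed year are constructed for the demo.

```python
"""Flag SSH password-guessing sources in OpenSSH log lines.

Added example, not part of the original report. Assumes the standard
OpenSSH syslog format ("Failed password for [invalid user] USER from IP
port N ssh2"); the sample lines below are constructed and do not come
from the assessed hosts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): one source hammering root and
# admin within a few seconds, and one legitimate user who mistyped once.
SAMPLE_LOG = """\
Apr 10 14:02:01 host sshd[2011]: Failed password for root from 198.51.100.7 port 50214 ssh2
Apr 10 14:02:02 host sshd[2012]: Failed password for root from 198.51.100.7 port 50215 ssh2
Apr 10 14:02:02 host sshd[2013]: Failed password for invalid user admin from 198.51.100.7 port 50216 ssh2
Apr 10 14:02:03 host sshd[2014]: Failed password for root from 198.51.100.7 port 50217 ssh2
Apr 10 14:02:04 host sshd[2015]: Failed password for root from 198.51.100.7 port 50218 ssh2
Apr 10 14:02:05 host sshd[2016]: Failed password for root from 198.51.100.7 port 50219 ssh2
Apr 10 14:09:30 host sshd[2031]: Failed password for alice from 203.0.113.5 port 41000 ssh2
Apr 10 14:09:41 host sshd[2032]: Accepted password for alice from 203.0.113.5 port 41001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Syslog timestamps carry no year; a fixed year is assumed here, which is
# adequate as long as the analysed window does not cross a year boundary.
ASSUMED_YEAR = 2012


def parse_failed_logins(log_text):
    """Return {source_ip: [(timestamp, username), ...]} for failed password attempts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, key auth, unrelated daemons
        ts = datetime.strptime(
            f"{m['month']} {m['day']} {m['time']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"
        )
        events[m["ip"]].append((ts, m["user"]))
    return events


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: summary} for every source with at least `threshold`
    failed password attempts inside any `window_seconds` interval."""
    flagged = {}
    for ip, attempts in parse_failed_logins(log_text).items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, j = 0, 0
        for i in range(len(times)):  # two-pointer sliding window over sorted timestamps
            j = max(j, i)
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i + 1)
        if peak >= threshold:
            users = sorted({u for _, u in attempts})
            flagged[ip] = {
                "failed_attempts": len(attempts),
                "peak_in_window": peak,
                "usernames": users,
                "root_targeted": "root" in users,  # ties in with the root-login finding below
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold and window are deliberately loose defaults; a single user who mistypes a password is never flagged, while a wordlist run at one guess per second trips the check within seconds. Tools such as fail2ban implement the same idea as a blocking rule; this script only reports.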
Vulnerabilities

Port 22

Port 22
    Synopsis: The remote service uses the default username for authentication.
    Description: The remote service utilizes the default username root for authentication. A remote user can log in as the root user to the SSH server.
    Risk Factor: Medium
2.2 Target IP: 70.61.60.125

Attacks Attempted

MS12-020:

Vulnerabilities

Port 69

Port 3389

Port 3389
    ... can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.
    Risk Factor: Medium

Port 3389

Port 3389
Vulnerabilities

N/A

Vulnerabilities

N/A

Attacks Attempted

VNC: At one point during our reconnaissance, we found that a port running VNC was open. However, after returning to the server we could not get consistent Nmap scans because the server appeared to go down several times. We need to investigate further at a future time to establish which VNC service was running. We have several exploits waiting to run pending more information.

Vulnerabilities

N/A
3.0 - RECOMMENDATIONS

Software Recommendations

During target analysis of host 70.61.60.126, a number of applications were found that pose a risk to the machine and could make it possible for an attacker to compromise the host via the insecure application. Below is a list of the insecure applications, complete with recommendations on how to resolve each issue.

    Windows Firewall Disabled
        Enable the Windows firewall on the host machine.
    Windows XP Professional Service Pack 1 - Support retired
        Install Windows 7 and perform all MS required updates.
    Internet Explorer 6.0.2800.1106 Insecure Version
        Upgrade the IE browser to the latest compatible version, which is 9.0.
    Adobe Flash Player 10.0.22.87 Insecure Version
        Upgrade to the latest Flash Player version, which is 11.2.
    Adobe Reader 9.3.0.148 Insecure Version
        Upgrade to the latest Adobe Reader X version, 10.1.2.
    Windows Media Player 9.0.0.2980 Insecure Version
        Upgrade to the latest Windows Media Player, which is version 12.0.
    Apple QuickTime 6.5.1.0 Insecure Version
        Upgrade to the latest QuickTime version, which is 7.7.1.
Host-Specific Recommendations

Target IP: 70.61.60.122

Port 22: Medium
    Attack: The remote service offers an insecure cryptographic protocol.
    Recommendation: Disable compatibility with version 1 of the protocol.

Port 22: Medium
    Attack: The remote service utilizes the default username root for authentication. A remote user can log in as the root user to the SSH server.
    Recommendation: Many brute force attacks use the root username to try to gain access to the target host machine. Disable remote login as the root user. Before disabling this option, you may want to set up another account with root privileges.
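Both port-22 recommendations map to two lines in the OpenSSH server configuration (sshd_config): "Protocol 2" removes version 1 compatibility and "PermitRootLogin no" blocks remote root login. The script below is an added example, not part of the report and not code from the R.E.J. team, that parses sshd_config syntax (one "Keyword value" or "Keyword=value" per line, "#" comments, case-insensitive keywords, first occurrence wins) and reports which of the two recommendations is still outstanding. The weak and hardened configurations are constructed for the demo.

```python
"""Check an OpenSSH sshd_config for the two port-22 findings in section 3.2:
SSH protocol version 1 still enabled and remote root login permitted.

Added example, not part of the original report. Both configurations below
are constructed for the demo.
"""

# Constructed: a server with both weaknesses present.
WEAK_CONFIG = """\
# sshd_config (weak)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the same server after applying the recommendations.
HARDENED_CONFIG = """\
# sshd_config (hardened)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global settings.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored. Parsing stops at the first Match block: settings inside it are
    conditional and cannot be judged without knowing the matching criteria.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)  # "Keyword=value" form
        if len(parts) != 2:
            continue
        key = parts[0].rstrip("=").strip().lower()   # tolerate "Keyword= value"
        value = parts[1].strip().lstrip("=").strip()  # tolerate "Keyword =value"
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return the list of section 3.2 recommendations that are not yet
    applied; an empty list means the configuration passes both checks."""
    settings = parse_sshd_config(text)
    findings = []

    protocol = settings.get("protocol")
    if protocol is None:
        findings.append("Protocol is not set explicitly; set 'Protocol 2' so version 1 cannot be negotiated")
    elif "1" in [v.strip() for v in protocol.split(",")]:
        findings.append(f"Protocol {protocol}: SSH version 1 is enabled; change to 'Protocol 2'")

    root_login = settings.get("permitrootlogin")
    if root_login is None:
        findings.append("PermitRootLogin is not set; OpenSSH releases before 7.0 default to 'yes', so set it to 'no'")
    elif root_login.lower() != "no":
        # 'without-password' still allows key-based root login, so only 'no'
        # satisfies the recommendation to disable remote root login entirely.
        findings.append(f"PermitRootLogin {root_login}: remote root login is still possible; change to 'no'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

Run it against a copy of /etc/ssh/sshd_config to confirm the change took effect, and restart sshd afterwards, since the daemon only reads the file at start-up. Creating the replacement administrative account mentioned in the recommendation before setting PermitRootLogin to no avoids locking yourself out.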
4.0 - Conclusion

Outlined above are several security issues that could have devastating impacts on your company if exploited. A few of the risks are critical and severe; these should be addressed in a timely manner. Other risks are not as severe but should be looked into nonetheless. If the issues are confronted, your company should see a substantial increase in security.

That said, an organization's information and its confidentiality are imperative to its success and survival. Several policies should be put into place to maintain your company's data integrity and security. Security flaws will continue to develop as exploits are discovered. With this in mind, your company should continue to make improvements and policies to address future issues.

We have enjoyed working with BBT to evaluate your information technology security. If there should be any questions or you require further information, please contact any of the agents that worked with your company.
Target         Date    Attempt                      Result         Analyst       Other Information
70.61.60.122                                        Host Up        EGJ           9 Ports up, Vulnerabilities found
70.61.60.123                                        Host Down      EGJ           5 Ports up
70.61.60.124                                        Host Down      EGJ           6 Ports up
70.61.60.125                                        Host Up        EGJ           4 Ports up, Vulnerabilities found
70.61.60.126                                        Host Up        EGJ           7 Ports up, Vulnerabilities found
70.61.60.122                                        Host Up        EGJ           9 Ports up
70.61.60.123                                        Host Down      EGJ           5 Ports up
70.61.60.124                                        Host Down      EGJ           6 Ports up
70.61.60.125                                        Host Up        EGJ           4 Ports up
70.61.60.126                                        Host Up        EGJ           7 Ports up
70.61.60.122   10-Apr  HydraGTK Brute Force Attack  Unsuccessful   EGJ           Need to put together a better password list file
70.61.60.122                                        Host Up        EGJ, JP, RG   9 Ports up, Vulnerabilities found
70.61.60.123                                        Host Down      RG            5 Ports up
70.61.60.124                                        Host Down      RG            6 Ports up
70.61.60.125                                        Host Up        RG            4 Ports up, Vulnerabilities found
70.61.60.126                                        Host Up        RG            7 Ports up, Vulnerabilities found
70.61.60.122                                        Host Up        RG            9 Ports up
70.61.60.123                                        Host Down      RG            5 Ports up
70.61.60.124                                        Host Down      RG            6 Ports up
70.61.60.125                                        Host Up        EGJ           4 Ports up
70.61.60.126                                        Host Up        EGJ           7 Ports up
70.61.60.122                                        Successful     JP            Can no longer connect to server
70.61.60.122   17-Apr  Medusa Brute Force Attack    Unsuccessful                 Used new password list
70.61.60.125                                        Successful     EGJ           7 Vulnerabilities found
70.61.60.125                                        Successful     EGJ
70.61.60.122                                        Unsuccessful   JP
70.61.60.122                                        Unsuccessful   JP            Next steps unknown
70.61.60.122           Final scan up                Successful     EGJ, RG       9 ports
70.61.60.123           Final scan up                Successful     EGJ, RG       5 ports
70.61.60.124           Final scan up                Successful     EGJ, RG       6 ports
70.61.60.125           Final scan up                Successful     EGJ, RG       4 ports
70.61.60.126           Final scan up                Successful     EGJ, RG       7 ports