Reconnaissance Report
Honeywell
V 2.0
July 25, 2016
This report was created for educational purposes and is entirely fictional. The
systems herein have been created and maintained by this team in a virtual
environment. All information in this document is confidential and may not be
disclosed to unauthorized personnel.
StarDotStar 2
Document Properties
Title Reconnaissance Report Honeywell
Version 2.0
Classification Confidential
Version Control
Version | Date | Author | Description
Executive Summary
asdf
Contents
1.2 Objective ... 8
1.3 Timeline ... 8
1.4 Summary of Findings ... 9
2. Recon Lab 1 ... 10
2.1 Summary of Findings ... 10
2.2 Recommendations ... 10
2.3 Detail of Findings ... 10
3. Recon Lab 2 ... 12
3.1 Summary of Findings ... 12
3.2 Recommendations ... 12
3.3 Detail of Findings ... 13
4. Recon Lab 3 ... 15
4.1 Summary of Findings ... 15
4.2 Recommendations ... 15
4.3 Detail of Findings ... 15
5. Scanning Lab 1 ... 18
5.1 Summary of Findings ... 18
5.2 Recommendations ... 18
5.3 Detail of Findings ... 18
6. Scanning Lab 2 ... 22
6.1 Summary of Findings ... 22
6.2 Recommendation ... 22
6.3 Detail of Findings ... 22
7. Penetration Lab ... 25
7.1 Summary of Findings ... 25
7.2 Recommendation ... 25
7.3 Detail of Findings ... 25
7.3.1 Windows XP ... 25
7.3.2 Windows Server 2003 ... 27
7.3.3 Ubuntu (pWnOS) ... 29
1.2 Objective
1.3 Timeline
Recon
o Company email addresses
o Employee personal information
  - Position
  - Address
  - Phone number
  - Salary
o Physical facility locations and security
o IP address ranges and domains owned
o Website setup
  - Languages
  - Frameworks
  - Software
o Social media accounts:
  - Facebook
  - LinkedIn
o Confidential documents
  - Letters
  - Spreadsheets
2. Recon Lab 1
We identified the software running on the Honeywell web servers, the frameworks in use, the net ranges, and other services hosted by Honeywell. We also found a handful of confidential documents containing personal information for employees and executives.
2.2 Recommendations
Update all IIS 7.5 servers to 8.0. Search for and remove any potentially harmful documents posted publicly.
1. What is the name of the organization you chose? What do they do?
a. Honeywell Aerospace is a company that develops and sells
aerospace technology for commercial and military use.
2. What operating systems do they use on their web server? Why?
a. Most of their web servers are running Windows, which we can tell from the fact that they are using IIS, which shows in their response headers.
3. What web server are they using (Apache, IIS, etc.)? What version is
it?
a. IIS version 7.5 & 8.0.
4. Does it appear they are hosting their own web server?
a. Yes, they own their own net range and have a large selection of
servers.
5. What programming languages are used on the site?
a. HTML, CSS, JavaScript, jQuery
6. What are the networks in use by the organization? List Ranges?
a. 129.30.0.0/16
7. Does it appear they are hosting any other services from their network
ranges? (Do Not Scan network segments)
a. Yes, Shodan told us they have their own DNS servers, as well as
IKE (Internet Key Exchange) VPN servers.
3. Recon Lab 2
3.1 Summary of Findings
3.2 Recommendations
Search for and remove confidential files posted publicly on the internet. Educate employees about the risks of using their company email for non-company activities, such as at conferences.
a. The list of emails from the attendance list and letter helped us
immensely.
6. Does your target company have any associations with other companies, e.g. partners?
a. Honeywell has dozens of other areas of business, including
appliances, housing, and technology.
7. Enumerate your target's domain name. Document all additional IP addresses that you have discovered (add them to your current list).
a. See Appendix C for DNS enumeration results.
8. Use Maltego to search your company's domain, e-mail, social media, etc.
a. See Appendix B for some of the information we pulled from
Maltego.
9. Create a visual map of your selected target's discovered systems. Identify network address ranges, possible target systems and their purpose, routers, switches, etc. Is this their DMZ?
10. Document your advanced Google search strings and their results.
a. Here are some of our searches:
i. inurl:@honeywell.com filetype:xls (gave us the attendance list)
ii. intext:Tim Mahoney intext:Confidentual (gave us the letter)
iii. site:honeywell.com (helped start DNS enumeration)
iv. intext:carey.smith@honeywell.com (gave us another attendance spreadsheet)
4. Recon Lab 3
4.2 Recommendations
Upgrade the wireless router for better encryption, and ensure employees understand the risk of connecting to open wireless networks.
i. No
e. Web Cams?
i. Shodan returned no results.
f. Digital dumpster diving.
i. Several dumpsters around the back near the fence, which
is only a couple feet high.
g. How does the typical employee dress? Dress code?
i. Some business casual, workers in jeans with hard hats.
5. Scanning Lab 1
5.2 Recommendations
5.3.2 Port scan the hosts on your network range with Nmap. If you have more than 10 hosts, only provide the results of the 10 with the most ports open.
a. We used the command nmap -sS -iL networkhosts.txt with the text file containing the hosts from the ping sweep. This scan uses partial TCP handshakes to determine which ports on those hosts are open (the ones that answer the SYN packet with SYN/ACK), which were possibly filtered by a firewall (no response), and which were closed (answered with an RST packet). In addition to this command, more targeted scans were performed with nmap -sS -T2 172.16.112.20,25 -v (TCP port scan) and nmap -sU -T2 172.16.112.20,25 -v (UDP port scan).
5.3.4 Use Nmap to sweep your network for systems running web servers on port 80 and port 443.
a. Using the command nmap -sS -T2 -iL networkhosts.txt -p80,443 we scanned all the hosts on ports 80 and 443 to discover which hosts were running web services on the default ports.
5.3.5 Run a scan on a host and tell Nmap to display the reason it finds the port in the state it does.
a. Adding double verbosity to the command gives the reason for each state; --reason after the host/range address also works and improves the output regarding open ports; example: nmap -sS -sU -T2 172.16.112.20,25 --reason
b. No response from a port indicates the presence of a firewall (Nmap reports such ports as filtered).
5.3.8 Port scan on a host for open ports 1 through 500 with
Netcat. Yes, Netcat. When do you think you might use Netcat vs
Nmap?
a. nc -z -v 172.16.112.20 1-500 attempts a TCP handshake with each of the given ports, in this case 1 through 500.
i. Netcat is used to create a connection and move data
across that connection.
ii. Nmap is used to map networks and scan address
ranges and ports.
5.3.13 Take a couple of the hosts from your network and put them in a plain text file. Put the IP addresses in the file so there is only one per line. Name this file networkhosts.txt. Use Nmap with the appropriate command line argument to import this file and scan the contents.
a. nmap -sS -sU -iL networkhosts.txt
i. -iL reads the list of target hosts from the given file.
b. We utilized this technique in an earlier portion of this section (see 5.3.2).
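A helper for the 5.3.2 requirement of reporting only the 10 hosts with the most open ports, added here as an example and not part of the original lab work: it parses Nmap grepable output (the -oG format, which the lab did not use but which Nmap writes alongside normal output), ranks hosts by open-port count, and lists hosts whose unlisted ports were ignored as "filtered", i.e. the no-response case that 5.3.5 attributes to a firewall. The scan text and addresses below are constructed for the example.

```python
"""Rank hosts from an Nmap grepable (-oG) scan by open-port count.

Added example; the scan text below is constructed, not the lab's real
output.  Produce a real input with:
    nmap -sS -iL networkhosts.txt -oG scan.gnmap
and pass the file path on the command line.
"""
import re
import sys

# Constructed -oG output: each host gets a "Status" line and a "Ports" line.
# Port entries are port/state/protocol/owner/service/rpc-info/version.
SAMPLE_GNMAP = """\
# Nmap 7.01 scan initiated (date placeholder) as: nmap -sS -iL networkhosts.txt -oG scan.gnmap
Host: 172.16.112.1 ()\tStatus: Up
Host: 172.16.112.1 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)
Host: 172.16.112.20 ()\tStatus: Up
Host: 172.16.112.20 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (994)
Host: 172.16.112.25 ()\tStatus: Up
Host: 172.16.112.25 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (995)
Host: 172.16.112.30 ()\tStatus: Up
Host: 172.16.112.30 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (998)
# Nmap done (date placeholder) -- 4 IP addresses (4 hosts up) scanned
"""

IGNORED_RE = re.compile(r"Ignored State: (\S+) \((\d+)\)")


def parse_gnmap(text):
    """Return {ip: {"open": [...], "filtered": [...], "other": [...], "ignored": (state, n)}}.

    Each port tuple is (port, protocol, service, state).  "other" collects
    states that -oG lists explicitly but that are neither open nor filtered
    (closed, open|filtered from UDP scans, ...).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, {"open": [], "filtered": [], "other": [], "ignored": None})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/", 6)
                    if len(parts) < 5:
                        continue  # malformed entry: skip it rather than crash
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    bucket = state if state in ("open", "filtered") else "other"
                    host[bucket].append((port, proto, service, state))
            elif field.startswith("Ignored State:"):
                m = IGNORED_RE.search(field)
                if m:
                    host["ignored"] = (m.group(1), int(m.group(2)))
    return hosts


def top_hosts(hosts, n=10):
    """Hosts with the most open ports first; ties broken by address string."""
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]["open"]), kv[0]))
    return [(ip, len(h["open"])) for ip, h in ranked[:n]]


def likely_firewalled(hosts):
    """Hosts that gave no response on some ports, either listed explicitly as
    filtered or with the bulk of their ports ignored in the filtered state."""
    return sorted(
        ip for ip, h in hosts.items()
        if h["filtered"] or (h["ignored"] and h["ignored"][0] == "filtered")
    )


def main(text):
    hosts = parse_gnmap(text)
    for ip, count in top_hosts(hosts):
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc, _ in hosts[ip]["open"])
        print(f"{ip:<16} {count:>3} open  [{ports}]")
    print("no-response ports (firewall likely):", ", ".join(likely_firewalled(hosts)) or "none")


if __name__ == "__main__":
    main(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP)
```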
6. Scanning Lab 2
6.2 Recommendation
6.3.2 Fire up one of your vulnerable VMs (target) that you have
been working with so you can scan it.
a. VMs are up and ready to scan.
6.3.3 Enter the IP address of the target system into Nessus and scan it.
a. The first scan was performed against the whole range, 172.16.112.0/24, using the Basic Network Scan. It immediately started populating the Hosts section with results; it appears that Nessus does host discovery on its own
6.3.4 Scan the IP address of the target system again using the
new MyPolicy that you created.
a. We scanned specific addresses the second time using MyPolicy: 172.16.112.20 and 172.16.112.25 (WINVUL and the 2003 Server, respectively).
6.3.5 Do you see any items you suspect as false positives? Why do
you believe them to be false?
a. There are several items that only appear in either Nessus or OpenVAS:
i. MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
ii. Web Application Potentially Vulnerable to Clickjacking
iii. Web Server Transmits Clear-text Credentials
b. These are the most likely false-positive candidates; however, several of them are easily validated. The clear-text credentials finding, for example, is due to the site using unencrypted HTTP. The clickjacking finding is probably due to the many web vulnerabilities that show up, including XSS and SQLi. However, the RPC vulnerability only turned up in OpenVAS and is therefore the most suspect of being a false positive. Further testing, such as exploitation, is required to determine accuracy.
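The single-scanner check described above, written up as an added example rather than the team's own tooling: it parses findings out of the OpenVAS text-report layout that Appendix E uses ("Issue / ----- / NVT: ... / Threat: ... / CVE: ...") and splits them into findings a second scanner also reported (matched by CVE) and findings that only one tool produced or that carry no CVE at all, which are the ones to validate by hand. The report excerpt reuses NVT names, OIDs and CVEs from Appendix E but is constructed, and the Nessus CVE set is a placeholder, not real Nessus output.

```python
"""Cross-check OpenVAS text-report findings against a second scanner's CVE list.

Added example for the false-positive question in 6.3.5 (not the report's
own code).  SAMPLE_REPORT is a constructed excerpt in the Appendix E layout;
NESSUS_CVES stands in for the CVEs a Nessus scan of the same host reported.
"""
import re

SAMPLE_REPORT = """\
Host 172.16.112.20
******************
Issue
-----
NVT: Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468)
OID: 1.3.6.1.4.1.25623.1.0.902269
Threat: High (CVSS: 10.0)
Port: 445/tcp
Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS10-012.
References:
CVE: CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231
Issue
-----
NVT: http TRACE XSS attack
OID: 1.3.6.1.4.1.25623.1.0.11213
Threat: Medium (CVSS: 5.8)
Port: 80/tcp
Solution:
Disable these methods.
References:
CVE: CVE-2004-2320, CVE-2003-1567
Issue
-----
NVT: IIS Service Pack - 404
OID: 1.3.6.1.4.1.25623.1.0.11874
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Solution:
Caveat: This test guesses the patch level from the IIS 404 Content-Length.
Issue
-----
NVT: ICMP Timestamp Detection
OID: 1.3.6.1.4.1.25623.1.0.103190
Threat: Log (CVSS: 0.0)
Port: general/icmp
References:
CVE: CVE-1999-0524
"""

# Placeholder for the CVEs the other scanner reported on the same host.
NESSUS_CVES = {"CVE-2010-0020", "CVE-2004-2320", "CVE-1999-0524"}

ISSUE_SEP = re.compile(r"^Issue\n-----\n", re.M)
THREAT_RE = re.compile(r"(\w+) \(CVSS: ([\d.]+)\)")
WANTED = ("NVT", "OID", "Threat", "Port", "CVE")


def parse_openvas_text(report):
    """Parse each Issue block into name/oid/threat/cvss/port/cves."""
    findings = []
    for block in ISSUE_SEP.split(report)[1:]:  # [0] is the host header
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in WANTED and key not in fields:  # first occurrence wins
                fields[key] = value.strip()
        m = THREAT_RE.search(fields.get("Threat", ""))
        cves = sorted(c for c in re.split(r"[,\s]+", fields.get("CVE", ""))
                      if c.startswith("CVE-"))
        findings.append({
            "name": fields.get("NVT", "?"),
            "oid": fields.get("OID"),
            "threat": m.group(1) if m else "?",
            "cvss": float(m.group(2)) if m else 0.0,
            "port": fields.get("Port"),
            "cves": cves,
        })
    return findings


def triage(findings, other_scanner_cves, min_cvss=0.0):
    """Return {"corroborated": [names], "verify": [names]}, highest CVSS first.

    A finding is corroborated when the other scanner reported at least one of
    its CVEs; anything else (single-scanner, or no CVE to correlate on) goes
    to "verify" for manual validation.  min_cvss drops Log-level noise.
    """
    result = {"corroborated": [], "verify": []}
    for f in sorted(findings, key=lambda f: -f["cvss"]):
        if f["cvss"] < min_cvss:
            continue
        matched = set(f["cves"]) & set(other_scanner_cves)
        result["corroborated" if matched else "verify"].append(f["name"])
    return result


if __name__ == "__main__":
    for bucket, names in triage(parse_openvas_text(SAMPLE_REPORT), NESSUS_CVES, 1.0).items():
        print(f"{bucket}:")
        for name in names:
            print(f"  - {name}")
```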
7. Penetration Lab
We found several remote, web, and client-side attacks against two Windows computers on the company network. Using these, we were able to view sensitive information such as password hashes and database entries, as well as install a Python backdoor on the network. These could result in loss of sensitive information and/or business operations. See Appendix F for the discovered sensitive information.
7.2 Recommendation
7.3.1 Windows XP
a. IP: 172.16.112.20
i. CVE-2008-4250
1. Severity: HIGH
2. This vulnerability allows remote code execution via a crafted RPC request to the SMB (NetBIOS) service running on port 445. Worse, successful exploitation grants full SYSTEM access.
3. Microsoft has released a patch for the
vulnerability. It is recommended to patch to the
latest version of XP. If that is not possible,
iv. CVE-2006-0003
1. Severity: MEDIUM
2. This vulnerability in Internet Explorer is triggered when the user visits an attacker's specially crafted web server, which then exploits a vulnerability in an ActiveX data object.
3. Microsoft has released a patch for the
vulnerability. It is recommended to patch to the
latest version of XP.
One of the files uploaded was a backdoor that we wrote. It was written in Python 2.7, performs a reverse connection to our attack platform, and provides access to the system whenever wanted. The source code of this script is included in the zip file with this report.
Name: pythonBD.py (Note: the entire code is commented out to negate risk during code review.)
7.4.2 SQLMap
7.4.4 Hashcat
7.4.5 Hydra
While we did not get any results, we used Hydra to test for weak credentials in SMTP on the Ubuntu (Hackerdemia) box. We did this using the users leaked by the SMTP service.
Appendix A
www.peekyou.com
www.411.com
www.spokeo.com
www.rehold.com
www.whitepages.com
http://people.equilar.com/
Tools used
Recon-ng
Maltego
Burp Suite
dnsenum.pl
Python
Bash
Appendix B
James Mcqueeney  james.mcqueeney@honeywell.com
Samantha Tiger  samantha.tiger@honeywell.com
Naseeba Ali  naseeba.ali@honeywell.com
Appendix C
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
#
https://whois.arin.net/rest/nets;q=199.64.218.61?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
OrgAbuseHandle: ABUSE106-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-480-592-1137
OrgAbuseEmail: abuse@honeywell.com
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE106-ARIN
OrgNOCHandle: CERF-HM-ARIN
OrgNOCName: AT&T Enhanced Network Services
OrgNOCPhone: +1-858-812-5000
OrgNOCEmail: notify@attens.com
OrgNOCRef: https://whois.arin.net/rest/poc/CERF-HM-ARIN
OrgTechHandle: RTE57-ARIN
OrgTechName: Eddings, Roth T
OrgTechPhone: +1-480-287-4158
OrgTechEmail: roth.eddings@honeywell.com
OrgTechRef: https://whois.arin.net/rest/poc/RTE57-ARIN
OrgTechHandle: DGW24-ARIN
OrgTechName: welch, douglas grant
OrgTechPhone: +1-602-436-0406
OrgTechEmail: douglas.welch@honeywell.com
OrgTechRef: https://whois.arin.net/rest/poc/DGW24-ARIN
OrgTechHandle: CV136-ARIN
OrgTechName: Vaughan, Cliff
OrgTechPhone: +1-480-592-5125
OrgTechEmail: clifford.vaughan@honeywell.com
OrgTechRef: https://whois.arin.net/rest/poc/CV136-ARIN
RTechHandle: CV136-ARIN
RTechName: Vaughan, Cliff
RTechPhone: +1-480-592-5125
RTechEmail: clifford.vaughan@honeywell.com
RTechRef: https://whois.arin.net/rest/poc/CV136-ARIN
RNOCHandle: CV136-ARIN
RNOCName: Vaughan, Cliff
RNOCPhone: +1-480-592-5125
RNOCEmail: clifford.vaughan@honeywell.com
RNOCRef: https://whois.arin.net/rest/poc/CV136-ARIN
RAbuseHandle: ABUSE106-ARIN
RAbuseName: Abuse
RAbusePhone: +1-480-592-1137
RAbuseEmail: abuse@honeywell.com
RAbuseRef: https://whois.arin.net/rest/poc/ABUSE106-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
Appendix D
Ping Sweep Results (From Section 5.3.1):
Appendix E
Nessus MyPolicy.txt
I Summary
=========
All dates are displayed using the timezone "Coordinated Universal Time",
which is abbreviated "UTC".
Overrides are on. When a result has an override, this report uses the
threat of the override.
This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level "Debug" are not shown.
Issues with the threat level "False Positive" are not shown.
Host Summary
************
Host 172.16.112.20
******************
Scanning of this host started at: Wed Jun 22 07:33:44 2016 UTC
Number of results: 46
Issue
-----
NVT: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote
OID: 1.3.6.1.4.1.25623.1.0.900233
Threat: High (CVSS: 10.0)
Port: 445/tcp
Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS09-001.
Impact:
Successful exploitation could allow remote unauthenticated attackers
to cause denying the service by sending a specially crafted network message
to a system running the server service.
Impact Level: System/Network
Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Affected Software/OS:
Microsoft Windows 2K Service Pack 4 and prior.
Microsoft Windows XP Service Pack 3 and prior.
Microsoft Windows 2003 Service Pack 2 and prior.
Vulnerability Insight:
The issue is due to the way Server Message Block (SMB) Protocol software
References:
CVE: CVE-2008-4114, CVE-2008-4834, CVE-2008-4835
BID: 31179
Other:
http://www.milw0rm.com/exploits/6463
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Issue
-----
NVT: Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468)
OID: 1.3.6.1.4.1.25623.1.0.902269
Threat: High (CVSS: 10.0)
Port: 445/tcp
Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS10-012.
Impact:
Successful exploitation will allow remote attackers to execute arbitrary
code or cause a denial of service or bypass the authentication mechanism
via brute force technique.
Impact Level: System/Application
Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx
Affected Software/OS:
Microsoft Windows 7
Microsoft Windows 2000 Service Pack and prior
Microsoft Windows XP Service Pack 3 and prior
Microsoft Windows Vista Service Pack 2 and prior
Microsoft Windows Server 2003 Service Pack 2 and prior
Microsoft Windows Server 2008 Service Pack 2 and prior
Vulnerability Insight:
- An input validation error exists while processing SMB requests and can
be exploited to cause a buffer overflow via a specially crafted SMB packet.
- An error exists in the SMB implementation while parsing SMB packets during
the Negotiate phase causing memory corruption via a specially crafted SMB
packet.
- NULL pointer dereference error exists in SMB while verifying the 'share'
and 'servername' fields in SMB packets causing denial of service.
- A lack of cryptographic entropy when the SMB server generates challenges
during SMB NTLM authentication and can be exploited to bypass the
authentication mechanism.
References:
CVE: CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231
CERT: DFN-CERT-2010-0192
Other:
http://secunia.com/advisories/38510/
http://support.microsoft.com/kb/971468
http://www.vupen.com/english/advisories/2010/0345
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx
Issue
-----
NVT: Microsoft Security Bulletin MS07-040
OID: 1.3.6.1.4.1.25623.1.0.101005
Threat: High (CVSS: 9.3)
Port: 80/tcp
Summary:
Microsoft .NET is affected by multiples criticals vulnerabilities.
Two of these vulnerabilities could allow remote code execution on client systems with .NET Framework installed,
and one could allow information disclosure on Web servers running ASP.NET.
Solution:
Microsoft has released an update to correct this issue,
you can download it from the following web site:
http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
References:
CVE: CVE-2007-0041, CVE-2007-0042, CVE-2007-0043
Issue
-----
NVT: Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.900711
Threat: High (CVSS: 7.6)
Port: 80/tcp
Summary:
The host is running Microsoft IIS Webserver with WebDAV Module and
is prone to remote authentication bypass vulnerability.
Impact:
Successful exploitation will let the attacker craft malicious UNICODE characters
and send it over the context of IIS Webserver where WebDAV is enabled. As a
result due to lack of security implementation check it will let the user fetch
password protected directories without any valid authentications.
Impact Level: Application
Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx
Affected Software/OS:
Microsoft Internet Information Services version 5.0 to 6.0
Workaround:
Disable WebDAV or Upgrade to Microsoft IIS 7.0
http://www.microsoft.com/technet/security/advisory/971492.mspx
Vulnerability Insight:
Due to the wrong implementation of UNICODE characters support (WebDAV extension)
for Microsoft IIS Server which fails to decode the requested URL properly.
Unicode character checks are being done after IIS Server internal security
check, which lets the attacker execute any crafted UNICODE character in the
HTTP requests to get information on any password protected directories without
any authentication schema.
References:
CVE: CVE-2009-1535
BID: 34993
Other:
http://view.samurajdata.se/psview.php?id=023287d6&page=2
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
http://downloads.securityfocus.com/vulnerabilities/exploits/34993.rb
http://downloads.securityfocus.com/vulnerabilities/exploits/34993.txt
Issue
-----
NVT: Microsoft Windows SMTP Server DNS spoofing vulnerability
OID: 1.3.6.1.4.1.25623.1.0.100624
Threat: Medium (CVSS: 6.4)
Port: 25/tcp
Summary:
The Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server is
prone to a DNS spoofing vulnerability.
Successfully exploiting this issue allows remote attackers to spoof
DNS replies, allowing them to redirect network traffic and to launch
man-in-the-middle attacks.
Solution:
This issue is reported to be patched in Microsoft security advisory
MS10-024
please see the references for more information.
References:
CVE: CVE-2010-1690, CVE-2010-1689
BID: 39910, 39908
Other:
http://www.securityfocus.com/bid/39910
http://www.securityfocus.com/bid/39908
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0058.html
http://www.microsoft.com
http://www.coresecurity.com/content/CORE-2010-0424-windows-stmp-dns-query-id-bugs
http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx
Issue
-----
NVT: http TRACE XSS attack
OID: 1.3.6.1.4.1.25623.1.0.11213
Threat: Medium (CVSS: 5.8)
Port: 80/tcp
Summary:
Debugging functions are enabled on the remote HTTP server.
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.
Solution:
Disable these methods.
References:
CVE: CVE-2004-2320, CVE-2003-1567
BID: 9506, 9561, 11604
CERT: CB-K14/0981, DFN-CERT-2014-1018
Other:
http://www.kb.cert.org/vuls/id/867593
Issue
-----
NVT: Microsoft Windows SMTP Server MX Record Denial of Service Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.100596
Threat: Medium (CVSS: 5.0)
Port: 25/tcp
Summary:
The Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server is
prone to a denial-of-service vulnerability and to to an information-disclosure vulnerability.
Successful exploits of the denial-of-service vulnerability will cause the
affected SMTP server to stop responding, denying service to legitimate users.
Attackers can exploit the information-disclosure issue to gain access to
sensitive information. Any information obtained may lead to further attacks.
Solution:
Microsoft released fixes to address this issue. Please see the
references for more information.
References:
CVE: CVE-2010-0024, CVE-2010-0025
BID: 39308, 39381
CERT: DFN-CERT-2010-0523
Other:
http://www.securityfocus.com/bid/39308
http://www.securityfocus.com/bid/39381
http://www.microsoft.com
http://support.avaya.com/css/P8/documents/100079218
http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx
Issue
-----
NVT: Microsoft Security Bulletin MS06-033
OID: 1.3.6.1.4.1.25623.1.0.101009
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Summary:
This Information Disclosure vulnerability could allow an attacker to bypass ASP.Net security
and gain unauthorized access to objects in the Application folders explicitly by name.
this could be used to produce useful information that could be used to try to further compromise the affected system.
Solution:
Microsoft has released a patch to correct this issue,
you can download it from the following web site:
http://www.microsoft.com/technet/security/bulletin/ms06-033.mspx
(OID: 1.3.6.1.4.1.25623.1.0.101009)
Version used: $Revision: 3208 $
References:
CVE: CVE-2006-1300
BID: 18920
Issue
-----
NVT: IIS Service Pack - 404
OID: 1.3.6.1.4.1.25623.1.0.11874
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Summary:
Ensure that the server is running the latest stable Service Pack
Solution:
Solution type: VendorFix
The Patch level (Service Pack) of the remote IIS server appears to be lower
than the current IIS service pack level. As each service pack typically
contains many security patches, the server may be at risk.
Caveat: This test makes assumptions of the remote patch level based on static
return values (Content-Length) within the IIS Servers 404 error message.
As such, the test can not be totally reliable and should be manually confirmed.
Issue
-----
NVT: Microsoft IIS Tilde Character Information Disclosure Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.802887
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Summary:
This host is running Microsoft IIS Webserver and is prone to
information disclosure vulnerability.
Impact:
Successful exploitation will allow remote attackers to obtain
sensitive information that could aid in further attacks.
Impact Level: Application
Solution:
Solution type: WillNotFix
No solution or patch was made available for at least one year
since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective
features, remove the product or replace the product by another one.
Affected Software/OS:
Microsoft Internet Information Services versions 7.5 and prior
Vulnerability Insight:
Microsoft IIS fails to validate a specially crafted GET request
containing a '~' tilde character, which allows to disclose all short-names of
folders and files having 4 letters extensions.
References:
BID: 54251
Other:
http://www.osvdb.org/83771
http://www.exploit-db.com/exploits/19525
http://code.google.com/p/iis-shortname-scanner-poc
http://soroush.secproject.com/downloadable/iis_tilde_shortname_disclosure.txt
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Issue
-----
NVT: Microsoft ASP.NET Information Disclosure Vulnerability (2418042)
OID: 1.3.6.1.4.1.25623.1.0.901161
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS10-070.
Impact:
Successful exploitation could allow remote attackers to decrypt and gain
access to potentially sensitive data encrypted by the server or read data
from arbitrary files within an ASP.NET application. Obtained information
may aid in further attacks.
Impact Level: System/Application
Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
Affected Software/OS:
Microsoft ASP.NET 1.0
Microsoft ASP.NET 4.0
Microsoft ASP.NET 3.5.1
Microsoft ASP.NET 1.1 SP1 and prior
Microsoft ASP.NET 2.0 SP2 and prior
Microsoft ASP.NET 3.5 SP1 and prior
Vulnerability Insight:
The flaw is due to an error within ASP.NET in the handling of
cryptographic padding when using encryption in CBC mode. This can be
exploited to decrypt data via returned error codes from an affected server.
References:
CVE: CVE-2010-3332
BID: 43316
CERT: DFN-CERT-2011-0712, DFN-CERT-2010-1237
Other:
http://www.vupen.com/english/advisories/2010/2429
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Issue
-----
NVT: Microsoft IIS IP Address/Internal Network Name Disclosure Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.902796
Threat: Medium (CVSS: 5.0)
Port: 80/tcp
Summary:
The host is running Microsoft IIS Webserver and is prone to
IP address disclosure vulnerability.
Impact:
Successful exploitation will allow remote attackers to gain internal IP
address or internal network name, which could assist in further attacks
against the target host.
Impact Level: Application
Solution:
Solution type: VendorFix
Apply the hotfix for IIS 6.0 from below link
http://support.microsoft.com/kb/834141/#top
Affected Software/OS:
Microsoft Internet Information Services version 4.0, 5.0, 5.1 and 6.0
Workaround:
Apply workaround from below link for IIS 4.0, 5.0 and 5.1
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180
Vulnerability Insight:
The flaw is due to an error while processing 'GET' request. When
MS IIS receives a GET request without a host header, the Web server will
reveal the IP address of the server in the content-location field or the
location field in the TCP header in the response.
References:
BID: 3159
Other:
http://support.microsoft.com/kb/834141/
http://www.securityfocus.com/bid/3159/info
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180
http://www.juniper.net/security/auto/vulnerabilities/vuln3159.html
Issue
-----
NVT: Microsoft Security Bulletin MS06-056
OID: 1.3.6.1.4.1.25623.1.0.101006
Threat: Medium (CVSS: 4.3)
Port: 80/tcp
Summary:
A cross-site scripting vulnerability exists in a server running a vulnerable version of the .Net Framework 2.0
that could inject a client side script in the user's browser. The script could spoof content,
disclose information, or take any action that the user could take on the affected web site.
Solution:
Microsoft has released a patch to correct this issue,
you can download it from the following web site:
http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx
References:
CVE: CVE-2006-3436
BID: 20337
Issue
-----
NVT: ICMP Timestamp Detection
OID: 1.3.6.1.4.1.25623.1.0.103190
Threat: Log (CVSS: 0.0)
Port: general/icmp
Summary:
The remote host responded to an ICMP timestamp request. The Timestamp Reply is
an ICMP message which replies to a Timestamp message. It consists of the
originating timestamp sent by the sender of the Timestamp as well as a receive
timestamp and a transmit timestamp. This information could theoretically be used
to exploit weak time-based random number generators in other services.
Log Method:
Details:
ICMP Timestamp Detection
(OID: 1.3.6.1.4.1.25623.1.0.103190)
Version used: $Revision: 3115 $
References:
CVE: CVE-1999-0524
CERT: CB-K15/1514, CB-K14/0632, DFN-CERT-2014-0658
Other:
http://www.ietf.org/rfc/rfc0792.txt
Issue
-----
NVT: OS Detection
OID: 1.3.6.1.4.1.25623.1.0.105937
Threat: Log (CVSS: 0.0)
Port: general/tcp
Summary:
This script consolidates the OS information detected by several NVTs and tries to
find the best matching OS.
Log Method:
Details:
OS Detection
(OID: 1.3.6.1.4.1.25623.1.0.105937)
Version used: $Revision: 2709 $
Issue
-----
NVT: arachni (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.110001
Threat: Log (CVSS: 0.0)
Port: general/tcp
Summary:
This plugin uses arachni ruby command line to find
Log Method:
Details:
arachni (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.110001)
Version used: $Revision: 3117 $
Issue
-----
NVT: Traceroute
OID: 1.3.6.1.4.1.25623.1.0.51662
Threat: Log (CVSS: 0.0)
Port: general/tcp
Summary:
A traceroute from the scanning server to the target system was
conducted. This traceroute is provided primarily for informational
value only. In the vast majority of cases, it does not represent a
vulnerability. However, if the displayed traceroute contains any
private addresses that should not have been publicly visible, then you
have an issue you need to correct.
Solution:
Block unwanted packets from escaping your network.
Log Method:
Details:
Traceroute
(OID: 1.3.6.1.4.1.25623.1.0.51662)
Version used: $Revision: 2837 $
Issue
-----
NVT: SMB Remote Version Detection
OID: 1.3.6.1.4.1.25623.1.0.807830
Threat: Log (CVSS: 0.0)
Port: general/tcp
Summary:
Detection of Server Message Block(SMB).
This script sends an SMB Negotiation request and tries to get the version from the
response.
Log Method:
Details:
SMB Remote Version Detection
(OID: 1.3.6.1.4.1.25623.1.0.807830)
Version used: $Revision: 3467 $
Issue
-----
NVT: CPE Inventory
OID: 1.3.6.1.4.1.25623.1.0.810002
Threat: Log (CVSS: 0.0)
Port: general/CPE-T
Summary:
This routine uses information collected by other routines about
CPE identities (http://cpe.mitre.org/) of operating systems, services and
applications detected during the scan.
Log Method:
Details:
CPE Inventory
(OID: 1.3.6.1.4.1.25623.1.0.810002)
Version used: $Revision: 2837 $
Issue
-----
NVT: SMB Test
OID: 1.3.6.1.4.1.25623.1.0.90011
Threat: Log (CVSS: 0.0)
Port: general/SMBClient
Summary:
Log Method:
Details:
SMB Test
(OID: 1.3.6.1.4.1.25623.1.0.90011)
Version used: $Revision: 3376 $
Issue
-----
NVT: Anonymous FTP Checking
OID: 1.3.6.1.4.1.25623.1.0.900600
Threat: Log (CVSS: 0.0)
Port: general/tcp
Summary:
This FTP Server allows anonymous logins.
A host that provides an FTP service may additionally provide Anonymous FTP
access as well. Under this arrangement, users do not strictly need an account
on the host. Instead the user typically enters 'anonymous' or 'ftp' when
prompted for username. Although users are commonly asked to send their email
address as their password, little to no verification is actually performed on
the supplied data.
Solution:
If you do not want to share files, you should disable anonymous logins.
Log Method:
Details:
Anonymous FTP Checking
(OID: 1.3.6.1.4.1.25623.1.0.900600)
Version used: $Revision: 2833 $
References:
CVE: CVE-1999-0497
Issue
-----
NVT: FTP Banner Detection
OID: 1.3.6.1.4.1.25623.1.0.10092
Threat: Log (CVSS: 0.0)
Port: 21/tcp
Summary:
This Plugin detects the FTP Server Banner
Log Method:
Details:
FTP Banner Detection
(OID: 1.3.6.1.4.1.25623.1.0.10092)
Version used: $Revision: 2622 $
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port: 21/tcp
Summary:
This routine attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 or 443 and makes this information
available for other check routines.
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
-----
NVT: SMTP Server type and version
OID: 1.3.6.1.4.1.25623.1.0.10263
Threat: Log (CVSS: 0.0)
Port: 25/tcp
Summary:
This detects the SMTP Server's type and version by connecting to
the server and processing the buffer received.
220 WINVUL Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Wed, 22 Jun 2016 01:34:00 -0600
Solution:
Change the login banner to something generic.
Log Method:
Details:
SMTP Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10263)
Version used: $Revision: 2599 $
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port: 25/tcp
Summary:
This routine attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 or 443 and makes this information
available for other check routines.
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
-----
NVT: SMTP Missing Support For STARTTLS
OID: 1.3.6.1.4.1.25623.1.0.105091
Threat: Log (CVSS: 0.0)
Port: 25/tcp
Summary:
The remote Mailserver does not support the STARTTLS command.
Log Method:
Details:
SMTP Missing Support For STARTTLS
(OID: 1.3.6.1.4.1.25623.1.0.105091)
Version used: $Revision: 2823 $
Issue
-----
NVT: Microsoft Exchange Server Remote Detection
OID: 1.3.6.1.4.1.25623.1.0.111085
Threat: Log (CVSS: 0.0)
Port: 25/tcp
Summary:
The script checks the SMTP/POP3/IMAP server
banner for the presence of Microsoft Exchange Server.
Log Method:
Details:
Microsoft Exchange Server Remote Detection
(OID: 1.3.6.1.4.1.25623.1.0.111085)
Version used: $Revision: 2880 $
Issue
-----
NVT: Microsoft dotNET version grabber
OID: 1.3.6.1.4.1.25623.1.0.101007
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
The remote host seems to have Microsoft .NET installed.
Solution:
It's recommended to disable verbose error display to avoid version detection.
This can be done through the IIS management console.
Log Method:
Details:
Microsoft dotNET version grabber
(OID: 1.3.6.1.4.1.25623.1.0.101007)
Version used: $Revision: 2837 $
Issue
-----
NVT: Windows SharePoint Services detection
OID: 1.3.6.1.4.1.25623.1.0.101018
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
The remote host is running Windows SharePoint Services.
Microsoft SharePoint products and technologies include browser-based collaboration
and a document-management platform. These can be used to host web sites that access
shared workspaces and documents from a browser.
Solution:
It's recommended to allow connection to this host only from trusted hosts or networks.
Log Method:
Details:
Windows SharePoint Services detection
(OID: 1.3.6.1.4.1.25623.1.0.101018)
Version used: $Revision: 3467 $
Issue
-----
NVT: HTTP Server type and version
OID: 1.3.6.1.4.1.25623.1.0.10107
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This detects the HTTP Server's type and version.
Solution:
Log Method:
Details:
HTTP Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10107)
Version used: $Revision: 3564 $
Issue
-----
NVT: DIRB (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.103079
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This script uses DIRB to find directories and files on web
applications via brute forcing.
Log Method:
Details:
DIRB (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.103079)
Version used: $Revision: 3117 $
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This routine attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 or 443 and makes this information
available for other check routines.
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
-----
NVT: Web mirroring
OID: 1.3.6.1.4.1.25623.1.0.10662
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This script makes a mirror of the remote web site
and extracts the list of CGIs that are used by the remote host.
It is suggested you allow a long-enough timeout value for
this test routine and also adjust the setting on
the number of pages to mirror.
Log Method:
Details:
Web mirroring
(OID: 1.3.6.1.4.1.25623.1.0.10662)
Version used: $Revision: 2837 $
Issue
-----
NVT: Directory Scanner
OID: 1.3.6.1.4.1.25623.1.0.11032
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This plugin attempts to determine the presence of various
common dirs on the remote web server
Log Method:
Details:
Directory Scanner
(OID: 1.3.6.1.4.1.25623.1.0.11032)
Version used: $Revision: 2837 $
References:
Other:
OWASP:OWASP-CM-006
Issue
-----
NVT: HTTP TRACE
OID: 1.3.6.1.4.1.25623.1.0.11040
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
Transparent or reverse HTTP proxies may be implemented on some sites.
Log Method:
Details:
HTTP TRACE
(OID: 1.3.6.1.4.1.25623.1.0.11040)
Version used: $Revision: 3395 $
Issue
-----
NVT: Directories used for CGI Scanning
OID: 1.3.6.1.4.1.25623.1.0.111038
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
The script prints out the directories which
are used when CGI scanning is enabled.
http://172.16.112.20/cgi-bin
http://172.16.112.20/old
http://172.16.112.20/
Log Method:
Details:
Directories used for CGI Scanning
(OID: 1.3.6.1.4.1.25623.1.0.111038)
Version used: $Revision: 3092 $
Issue
-----
NVT: Nikto (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.14260
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This plugin uses nikto(1) to find weak CGI scripts
and other known issues regarding web server security.
See the preferences section for configuration options.
Log Method:
Details:
Nikto (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.14260)
Version used: $Revision: 2837 $
Issue
-----
NVT: wapiti (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.80110
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This plugin uses wapiti to find
web security issues.
Make sure to have wapiti 2.x as wapiti 1.x is not supported.
See the preferences section for wapiti options.
Note that OpenVAS is using limited set of wapiti options.
Therefore, for more complete web assessment, you should
use standalone wapiti tool for deeper/customized checks.
Log Method:
Details:
wapiti (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.80110)
Version used: $Revision: 3207 $
Issue
-----
NVT: Microsoft IIS Webserver Version Detection
OID: 1.3.6.1.4.1.25623.1.0.900710
Threat: Log (CVSS: 0.0)
Port: 80/tcp
Summary:
This script detects the installed MS IIS Webserver and sets the
result in KB
Log Method:
Details:
Microsoft IIS Webserver Version Detection
(OID: 1.3.6.1.4.1.25623.1.0.900710)
Version used: $Revision: 2711 $
Issue
-----
NVT: SMB on port 445
OID: 1.3.6.1.4.1.25623.1.0.11011
Threat: Log (CVSS: 0.0)
Port: 139/tcp
Summary:
This script detects whether ports 445 and 139 are open and
if they are running SMB servers.
Log Method:
Details:
SMB on port 445
(OID: 1.3.6.1.4.1.25623.1.0.11011)
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port: 443/tcp
Summary:
This routine attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 or 443 and makes this information
available for other check routines.
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
-----
NVT: Identify unknown services with nmap
OID: 1.3.6.1.4.1.25623.1.0.66286
Threat: Log (CVSS: 0.0)
Port: 443/tcp
Summary:
This plugin performs service detection by launching nmap's
service probe against ports running unidentified services.
Description :
This plugin is a complement of find_service.nasl. It launches
nmap -sV (probe requests) against ports that are running
unidentified services.
Log Method:
Details:
Identify unknown services with nmap
(OID: 1.3.6.1.4.1.25623.1.0.66286)
Version used: $Revision: 2752 $
Issue
-----
NVT: SMB NativeLanMan
OID: 1.3.6.1.4.1.25623.1.0.102011
Threat: Log (CVSS: 0.0)
Port: 445/tcp
Summary:
It is possible to extract OS, domain
and SMB server information from the Session Setup AndX Response packet
which is generated during NTLM authentication.
Log Method:
Details:
SMB NativeLanMan
(OID: 1.3.6.1.4.1.25623.1.0.102011)
Version used: $Revision: 3462 $
Issue
-----
NVT: SMB on port 445
OID: 1.3.6.1.4.1.25623.1.0.11011
Threat: Log (CVSS: 0.0)
Port: 445/tcp
Summary:
This script detects whether ports 445 and 139 are open and
if they are running SMB servers.
Log Method:
Details:
SMB on port 445
(OID: 1.3.6.1.4.1.25623.1.0.11011)
Version used: $Revision: 2837 $
Issue
-----
NVT: Microsoft SMB Signing Disabled
OID: 1.3.6.1.4.1.25623.1.0.802726
Threat: Log (CVSS: 0.0)
Port: 445/tcp
Summary:
Checks whether SMB signing is disabled.
The script logs in via SMB and checks the SMB Negotiate Protocol response to
confirm that SMB signing is disabled.
Log Method:
Details:
Microsoft SMB Signing Disabled
(OID: 1.3.6.1.4.1.25623.1.0.802726)
Version used: $Revision: 2576 $
Issue
-----
NVT: Identify unknown services with nmap
OID: 1.3.6.1.4.1.25623.1.0.66286
Threat: Log (CVSS: 0.0)
Port: 1025/tcp
Summary:
This plugin performs service detection by launching nmap's
service probe against ports running unidentified services.
Description :
This plugin is a complement of find_service.nasl. It launches
nmap -sV (probe requests) against ports that are running
unidentified services.
Log Method:
Details:
Identify unknown services with nmap
(OID: 1.3.6.1.4.1.25623.1.0.66286)
Version used: $Revision: 2752 $
Appendix F
Windows XP Hashes
Note: Both Windows servers were hosting the same databases and web apps.