Business Confidential
Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations
reflect the information gathered during the assessment and not any changes or
modifications made outside of that period.
Time-limited engagements do not allow for a full evaluation of all security controls. Héctor
Villanueva prioritized the assessment to identify the weakest security controls an attacker
would exploit. Héctor Villanueva recommends conducting similar assessments on an
annual basis by internal or third-party assessors to ensure the continued success of the
controls.
Contact Information
Assessment Components
Internal Penetration Test
An internal penetration test emulates the role of an attacker from inside the network. An
engineer will scan the network to identify potential host vulnerabilities and perform
common and advanced internal network attacks, such as: LLMNR/NBT-NS poisoning and
other man-in-the-middle attacks, token impersonation, pass-the-hash, golden ticket, and
Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given
based on the difficulty of the attack, the available tools, attacker skill level, and client
environment.
Impact
Impact measures the potential vulnerability’s effect on operations, including
confidentiality, integrity, and availability of client systems and/or data, reputational harm,
and financial loss.
Scope
Assessment                 Details
Internal Penetration Test  192.168.0.0/24, 192.168.1.0/24
Network 2                  10.10.10.0/24
Scope Exclusions
Per client request, INE Security did not perform any of the following attacks during testing:
All other attacks not specified above were permitted by INE Security.
Vulnerabilities by Impact
The following chart illustrates the vulnerabilities found by impact:
[Chart: vulnerability counts by impact rating, 1 2 0 1 0; total of vulnerabilities: 4]
Timeline
The following chart illustrates a quick timeline of the penetration test so the attacks can
be correlated with logs:
Date/Time Event
Attack Summary
The following table describes how Héctor Villanueva gained internal network access, step
by step:
Finding                                          Severity  Recommendation
IPT-002: Insufficient Hardening - Anonymous FTP  High      Disable anonymous login on the FTP
Permitted                                                  service.
IPT-003: Insufficient Hardening - Samba          High      Disable READ/WRITE access to the tmp
READ/WRITE Permissions Allowed                             share for users who supply no
                                                           password.
TCMS used the gathered credentials to perform a credential stuffing attack against the
OWA login page. Credential stuffing attacks take previously known credentials and
attempt to use them on login forms to gain access to company resources. TCMS was
unsuccessful in the attack but was able to gather additional sensitive information from the
OWA server in the form of username enumeration.
TCMS gathered the valid usernames and performed a password spraying attack. A
password spraying attack attempts to use common passwords against known usernames
in hopes of gaining access to company resources. TCMS attempted to use the common
Summer2018! (season + year + special character) against all known valid usernames. A
username returned as a successful login:
TCMS leveraged the valid credentials to log into the client VPN portal and gain access to
the internal network.
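The password-spraying pattern described above, seen from the detection side. This is an added example and not part of the report: a small Python script run over constructed authentication log lines (the log format, the addresses and the usernames are all assumptions) that flags a source address failing logins against many distinct usernames in a short window, which is what separates a spray from a single-account brute force, and lists any successful login from the same source in that window so the account can be reviewed.

```python
"""
Password-spraying detection over authentication logs.

Added example, not from the report. A source address is reported when, within a
time window, it fails against many distinct usernames while trying no single
username more than a couple of times (few attempts per account, many accounts).
Any SUCCESS from that source inside the same window is listed for follow-up.
The log format and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> src=<ip> user=<name> result=<SUCCESS|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, src, user, result), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"])


def detect_spray(lines, min_users=5, window=timedelta(minutes=10), max_per_user=2):
    """
    Report each source that, in some window of length `window`, fails against at
    least `min_users` distinct usernames with at most `max_per_user` failures per
    username. Returns a list of finding dicts (one per source, first window found).
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, user, result = parsed
            events[src].append((ts, user, result))

    findings = []
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            end = start + window
            in_win = [e for e in evs[i:] if e[0] <= end]
            fails = defaultdict(int)
            for _, user, result in in_win:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                successes = sorted({u for _, u, r in in_win if r == "SUCCESS"})
                findings.append({
                    "src": src,
                    "window_start": start.isoformat(),
                    "targeted_users": len(fails),
                    "successful_logins": successes,
                })
                break  # one finding per source is enough for triage
    return findings


# Constructed sample: one spray (many users, one try each, one success), one
# single-account brute force (should not be flagged) and one ordinary login.
SAMPLE_LOG = """\
2018-06-04T09:00:01 src=203.0.113.7 user=abrown result=FAIL
2018-06-04T09:00:03 src=203.0.113.7 user=cdavis result=FAIL
2018-06-04T09:00:05 src=203.0.113.7 user=ejones result=FAIL
2018-06-04T09:00:07 src=203.0.113.7 user=jsmith result=SUCCESS
2018-06-04T09:00:09 src=203.0.113.7 user=kwhite result=FAIL
2018-06-04T09:00:11 src=203.0.113.7 user=mlee result=FAIL
2018-06-04T09:00:13 src=203.0.113.7 user=pgreen result=FAIL
2018-06-04T09:05:00 src=198.51.100.9 user=admin result=FAIL
2018-06-04T09:05:01 src=198.51.100.9 user=admin result=FAIL
2018-06-04T09:05:02 src=198.51.100.9 user=admin result=FAIL
2018-06-04T09:05:03 src=198.51.100.9 user=admin result=FAIL
2018-06-04T09:05:04 src=198.51.100.9 user=admin result=FAIL
2018-06-04T09:05:05 src=198.51.100.9 user=admin result=FAIL
2018-06-04T09:10:00 src=192.0.2.25 user=abrown result=SUCCESS
"""


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_spray(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The brute-force source fails six times against one account and is deliberately left to a separate lockout-style rule; the spray source touches seven accounts with one attempt each, which is what a per-account lockout threshold never sees, so the detector keys on the number of distinct usernames per source rather than on failures per account.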
Exploiting MiniServ
From 10.200.83.150 I removed the file that the exploit created (exploit-M4t35Z.php), the user account that had been created (net user testuser1234 /DELETE), and chisel-M4t35Z.exe, which I used for pivoting inside the internal network.
From 10.200.83.200 I removed the uploaded nmap-M4t35Z binary, which was used to enumerate the internal network.
Conclusion
The Wreath network suffered a series of control failures that led to a complete
compromise of critical company assets. These failures would have had a dramatic effect on
the Wreath network if a malicious party had exploited them.
It is important to note that this collapse of the entire Wreath network security
infrastructure can largely be attributed to outdated software with known vulnerabilities.
Appropriate efforts should be undertaken to update the versions of the software in use,
which would help mitigate the cascading security failures observed throughout the
Wreath network infrastructure.
Nmap Scan
Exploit code