
Demo Company

Security Assessment Findings Report

Business Confidential

Date: May 28th, 2019


Project: 897-19
Version 1.0

Demo Company - 001-01


BUSINESS CONFIDENTIAL
Copyright © INE Security (ine.com) 1
Table of Contents
Table of Contents
Confidentiality Statement
Disclaimer
Contact Information
Assessment Overview
Assessment Components
    Internal Penetration Test
Finding Severity Ratings
Scope
    Scope Exclusions
Executive Summary
Vulnerabilities by Impact
Timeline
    Attack Summary
    Technical Findings
Attack Narrative
    Enumerating The Public Server
    Exploiting MiniServ
Cleanup
Conclusion
Appendices
    Nmap Scan
    Exploit code

Confidentiality Statement
This document is the exclusive property of INE Security and Héctor Villanueva. This
document contains proprietary and confidential information. Duplication, redistribution, or
use, in whole or in part, in any form, requires consent of both INE and Héctor Villanueva.
Héctor Villanueva may share this document with auditors under non-disclosure
agreements to demonstrate penetration test requirement compliance.

Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations
reflect the information gathered during the assessment and not any changes or
modifications made outside of that period.
Time-limited engagements do not allow for a full evaluation of all security controls. Héctor
Villanueva prioritized the assessment to identify the weakest security controls an attacker
would exploit. Héctor Villanueva recommends conducting similar assessments on an
annual basis by internal or third-party assessors to ensure the continued success of the
controls.

Contact Information

Name                 Title                         Contact Information

Demo Company
John Smith           VP, Information Security      Office: (555) 555-5555
                     (CISO)                        Email: john.smith@demo.com
Jim Smith            IT Manager                    Office: (555) 555-5555
                                                   Email: jim.smith@demo.com

INE Security
Héctor Villanueva    Lead Penetration Tester       Email: hvillaper@gmail.com

Assessment Overview
From June 30th, 2024 to July 5th, 2024, INE Security engaged Héctor Villanueva to evaluate
the security posture of its infrastructure against current industry best practices; the
engagement included an external penetration test.
Phases of penetration testing activities include the following:

● Planning – Customer goals are gathered and rules of engagement obtained.
● Discovery – Perform scanning and enumeration to identify potential vulnerabilities,
  weak areas, and exploits.
● Attack – Confirm potential vulnerabilities through exploitation and perform
  additional discovery upon new access.
● Reporting – Document all found vulnerabilities and exploits, failed attempts, and
  company strengths and weaknesses.

Assessment Components
Internal Penetration Test

An internal penetration test emulates the role of an attacker from inside the network. An
engineer will scan the network to identify potential host vulnerabilities and perform
common and advanced internal network attacks, such as: LLMNR/NBT-NS poisoning and
other man-in-the-middle attacks, token impersonation, pass-the-hash, golden ticket, and
more. The engineer will seek to gain access to hosts through lateral movement,
compromise domain user and admin accounts, and exfiltrate sensitive data.

Finding Severity Ratings
The following table defines levels of severity and corresponding CVSS score range that
are used throughout the document to assess vulnerability and risk impact.

Severity        CVSS V3 Score Range   Definition

Critical        9.0-10.0              Exploitation is straightforward and usually results in
                                      system-level compromise. It is advised to form a plan of
                                      action and patch immediately.

High            7.0-8.9               Exploitation is more difficult but could cause elevated
                                      privileges and potentially a loss of data or downtime. It
                                      is advised to form a plan of action and patch as soon as
                                      possible.

Moderate        4.0-6.9               Vulnerabilities exist but are not exploitable or require
                                      extra steps such as social engineering. It is advised to
                                      form a plan of action and patch after high-priority issues
                                      have been resolved.

Low             0.1-3.9               Vulnerabilities are non-exploitable but would reduce an
                                      organization's attack surface. It is advised to form a
                                      plan of action and patch during the next maintenance
                                      window.

Informational   N/A                   No vulnerability exists. Additional information is
                                      provided regarding items noticed during testing, strong
                                      controls, and additional documentation.

Risk Factors
Risk is measured by two factors: Likelihood and Impact.

Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given
based on the difficulty of the attack, the available tools, attacker skill level, and client
environment.

Impact
Impact measures the potential vulnerability’s effect on operations, including
confidentiality, integrity, and availability of client systems and/or data, reputational harm,
and financial loss.

Scope

Assessment                   Details
Internal Penetration Test    192.168.0.0/24, 192.168.1.0/24
Network 2                    10.10.10.0/24

Scope Exclusions

Per client request, INE Security did not perform any of the following attacks during testing:

● Denial of Service (DoS), Man-in-the-middle

All other attacks not specified above were permitted by INE Security.

Executive Summary
Héctor Villanueva evaluated INE’s internal security posture through an internal network
penetration test from June 30th, 2024 to July 5th, 2024.
By leveraging a series of attacks, Héctor Villanueva found critical-level vulnerabilities that
allowed full internal network access to the INE headquarters office. It is highly
recommended that INE address these vulnerabilities as soon as possible, as they are easily
found through basic reconnaissance and exploitable without much effort.

Vulnerabilities by Impact
The following chart illustrates the vulnerabilities found by impact:

Severity        Count
Critical        1
High            2
Moderate        0
Low             1
Informational   0
Total           4

Timeline
The following chart illustrates a quick timeline of the penetration test so the attacks can
be correlated with logs:

Date/Time           Event
17.06.24            Engagement start
17.06.24 - 12:00    SYSTEM access to GIT-SERV
17.06.24 - 14:00    ROOT access to PROD-SERV

Attack Summary

The following table describes how Héctor Villanueva gained internal network access, step
by step:

Finding                                          Severity    Recommendation

IPT-001: Insufficient Patch Management -         Critical    Upgrade Samba to the latest version
Samba 3.0.20 'Username map script' Command
Execution - CVE-2007-2447

IPT-002: Insufficient Hardening - Anonymous      High        Disable the anonymous login on FTP
FTP Permitted

IPT-003: Insufficient Hardening - Samba          High        Disable the READ/WRITE for the tmp
READ/WRITE Permissions Allowed                               folder without getting any password

Leveraged valid credentials to log into VPN      Moderate    OWA permitted authentication with valid
                                                             credentials. TCMS recommends DC
                                                             implement Multi-Factor Authentication
                                                             (MFA) on all external services.

Technical Findings
IPT-001 - Insufficient Patch Management (Critical)

Description: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows
remote attackers to execute arbitrary commands via shell metacharacters involving the
(1) SamrChangePassword function, when the "username map script" smb.conf option is
enabled, and allows remote authenticated users to execute commands via shell
metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file
share management.
Impact: Critical
Tools Used: Metasploit, searchsploit
System: 192.168.0.5
References: www.exploit-db.com/exploits/16320
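The finding above hinges on the "username map script" smb.conf option, and IPT-003 in the Attack Summary flags a tmp share that is readable and writable without a password. The following script is an added example, not part of this report or its tooling: it parses an smb.conf, flags the username map script option (and, when a Samba version string is supplied, checks it against the 3.0.0 through 3.0.25rc3 range given in the description), and flags every share that is both guest-accessible and writable. The sample configuration, script path and share names are constructed for illustration.

```python
"""Audit an smb.conf for the two Samba weaknesses this report describes.
Added example, not the report's own tooling; sample config is constructed."""
import re

# Constructed sample smb.conf resembling the weak state described in the report.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   username map script = /etc/samba/scripts/mapusers.sh   ; hypothetical path

[tmp]
   comment = Temporary files
   path = /tmp
   guest ok = yes
   writable = yes

[secure]
   path = /srv/secure
   read only = yes
   guest ok = no
"""

VERSION_3_0 = re.compile(r"^3\.0\.(\d+)(rc\d+)?$")


def parse_smb_conf(text):
    """Minimal INI-style parser: {section: {key: value}} with lowercase keys.
    Trailing ';' comments on a value line are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0].strip()
        sections[current][key.strip().lower()] = value
    return sections


def is_truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def version_in_cve_2007_2447_range(version):
    """True for Samba 3.0.0 through 3.0.25rc3 (the range in the finding)."""
    m = VERSION_3_0.match(version.strip())
    if not m:
        return False
    minor, rc = int(m.group(1)), m.group(2)
    if minor < 25:
        return True
    # 3.0.25 final and later rc builds are outside the stated range.
    return minor == 25 and rc is not None and int(rc[2:]) <= 3


def audit(config_text, samba_version=None):
    """Return a list of (finding_id, message) tuples, IPT-001 first."""
    conf = parse_smb_conf(config_text)
    findings = []
    global_opts = conf.get("global", {})
    if global_opts.get("username map script"):
        msg = "username map script is set in [global]"
        if samba_version and version_in_cve_2007_2447_range(samba_version):
            msg += f"; Samba {samba_version} is in the CVE-2007-2447 range"
        findings.append(("IPT-001", msg))
    for name, opts in conf.items():
        if name == "global":
            continue
        guest = is_truthy(opts.get("guest ok", "no"))
        # 'writable'/'writeable' is the inverse synonym of 'read only'; the
        # Samba default is read only = yes, so an unset share is not writable.
        if "writable" in opts or "writeable" in opts:
            writable = is_truthy(opts.get("writable", opts.get("writeable", "no")))
        elif "read only" in opts:
            writable = not is_truthy(opts["read only"])
        else:
            writable = False
        if guest and writable:
            findings.append(("IPT-003", f"share [{name}] is writable without a password"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE_SMB_CONF, samba_version="3.0.20"):
        print(finding_id, message)
```

Point `audit()` at the contents of a real smb.conf and the output of `smbd -V` to turn the two table rows into a repeatable check; a clean configuration returns an empty list.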

Exploitation Proof of Concept

Figure 1: Sample list of breached user credentials

TCMS used the gathered credentials to perform a credential stuffing attack against the
OWA login page. Credential stuffing attacks take previously known credentials and
attempt to use them on login forms to gain access to company resources. TCMS was
unsuccessful in the attack but was able to gather additional sensitive information from the
OWA server in the form of username enumeration.

Figure 2: OWA username enumeration

TCMS gathered the valid usernames and performed a password spraying attack. A
password spraying attack attempts to use common passwords against known usernames
in hopes of gaining access to company resources. TCMS attempted to use the common
password Summer2018! (season + year + special character) against all known valid
usernames. A username returned as a successful login:

Figure 3: Successful OWA Login

TCMS leveraged the valid credentials to log into the client VPN portal and gain access to
the internal network.
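The spraying described above has a distinctive shape in authentication logs: a single source touching many accounts, each once or twice, with at most one success, whereas a brute-force attempt hits one account many times. The following is an added detection example, not part of this report; the log line format, IP addresses and usernames are constructed, so the regex would need adapting to the real OWA or VPN log format.

```python
"""Flag the password-spraying pattern (many accounts, few tries each, one
source) in authentication logs. Added example; log format is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, generic auth-log format (not OWA's real format).
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays six accounts with one try each
# (one succeeds); 198.51.100.7 brute-forces a single account.
SAMPLE_LOG = """\
2024-07-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-07-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-07-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-07-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-07-01T10:00:05Z src=203.0.113.5 user=erin result=SUCCESS
2024-07-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2024-07-01T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2024-07-01T10:05:01Z src=198.51.100.7 user=alice result=FAIL
2024-07-01T10:05:02Z src=198.51.100.7 user=alice result=FAIL
2024-07-01T10:05:03Z src=198.51.100.7 user=alice result=FAIL
2024-07-01T10:05:04Z src=198.51.100.7 user=alice result=FAIL
2024-07-01T10:05:05Z src=198.51.100.7 user=alice result=FAIL
"""


def parse_log(text):
    """Yield (timestamp, src, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: {"users": [...], "successes": [...]}} for each source that,
    inside any sliding window, touches >= min_users distinct accounts with
    <= max_per_user attempts per account. Single-account brute force is
    deliberately not matched; it is a different pattern with its own tuning."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(parse_log(log_text)):
        by_src[src].append((ts, user, result))

    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in in_window:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = {
                    "users": sorted(per_user),
                    "successes": sorted({u for _, u, r in in_window if r == "SUCCESS"}),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(info['users'])} accounts, "
              f"successes={info['successes']}")
```

The `successes` field is what turns an alert into an incident: a spray with a hit is a compromised account that needs a password reset and, as the Attack Summary recommends, MFA in front of every external service so a guessed password alone is not enough.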

Attack Narrative

Enumerating The Public Server

Exploiting MiniServ

Cleanup
From 10.200.83.100 I removed my nc wrapper System.exe, and the custom compiled
nc.exe binary which was used to bypass the Antivirus software running on the system.
I also removed my uploaded file-upload exploit file image.png.php, which was used to get
the initial remote code execution.

From 10.200.83.150 I removed the file that the exploit created exploit-M4t35Z.php, the
created user account with net user testuser1234 /DELETE, and chisel-M4t35Z.exe that I
used for pivoting inside the internal network.

From 10.200.83.200 I removed the uploaded nmap-M4t35Z binary which was used to
enumerate the internal network.

Conclusion
The Wreath network suffered a series of control failures which led to a complete
compromise of critical company assets. These failures would have a dramatic effect on
the Wreath network if a malicious party had exploited them.

It is important to note that this collapse of the entire Wreath network security
infrastructure can be greatly attributed to outdated software with known vulnerabilities.
Appropriate efforts should be undertaken to update the versions of the software used,
which could help mitigate the effects of cascading security failures throughout the
Wreath network infrastructure.

Appendices

Nmap Scan

Exploit code
