Business Confidential
Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the
information gathered during the assessment and not any changes or modifications made outside of that
period.
Time-limited engagements do not allow for a full evaluation of all security controls. <Your name>
prioritized the assessment to identify the weakest security controls an attacker would exploit. <Your
name> recommends conducting similar assessments on an annual basis by internal or third-party
assessors to ensure the continued effectiveness of the controls.
Contact Information
Name | Title | Contact Information
Demo Company
John Smith | VP, Information Security (CISO) | Office: (555) 555-5555; Email: john.smith@demo.com
Jim Smith | IT Manager | Office: (555) 555-5555; Email: jim.smith@demo.com
INE Security
<Your name> | Lead Penetration Tester | Email: <Your name>@gmail.com
● Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas,
and exploits.
● Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery
upon new access.
● Reporting – Document all found vulnerabilities and exploits, failed attempts, and company
strengths and weaknesses.
Assessment Components
Internal Penetration Test
An internal penetration test emulates the role of an attacker from inside the network. An engineer will
scan the network to identify potential host vulnerabilities and perform common and advanced internal
network attacks, such as: LLMNR/NBT-NS poisoning and other man-in-the-middle attacks, token
impersonation, pass-the-hash, golden ticket, and more. The engineer will seek to gain access to hosts
through lateral movement, compromise domain user and admin accounts, and exfiltrate sensitive data.
Moderate | 4.0-6.9 | Vulnerabilities exist but are not exploitable or require extra steps such as social
engineering. It is advised to form a plan of action and patch after high-priority issues have been
resolved.
Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given based on the
difficulty of the attack, the available tools, attacker skill level, and client environment.
Impact
Impact measures the potential vulnerability’s effect on operations, including confidentiality, integrity,
and availability of client systems and/or data, reputational harm, and financial loss.
Scope
Assessment | Details
Internal Penetration Test | 192.168.0.0/24, 192.168.1.0/24
Network 2 | 10.10.10.0/24
Scope Exclusions
Per client request, INE Security did not perform any of the following attacks during testing:
All other attacks not specified above were permitted by INE Security.
Vulnerabilities by Impact
The following chart illustrates the vulnerabilities found by impact:
[Chart: vulnerabilities by impact; values shown: 1, 2, 0, 1, 0]
Total of Vulnerabilities: 4
Timeline
The following chart illustrates a quick timeline of the penetration test so the attacks can be correlated
with logs:
Date/Time Event
Attack Summary
The following table describes how <Your name> gained internal network access, step by step:
Description: The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote
attackers to execute arbitrary commands via shell metacharacters involving the (1)
SamrChangePassword function, when the "username map script" smb.conf option is
enabled, and allows remote authenticated users to execute commands via shell
metacharacters involving other MS-RPC functions in the (2) remote printer and (3)
file share management.
Impact: Critical
Tools Used: Metasploit, searchsploit
System: 192.168.0.5
References: www.exploit-db.com/exploits/16320
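The finding above is only exploitable in the described way when the affected Samba build is running with the "username map script" option set, so a defender's first check is the version plus that one smb.conf parameter. The following Python audit helper is an added example, not part of the report or of Samba itself: it parses an smb.conf-style text (sample config constructed here), orders Samba version strings so that release candidates sort before the final release (3.0.25rc3 is in the affected range, 3.0.25 is not), and combines the two into a verdict. The version range and option name come from the finding; the sample paths and the verdict wording are assumptions.

```python
import re

# Constructed sample smb.conf fragment (not from the report). The live
# "username map script" line is the setting the finding refers to; the
# ';'-prefixed copy is a comment and must not count as enabled.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   username map script = /etc/samba/scripts/mapusers.sh
   ; username map script = /tmp/disabled.sh
   log level = 1
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.
    Parameter names are lower-cased with internal whitespace collapsed,
    matching how Samba compares them; ';' and '#' lines are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_samba_version(version):
    """Turn '3.0.25rc3', '3.0.25' or '3.0.25a' into a sortable tuple.
    Release candidates sort below the final release, and a letter
    suffix (a point fix) sorts above it."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch, rc, letter = m.groups()
    base = (int(major), int(minor), int(patch))
    if rc is not None:
        return base + (0, int(rc))
    if letter is not None:
        return base + (1, ord(letter) - ord("a") + 1)
    return base + (1, 0)


# Affected range as stated in the finding: 3.0.0 through 3.0.25rc3.
VULN_FIRST = parse_samba_version("3.0.0")
VULN_LAST = parse_samba_version("3.0.25rc3")


def assess_username_map_script(version, smb_conf_text):
    """Return (affected_version, option_enabled, verdict).
    The authenticated MS-RPC vectors in the finding do not depend on the
    option, so an affected version is flagged even when it is unset."""
    affected = VULN_FIRST <= parse_samba_version(version) <= VULN_LAST
    conf = parse_smb_conf(smb_conf_text)
    enabled = bool(conf.get("global", {}).get("username map script"))
    if affected and enabled:
        verdict = "CRITICAL: affected version with 'username map script' enabled"
    elif affected:
        verdict = "HIGH: affected version; option not set, upgrade still required"
    elif enabled:
        verdict = "INFO: option set on a version outside the reported range"
    else:
        verdict = "OK"
    return affected, enabled, verdict


if __name__ == "__main__":
    for ver in ("3.0.20", "3.0.25rc3", "3.0.25", "3.0.25a"):
        print(ver, assess_username_map_script(ver, SAMPLE_SMB_CONF)[2])
```

The version ordering is the part that is easy to get wrong in an inventory script: a plain string or float comparison would place "3.0.25rc3" after "3.0.25" and miss the last affected build.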
TCMS gathered the valid usernames and performed a password spraying attack. A password spraying
attack attempts to use common passwords against known usernames in hopes of gaining access to
company resources. TCMS attempted to use the common Summer2018! (season + year + special
character) against all known valid usernames. A username returned as a successful login:
TCMS leveraged the valid credentials to log into the client VPN portal and gain access to the internal
network.
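The attack above has a distinctive log signature that is worth correlating with the timeline table: one source producing failed logins against many different accounts in a short window, often followed by a single success. The Python detector below is an added example, not part of the report or of any client tooling; it runs over a constructed authentication log in an assumed format ("<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"), flags sources whose failures touch at least a threshold of distinct usernames within a sliding window, and lists successful logins from flagged sources. It deliberately does not flag the second source, which retries one account many times (brute force, a different pattern).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the report).
# 203.0.113.7 tries one password across many accounts (a spray);
# 198.51.100.2 hammers a single account and must not be flagged here.
SAMPLE_AUTH_LOG = """\
2018-07-09T10:00:01 FAIL user=alice src=203.0.113.7
2018-07-09T10:00:02 FAIL user=bob src=203.0.113.7
2018-07-09T10:00:03 FAIL user=carol src=203.0.113.7
2018-07-09T10:00:04 FAIL user=dave src=203.0.113.7
2018-07-09T10:00:05 FAIL user=erin src=203.0.113.7
2018-07-09T10:00:06 FAIL user=frank src=203.0.113.7
2018-07-09T10:00:07 FAIL user=grace src=203.0.113.7
2018-07-09T10:00:08 FAIL user=heidi src=203.0.113.7
2018-07-09T10:00:09 SUCCESS user=jsmith src=203.0.113.7
2018-07-09T10:05:00 FAIL user=alice src=198.51.100.2
2018-07-09T10:05:01 FAIL user=alice src=198.51.100.2
2018-07-09T10:05:02 FAIL user=alice src=198.51.100.2
2018-07-09T10:05:03 FAIL user=alice src=198.51.100.2
2018-07-09T10:05:04 FAIL user=alice src=198.51.100.2
2018-07-09T10:05:05 FAIL user=alice src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")


def parse_auth_log(text):
    """Parse the assumed log format into event dicts; non-matching
    lines are skipped so one malformed record cannot stop detection."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "src": src})
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source whose failed logins within any `window` touch at
    least `min_users` distinct accounts. The distinct-user count per
    source is the spray signal; a brute force against one account never
    reaches the threshold however many attempts it makes."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans <= `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            seen = alerts.get(src, {}).get("distinct_users", 0)
            if len(users) >= min_users and len(users) > seen:
                alerts[src] = {"distinct_users": len(users),
                               "first": fails[start]["ts"],
                               "last": fails[end]["ts"]}
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Return sorted (src, user) pairs for successful logins from a
    flagged source: the accounts the spray most likely landed on."""
    return sorted({(e["src"], e["user"]) for e in events
                   if e["result"] == "SUCCESS" and e["src"] in alerts})


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    found = detect_password_spray(evts)
    for src, info in found.items():
        print(f"spray from {src}: {info['distinct_users']} accounts "
              f"between {info['first']} and {info['last']}")
    print("successes from flagged sources:",
          successes_from_flagged_sources(evts, found))
```

The window and threshold are tuning knobs: a real spray is often spread across hours and several source addresses to stay under per-source lockout limits, so in production the same distinct-user logic is usually run per source network or per target domain as well as per IP.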
Exploiting MiniServ
From 10.200.83.150 I removed the file that the exploit created, exploit-M4t35Z.php, the created user
account (with net user testuser1234 /DELETE), and chisel-M4t35Z.exe, which I used for pivoting inside
the internal network.
From 10.200.83.200 I removed the uploaded nmap-M4t35Z binary, which was used to enumerate the
internal network.
Conclusion
The Wreath network suffered a series of control failures which led to a complete compromise of critical
company assets. These failures would have a dramatic effect on the Wreath network if a malicious party
had exploited them.
It is important to note that this collapse of the entire Wreath network security infrastructure can be
greatly attributed to outdated software with known vulnerabilities. Appropriate efforts should be
undertaken to update the versions of the software used, which could help mitigate the effects of
cascading security failures throughout the Wreath network infrastructure.
Nmap Scan
Exploit code