Demo Company

Security Assessment Findings Report

Business Confidential

Date: May 28th, 2019


Project: 897-19
Version 1.0

Demo Company - 001-01


BUSINESS CONFIDENTIAL
Copyright © INE Security (ine.com)
1
Table of Contents
Table of Contents
Confidentiality Statement
Disclaimer
Contact Information
Assessment Overview
Assessment Components
  Internal Penetration Test
Finding Severity Ratings
Scope
  Scope Exclusions
Executive Summary
Vulnerabilities by Impact
Timeline
  Attack Summary
  Technical Findings
Attack Narrative
  Enumerating The Public Server
  Exploiting MiniServ
Cleanup
Conclusion
Appendices
  Nmap Scan
  Exploit code

Confidentiality Statement
This document is the exclusive property of INE Security and <Your name>. This document contains
proprietary and confidential information. Duplication, redistribution, or use, in whole or in part, in any
form, requires consent of both INE and <Your name>.
<Your name> may share this document with auditors under non-disclosure agreements to demonstrate
penetration test requirement compliance.

Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the
information gathered during the assessment and not any changes or modifications made outside of that
period.
Time-limited engagements do not allow for a full evaluation of all security controls. <Your name>
prioritized the assessment to identify the weakest security controls an attacker would exploit. <Your
name> recommends conducting similar assessments on an annual basis by internal or third-party
assessors to ensure the continued success of the controls.

Contact Information
Name          Title                              Contact Information

Demo Company
John Smith    VP, Information Security (CISO)    Office: (555) 555-5555
                                                 Email: john.smith@demo.com
Jim Smith     IT Manager                         Office: (555) 555-5555
                                                 Email: jim.smith@demo.com

INE Security
<Your name>   Lead Penetration Tester            Email: <Your name>@gmail.com

Assessment Overview
From June 30th, 2024 to July 5th, 2024, INE Security engaged <Your name> to evaluate the security
posture of its infrastructure against current industry best practices; the engagement included an
external penetration test.
Phases of penetration testing activities include the following:

● Planning – Customer goals are gathered and rules of engagement obtained.
● Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas,
and exploits.
● Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery
upon new access.
● Reporting – Document all found vulnerabilities and exploits, failed attempts, and company
strengths and weaknesses.

Assessment Components
Internal Penetration Test

An internal penetration test emulates the role of an attacker from inside the network. An engineer will
scan the network to identify potential host vulnerabilities and perform common and advanced internal
network attacks, such as: LLMNR/NBT-NS poisoning and other man-in-the-middle attacks, token
impersonation, pass-the-hash, golden ticket, and more. The engineer will seek to gain access to hosts
through lateral movement, compromise domain user and admin accounts, and exfiltrate sensitive data.

Finding Severity Ratings
The following table defines levels of severity and corresponding CVSS score range that are used
throughout the document to assess vulnerability and risk impact.

Severity        CVSS V3 Score Range   Definition

Critical        9.0-10.0              Exploitation is straightforward and usually results in system-level
                                      compromise. It is advised to form a plan of action and patch
                                      immediately.

High            7.0-8.9               Exploitation is more difficult but could cause elevated privileges and
                                      potentially a loss of data or downtime. It is advised to form a plan of
                                      action and patch as soon as possible.

Moderate        4.0-6.9               Vulnerabilities exist but are not exploitable or require extra steps such
                                      as social engineering. It is advised to form a plan of action and patch
                                      after high-priority issues have been resolved.

Low             0.1-3.9               Vulnerabilities are non-exploitable but would reduce an organization’s
                                      attack surface. It is advised to form a plan of action and patch during
                                      the next maintenance window.

Informational   N/A                   No vulnerability exists. Additional information is provided regarding
                                      items noticed during testing, strong controls, and additional
                                      documentation.

Risk Factors
Risk is measured by two factors: Likelihood and Impact:

Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given based on the
difficulty of the attack, the available tools, attacker skill level, and client environment.
Impact
Impact measures the potential vulnerability’s effect on operations, including confidentiality, integrity,
and availability of client systems and/or data, reputational harm, and financial loss.

Scope
Assessment                    Details

Internal Penetration Test     192.168.0.0/24, 192.168.1.0/24
Network 2                     10.10.10.0/24

Scope Exclusions

Per client request, INE Security did not perform any of the following attacks during testing:

● Denial of Service (DoS), Man-in-the-middle

All other attacks not specified above were permitted by INE Security.

Executive Summary
<Your name> evaluated INE’s internal security posture through an internal network penetration test
from June 30th, 2024 to July 5th, 2024.
By leveraging a series of attacks, <Your name> found critical-level vulnerabilities that allowed full
internal network access to the INE headquarters office. It is highly recommended that INE address these
vulnerabilities as soon as possible, as they are easily found through basic reconnaissance and
exploitable without much effort.

Vulnerabilities by Impact
The following chart illustrates the vulnerabilities found by impact:

Severity        Count
Critical        1
High            2
Moderate        0
Low             1
Informational   0

Total of Vulnerabilities: 4

Timeline
The following chart illustrates a quick timeline of the penetration test so the attacks can be correlated
with logs:

Date/Time            Event

17.06.24             Engagement start
17.06.24 - 12:00     SYSTEM access to GIT-SERV

17.06.24 - 14:00     ROOT access to PROD-SERV

Attack Summary

The following table describes how <Your name> gained internal network access, step by step:

Finding                                            Severity    Recommendation

IPT-001: Insufficient Patch Management -           Critical    Upgrade Samba to the latest version
Samba 3.0.20 ‘Username’ map script Command
Execution - CVE-2007-2447

IPT-002: Insufficient Hardening -                  High        Disable the anonymous login on FTP
Anonymous Permitted

IPT-003: Insufficient Hardening -                  High        Disable READ/WRITE access to the tmp
Samba READ/WRITE Permissions Allowed                           folder without any password

Leveraged valid credentials to log into VPN        Moderate    OWA permitted authentication with valid
                                                               credentials. TCMS recommends DC implement
                                                               Multi-Factor Authentication (MFA) on all
                                                               external services.

Technical Findings
IPT-001 - Insufficient Patch Management (Critical)

Description:   The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote
               attackers to execute arbitrary commands via shell metacharacters involving the (1)
               SamrChangePassword function, when the "username map script" smb.conf option is
               enabled, and allows remote authenticated users to execute commands via shell
               metacharacters involving other MS-RPC functions in the (2) remote printer and (3)
               file share management.
Impact:        Critical
Tools Used:    Metasploit, searchsploit
System:        192.168.0.5
References:    www.exploit-db.com/exploits/16320
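As an added audit check (not part of the report, and not Samba's own code), the following Python tests a host for the two preconditions named in the description above: an smbd in the affected 3.0.0 through 3.0.25rc3 range and a "username map script" option set in smb.conf. The smb.conf text is constructed; on a live host the inputs would come from the host's smb.conf and the output of smbd -V.

```python
"""Added audit check (not the report's or Samba's own code) for the IPT-001
precondition: Samba 3.0.0 .. 3.0.25rc3 with 'username map script' set."""
import re

# Constructed smb.conf modelled on the finding (Samba 3.0.20 with the option set).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
"""

def parse_version(v):
    """'3.0.25rc3' -> (3, 0, 25, 0, 3); GA '3.0.25' -> (3, 0, 25, 1, 0), so rc < GA."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch)) + ((0, int(rc)) if rc else (1, 0))

def in_affected_range(version):
    """True for 3.0.0 <= version <= 3.0.25rc3, the range given in the CVE text."""
    return parse_version("3.0.0") <= parse_version(version) <= parse_version("3.0.25rc3")

def username_map_script_enabled(conf):
    """True if [global] sets 'username map script' to a non-empty value. Option
    names are case-insensitive and ignore whitespace; ';' and '#' start comments."""
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "global" and value.strip() \
                and re.sub(r"\s+", "", key).lower() == "usernamemapscript":
            return True
    return False

def assess(conf, version):
    """'vulnerable' (both preconditions), 'mitigated' (option unset) or 'not_affected'."""
    if not in_affected_range(version):
        return "not_affected"
    return "vulnerable" if username_map_script_enabled(conf) else "mitigated"
```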

Exploitation Proof of Concept

Figure 1: Sample list of breached user credentials

TCMS used the gathered credentials to perform a credential stuffing attack against the OWA login page.
Credential stuffing attacks take previously known credentials and attempt to use them on login forms to
gain access to company resources. TCMS was unsuccessful in the attack but was able to gather
additional sensitive information from the OWA server in the form of username enumeration.

Figure 2: OWA username enumeration

TCMS gathered the valid usernames and performed a password spraying attack. A password spraying
attack attempts to use common passwords against known usernames in hopes of gaining access to
company resources. TCMS attempted the common password Summer2018! (season + year + special
character) against all known valid usernames. One username returned a successful login:

Figure 3: Successful OWA Login

TCMS leveraged the valid credentials to log into the client VPN portal and gain access to the internal
network.
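As an added detection example (not part of the report), the following Python flags the spray signature described above in login audit logs: one source, a few failures each against many distinct accounts, followed by a success. The log format and the sample lines are constructed for this example and are not a real OWA or IIS log format.

```python
"""Added detection example (not part of the report): flag the password-spraying
pattern in web-login audit logs. Log format below is constructed, not OWA/IIS."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample (UTC): 203.0.113.7 sprays one password across accounts and
# gets into egreen; 198.51.100.9 brute-forces a single account; 192.0.2.44 is a
# user who mistypes once. Only the spray should be reported.
SAMPLE_LOG = """\
2018-07-10T09:00:01Z src=203.0.113.7 user=asmith result=FAIL
2018-07-10T09:00:02Z src=203.0.113.7 user=bjones result=FAIL
2018-07-10T09:00:03Z src=203.0.113.7 user=cwhite result=FAIL
2018-07-10T09:00:04Z src=203.0.113.7 user=dlee result=FAIL
2018-07-10T09:00:05Z src=203.0.113.7 user=egreen result=SUCCESS
2018-07-10T09:01:00Z src=198.51.100.9 user=admin result=FAIL
2018-07-10T09:01:01Z src=198.51.100.9 user=admin result=FAIL
2018-07-10T09:01:02Z src=198.51.100.9 user=admin result=FAIL
2018-07-10T09:01:03Z src=198.51.100.9 user=admin result=FAIL
2018-07-10T09:05:00Z src=192.0.2.44 user=fbrown result=FAIL
2018-07-10T09:05:20Z src=192.0.2.44 user=fbrown result=SUCCESS
"""

def parse(log):
    """Yield (timestamp, src, user, result) per line; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        kv = dict(p.split("=", 1) for p in parts[1:])
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["user"], kv["result"]

def detect_spray(log, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Spray signature: within one `window`, a single source fails against at
    least min_users distinct accounts, none more than max_per_user times. Brute
    force (many failures, one account) does not match. Successes from the same
    source in that window are reported so the compromised account (cf. Figure 3)
    is visible. Fixed buckets are used for brevity; a spray may straddle two."""
    buckets = defaultdict(lambda: (defaultdict(int), set()))
    for ts, src, user, result in parse(log):
        fails, hits = buckets[(src, (ts - EPOCH) // window)]
        if result == "SUCCESS":
            hits.add(user)
        else:
            fails[user] += 1
    alerts = {}
    for (src, _), (fails, hits) in buckets.items():
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            alerts[src] = {"sprayed": sorted(fails), "compromised": sorted(hits)}
    return alerts
```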

Attack Narrative

Enumerating The Public Server

Exploiting MiniServ

Cleanup
From 10.200.83.100 I removed my nc wrapper System.exe and the custom-compiled nc.exe binary
which was used to bypass the Antivirus software running on the system.
I also removed the file upload exploit file image.png.php that I uploaded, which was used to get the
initial remote code execution.

From 10.200.83.150 I removed the file that the exploit created, exploit-M4t35Z.php, the created user
account with net user testuser1234 /DELETE, and chisel-M4t35Z.exe that I used for pivoting inside the
internal network.

From 10.200.83.200 I removed the uploaded nmap-M4t35Z binary which was used to enumerate the
internal network.

Conclusion
The Wreath network suffered a series of control failures which led to a complete compromise of critical
company assets. These failures would have a dramatic effect on the Wreath network if a malicious party
had exploited them.

It is important to note that this collapse of the entire Wreath network security infrastructure can be
largely attributed to outdated software with known vulnerabilities. Appropriate efforts should be
undertaken to update the versions of the software used, which could help mitigate the effects of
cascading security failures throughout the Wreath network infrastructure.

Appendices

Nmap Scan

Exploit code

Last Page
