CUSTOMER ​PENTEST REPORT
BTPSec
Office 7, 35-37 Ludgate Hill
EC4M7JN, London
Tel: +44 203 2870040
info@btpsec.com
www.btpsec.com
TEST DATES:
Legal Warning: This document contains confidential information about “CUSTOMER” and
may be viewed ONLY by authorized personnel.
If you have opened this document by accident, please report it to info@btpsec.com
Strictly CONFIDENTIAL 1
CONTENTS
REPORT DETAILS
LEGAL RESPONSIBILITIES
INTRODUCTION
ABOUT THE PENTEST REPORT
SCOPE
PENTEST RESULT EVALUATION
STATISTICAL RESULTS OF THE PENTEST
Summary table of vulnerabilities
Table 1 Vulnerabilities by category
Vulnerabilities by Category and importance level
Table 2 Vulnerabilities by Category and importance level
Graphical representation of vulnerabilities by risk levels
Picture 1 Vulnerability risk levels and their count
Number of Findings by test category
Picture 2. Number of findings by test category
Vulnerabilities and effects
Picture 3 Number of Findings and their effects
Vulnerabilities by entry point
Picture 4 Number of findings by entry point
Number of Findings by reasons of vulnerability
Picture 5 Number of findings by reasons of vulnerability
TEST METHODOLOGY
INFORMATION GATHERING
Passive Information Gathering
Active Information Gathering
NETWORK MAPPING
VULNERABILITY SCANNING
SYSTEM ACCESS
PRIVILEGE ESCALATION
GAINING ACCESS TO OTHER SYSTEMS
JUMPING TO OTHER NETWORKS
RETAINING ACCESS
LOSING TRACKS
REPORTING
PENTEST DETAILS
ENTRY POINTS OF THE PENTEST
USER PROFILES USED DURING PENTEST
RISK LEVELS OF VULNERABILITIES
PERFORMED TESTS AND RESULTS
SOCIAL ENGINEERING TESTS
Performed Tests
Vulnerabilities discovered by this test:
WEB APPLICATION PENTEST
Performed Tests
Vulnerabilities discovered by this test:
DOMAIN, SERVER AND CLIENT TESTS
Performed Tests
Vulnerabilities discovered by this test
SWITCH AND ROUTER TESTS
Performed tests
Vulnerabilities discovered by this test
EMAIL AND DNS SERVER TESTS
Tests performed
Vulnerabilities discovered by this test.
DATABASE TESTS
Performed tests
Vulnerabilities discovered by this test
WIRELESS TESTS
Performed tests
Vulnerabilities discovered by this test
DDOS TESTS
Performed tests
Vulnerabilities discovered by this test
1. REPORT DETAILS
Report Header | Demo Customer Penetration Test Report
Version | 1.0
Author |
Test Team | RedTeam
Report class | Secret
Customer Representative
Name, Last Name | Title | Organization
 | System Manager |
1. LEGAL RESPONSIBILITIES
Report contents are confidential and may not be transferred to or shared with third parties
without the written consent of both BTPSec and the customer.
The report contains the security vulnerabilities discovered by our team that were present
during the testing period and publicly known at that date. Between the end of testing and the
delivery of the report, new vulnerabilities may have been published; both parties should
understand that these are not covered by the test and that the testing company cannot be
held liable for them.
Solution recommendations (fixes) given in the report are advisory only. Problems resulting
from applying them are not supported by BTPSec; professional support should be obtained
before applying the fixes.
2. INTRODUCTION
This report covers the detailed information obtained by auditing the security of Customer’s
information systems, performed between dates.
During the test we avoided tools and methods that could negatively affect the information
systems, and no action that could cause a denial-of-service condition was performed.
The report describes the categories of the vulnerabilities found, the methods used to exploit
them and how to remediate them.
3. ABOUT THE PENTEST REPORT
This part helps the reader understand the report and its details.
This report has been prepared to give the Customer details about the vulnerabilities in its
information systems. The report is as important as the pentest itself, since it is the only
output that shows which tests were performed. It records all operations carried out during
the test and summarises the customer’s security posture from several viewpoints.
We aim to prepare a useful report that correctly guides the customer toward the investments
needed to sustain better security.
BTPSec used the following guidelines while preparing this report;
● OWASP Testing Guide v4
● OSSTMM
● ISSAF
● NIST
● BDDK (BSD.2012/1)
● TSE Pentest Technical Criteria (Turkish Standards Institute)
The report covers the results of all tests performed. Target systems are listed in table 1 of
the Scope section. A summary of the organisation’s security posture is given under the
“Summary of Pentest and Evaluation” section; if the domain administrator account was
compromised, that scenario is also detailed in the same section. Discovery statistics are
given under “Statistical Results of the Pentest”. The test method is described in the “Test
Methodology” section, where each phase of the pentest is accompanied by a short explanation.
The “Pentest Details” section describes where the tests were performed, which user profiles
were simulated, how findings are categorised and how risk levels are assigned.
The tests and their results are detailed in the “Performed Tests and Results” section.
Findings are ordered by risk level. Each finding has its own finding table, which includes
the name of the finding, its risk level, effect, entry point, user profile, test category and
reason.
A detailed explanation of each finding is provided under “Description”, followed by the list
of affected systems. Remediation steps are given under “Solution Recommendation”, and
further reading on the vulnerability and its fixes under “References”.
A sample finding and a description of its fields:
Finding Name: Descriptive name of the finding
Risk level: Risk level of the finding
Effect of the vulnerability: Potential result when the vulnerability is exploited
Access Point: Entry point of the tester (Internet or local network)
Category: Test category
User Profile: User profile used during the test
Reason of finding: Why this vulnerability exists
Description:
This field explains the vulnerability and the exploitation method.
Systems that have this vulnerability:
Names of the systems that have this vulnerability.
Solution Recommendation:
Solutions offered to eliminate this vulnerability.
References:
Detailed information about the vulnerability and its remediation.
4. SCOPE
The purpose of the penetration test is to gain access to customer systems by discovering
and exploiting the vulnerabilities in them. Penetration tests are performed within the scope
given by the customer, so determining the scope is highly important for evaluating the real
risks the customer faces.
Attackers approach systems very differently from system administrators. A single system that
is somehow connected to the network but left out of scope can put the whole environment at
serious risk.
Scope specifics are determined as per the table below.
Test Category | Details
External network IP blocks |
Internal network IP blocks |
E-mail gateways |
DNS servers |
Web apps |
Social engineering (e-mail) |
Wireless network |
DDoS |
Table 1: Pentest scope
BTPSec used the following source (NAT) IP address during the test;
● x.x.x.x
5. SUMMARY OF PENTEST AND EVALUATION
This report covers the results of the penetration tests against customer systems performed
by BTPSec. The pentest started on Date, time and finished on Date, time.
Tests performed against the systems include web application tests, domain/client/server
tests, network tests, e-mail service tests, DNS service tests, database tests and DoS/DDoS
tests.
Throughout the tests, all systems within the scope were examined from an attacker’s
perspective, and all intrusions were made with the customer’s knowledge.
At the end of the test, x urgent, y critical, z high, a medium and b low level vulnerabilities
were found, with a grand total of c.
Where applicable, the IP addresses used by our team were given special permission.
Web application tests disclosed one or more findings rated high or above that could seriously
harm the customer’s corporate image.
Findings x, y and z are critical level findings.
Security devices and attack-prevention measures identified during the penetration test are
listed below:
Thank you for choosing us to test your network, systems and applications.
Domain administrator takeover scenario:
6. STATISTICAL RESULTS OF THE PENTEST
A statistical overview of the findings can be of critical importance when planning
remediation. Graphically presented risks also help in analysing risks during an ISO 27001
process, and the security investments needed to close the organisation’s gaps can be
visualised effectively with these graphs.
Urgent level vulnerabilities are listed below:
6.1.Summary table of vulnerabilities
Name of vulnerability | Importance | Category
Phishing by Email | Urgent | Social Engineering
Remote Code Execution | Urgent | Network
Table 1 Vulnerabilities by category
6.2.Vulnerabilities by Category and importance level
SCOPE | Urgent | Critical | High | Medium | Low | TOTAL
Social Engineering | 2 | | | | | 2
Web Apps | | | | | | 2
Server/Client Systems | | | | | |
Network Systems | | | | | | 2
Email and DNS Servers | | | | | |
Database Systems | | | | | |
Wireless Network Systems | | | | | |
DDoS Tests | | | | | |
TOTAL | | | | | |
Table 2 Vulnerabilities by Category and importance level (numbers are randomized for demo
purposes)
Note: Nessus-style colour coding has been used for the risk levels.
6.3.Graphical representation of vulnerabilities by risk levels
Picture 1 Vulnerability risk levels and their count
6.4.Number of Findings by test category
Picture 2. Number of findings by test category
6.5. Vulnerabilities and effects
Picture 3 Number of Findings and their effects
6.6. Vulnerabilities by entry point
Picture 4 Number of findings by entry point
6.7.Number of Findings by reasons of vulnerability
Picture 5 Number of findings by reasons of vulnerability
7. TEST METHODOLOGY
A proactive attacker’s approach was chosen to simulate the risks as realistically as possible.
The methods used are vulnerability scanning and penetration testing. Commercial and
non-commercial tools are used to scan the elements within the scope automatically.
During the pentest, however, the vulnerabilities found by the scan are analysed and tested
manually for exploitation. At this point we try to gain access to customer systems quietly and
without causing harm. After obtaining access, we try to move on to other systems and
databases. The quality of the test depends heavily on the experience of the pentest team.
BTPSec performs tests in accordance with ISO 27001 and PCI DSS (Payment Card Industry
Data Security Standard) requirements.
BTPSec used the following references while preparing this report:
● OWASP Testing Guide v4
● OSSTMM
● ISSAF
● NIST
● BDDK (BSD.2012/1)
● TSE (Turkish Standards Institute)
The pentest has 3 main steps: testing, reporting and verification.
The detailed steps of the pentest are as follows:
1. INFORMATION GATHERING
a. Passive Information Gathering
b. Active Information Gathering
2. NETWORK MAPPING
3. VULNERABILITY SCANNING
4. SYSTEM ACCESS
5. PRIVILEGE ESCALATION
6. GAINING ACCESS TO OTHER SYSTEMS
7. JUMPING TO OTHER NETWORKS
8. RETAINING ACCESS
9. LOSING TRACKS
10. REPORTING
7.1. INFORMATION GATHERING
In this phase, all relevant information about the organisation is collected, using two
methods: passive and active information gathering.
7.1.1. Passive Information Gathering
Only public Internet sources are used to gather information about the customer; not a single
probe is sent to the target systems.
Platforms;
● Archive sites (archive.org)
● Search engines (Google, Bing, Yahoo etc.)
● Social networks (Twitter, Facebook, LinkedIn, Pipl etc.)
● Blogs and forums
● Career sites etc.
Information obtained here is used in later phases of the test; an experienced team will recall
and correlate it when it becomes relevant.
7.1.2. Active Information Gathering
The customer’s systems are probed directly in order to obtain:
● DNS records (A, MX, NS etc.)
● DNS server version information
● Subdomain names
● E-mail platform
● Service banners etc.
7.2. NETWORK MAPPING
In this phase we aim to discover the organisation’s network topology. Open ports, the services
running on them and the network and security devices discovered help us draw this map.
Picture 1 Demo Network Map *
7.3.VULNERABILITY SCANNING
The running services, i.e. applications and their versions, play a big role in vulnerability
scanning. The version is discovered from the banner returned by each application after the
listening services have been probed quietly.
Vulnerability scanning is mostly done with automated tools. Configuration errors, logic flaws
and policy errors, however, are largely found by experienced penetration testers.
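As an added example (not BTPSec tooling and not part of the original report), the following Python script shows the banner-to-version step that both the active information gathering and the vulnerability scanning phases rely on. The host addresses, ports and banner strings are constructed for illustration; grab_banner performs a real TCP connection when pointed at an in-scope target, while offline_grabber replays the constructed banners so the example runs without network access.

```python
import re
import socket

# Constructed sample banners (hosts from the 203.0.113.0/24 documentation range).
SAMPLE_BANNERS = {
    ("203.0.113.10", 22): b"SSH-2.0-OpenSSH_7.4\r\n",
    ("203.0.113.10", 25): b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    ("203.0.113.20", 80): b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    ("203.0.113.30", 21): b"220 (vsFTPd 3.0.3)\r\n",
    ("203.0.113.40", 8080): b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Ordered from most to least specific. Each pattern names a product group and a
# version group; a version the banner does not reveal stays None.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_-](?P<version>[\d.p]+)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[\w-]+)/(?P<version>[\d.]+)", re.M)),
    ("smtp", re.compile(r"^220 .*?ESMTP (?P<product>\w+)(?: (?P<version>[\d.]+))?")),
    ("ftp", re.compile(r"^220 \((?P<product>\w+) (?P<version>[\d.]+)\)")),
]

WEB_PORTS = (80, 8000, 8080)  # plain-HTTP ports that answer only after a request


def parse_banner(raw):
    """Map a raw banner to {service, product, version}; unknown banners are kept, not dropped."""
    text = raw.decode("utf-8", errors="replace")
    for service, pattern in BANNER_PATTERNS:
        match = pattern.search(text)
        if match:
            return {"service": service, "product": match.group("product"),
                    "version": match.group("version")}
    return {"service": "unknown", "product": None, "version": None}


def grab_banner(host, port, timeout=3.0):
    """One TCP connection, one read. Web servers say nothing until asked, so a
    minimal HEAD request is sent on plain-HTTP ports. Errors yield an empty banner."""
    probe = b""
    if port in WEB_PORTS:
        probe = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if probe:
                sock.sendall(probe)
            return sock.recv(1024)
    except OSError:
        return b""


def offline_grabber(host, port):
    """Stand-in for grab_banner that replays the constructed banners."""
    return SAMPLE_BANNERS.get((host, port), b"")


def scan(targets, grabber=grab_banner):
    """Return one record per (host, port); the grabber is injectable so the same
    code runs live against a target list or offline against the samples."""
    results = []
    for host, port in targets:
        record = {"host": host, "port": port}
        record.update(parse_banner(grabber(host, port)))
        results.append(record)
    return results


if __name__ == "__main__":
    for record in scan(sorted(SAMPLE_BANNERS), grabber=offline_grabber):
        print(record)
```

The product/version pairs are what the scanner matches against known vulnerabilities; a service that reveals no version (the 8080 entry above) still needs manual probing, and on the defensive side the same parser shows at a glance which banners expose more than they need to.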
7.4.SYSTEM ACCESS
In this phase the vulnerabilities are exploited and systems are accessed. The vulnerabilities
found are analysed further and suitable exploits are chosen; if needed and time allows, a new
exploit is written.
This phase is important because, without the know-how and experience of the pentesters, it is
very hard to gain access to systems, and if we cannot get in this does not necessarily mean
that attackers cannot. That outcome is undesirable for both the customer and us. After gaining
access we usually look for user accounts and their password hashes and try to crack them.
7.5.PRIVILEGE ESCALATION
It is not always possible to obtain a privileged user’s password. On misconfigured or
unpatched systems it may be possible to escalate the privileges of a low-privileged user.
Credentials can also sometimes be found in system logs or configuration files.
*Source: Offensivesecurity.com
7.6.GAINING ACCESS TO OTHER SYSTEMS
A detailed search takes place here. Devices on the same network as the compromised systems
are scanned for vulnerabilities and exploited. Passwords already obtained are also reused
wherever they are valid.
7.7.JUMPING TO OTHER NETWORKS
Other networks and subnets reachable from the compromised systems are also analysed, and
the ways of connecting to them are tested.
7.8.RETAINING ACCESS
Real attackers retain access to compromised accounts and systems by making small changes to
them. A pentester therefore also looks for ways to retain access to the systems.
7.9.LOSING TRACKS
Throughout the test, systems are compromised or analysed, and all traces of those intrusions
are cleaned up at the end of the test. All backdoors, trojans or similar tools and scripts are
removed, and this is communicated transparently during the test.
7.10. REPORTING
The report explains all actions performed on the systems. It is the only outcome of the test
and is prepared with the best effort to communicate our methodology, approach, actions and
results clearly. The information provided gives the customer sufficient background to mitigate
the security gaps. Solution recommendations are kept up to date. The tools and methods used
are shared openly so that general awareness increases and system owners understand the
effects. A security evaluation of the company is provided with clear graphical representations.
8. PENTEST DETAILS
8.1. ENTRY POINTS OF THE PENTEST
Access Point | Description
Internet | All information systems of the customer reachable from the Internet are tested.
Local Network | Tests take place on the internal network, where the pentester is given the rights of a normal user.
8.2. USER PROFILES SIMULATED DURING PENTEST
Attacker profile | Description
Anonymous user | An anonymous Internet user. We use this profile to discover how a user with no login credentials can alter or break into the system.
Employee | Tester accounts are created by the employer exactly as they would be for an employee. The most common account type is used, but a user with local administrator privileges is also tested. The access privileges and user profiles given are stated clearly in the report.
Other user | Any user not covered by the above types is reported under ‘Other user’.
8.3. RISK LEVELS OF VULNERABILITIES
Risk Level | Score | Detailed explanation
URGENT | 5 | Attacks that take control of the system and can easily be performed from the Internet by an inexperienced attacker. E.g. stored XSS, SQL injection and RFI/LFI.
CRITICAL | 4 | Attacks that take control of the system and can be performed from the Internet by an experienced attacker. E.g. reflected and DOM-based XSS.
HIGH | 3 | Attacks that use privilege escalation or are likely to cause a denial of service. These attacks can be performed from inside or outside the network.
MEDIUM | 2 | Attacks that cause a denial of service and can only be performed from inside the network.
LOW | 1 | The impact of these vulnerabilities is usually unclear; they stem from not following security best practices.
Table 1 Risk levels of vulnerabilities
9. PERFORMED TESTS AND RESULTS
We performed the following tests against the customer network; the results are given below.
9.1 SOCIAL ENGINEERING TESTS
Social engineering is a basic penetration test method. These attacks target people, human
relationships and, in short, human weaknesses. People working for the customer are misled
into doing things they should not do. User identities, passwords, secret projects, appointments
and similar information are obtained this way. This information is usually valuable to an
attacker even though the insider or target rarely realises how valuable it is, and it helps the
attacker complete the puzzle.
If information security is a chain, the human is its weakest link. To improve here, the company
should train its employees regularly through classes, seminars etc. Social engineering tests
must be repeated in order to measure the real effect of that training.
9.1.1 Performed Tests
We mostly used telephone and e-mail in the tests. The scenarios are planned, played out and
reported.
Sample test:
9.1.2 Vulnerabilities discovered by this test:
9.2 WEB APPLICATION PENTEST
Web applications are the company’s front windows to the outside world and carry much of its
reputation. The purpose of web application attacks is mostly to test whether customer systems
can be compromised through the web applications. We also test for denial-of-service
weaknesses by heavily loading the web applications and/or the devices in front of them.
9.2.1 Performed Tests
BTPSec used techniques that do not damage the service or its availability. All false positives
were eliminated.
BTPSec performed the following OWASP tests;
Configuration and Deployment Management Testing
● Test Network/Infrastructure Configuration (OTG-CONFIG-001)
● Test Application Platform Configuration (OTG-CONFIG-002)
● Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
● Review Old, Backup and Unreferenced Files for Sensitive Information
(OTG-CONFIG-004)
● Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
● Test HTTP Methods (OTG-CONFIG-006)
● Test HTTP Strict Transport Security (OTG-CONFIG-007)
● Test RIA cross domain policy (OTG-CONFIG-008)
Identity Management Testing
● Test Role Definitions (OTG-IDENT-001)
● Test User Registration Process (OTG-IDENT-002)
● Test Account Provisioning Process (OTG-IDENT-003)
● Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)
● Testing for Weak or unenforced username policy (OTG-IDENT-005)
Authentication Testing
● Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
● Testing for default credentials (OTG-AUTHN-002)
● Testing for Weak lock out mechanism (OTG-AUTHN-003)
● Testing for bypassing authentication schema (OTG-AUTHN-004)
● Test remember password functionality (OTG-AUTHN-005)
● Testing for Browser cache weakness (OTG-AUTHN-006)
● Testing for Weak password policy (OTG-AUTHN-007)
● Testing for Weak security question/answer (OTG-AUTHN-008)
● Testing for weak password change or reset functionalities (OTG-AUTHN-009)
● Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)
Authorization Testing
● Testing Directory traversal/file include (OTG-AUTHZ-001)
● Testing for bypassing authorization schema (OTG-AUTHZ-002)
● Testing for Privilege Escalation (OTG-AUTHZ-003)
● Testing for Insecure Direct Object References (OTG-AUTHZ-004)
Session Management Testing
● Testing for Bypassing Session Management Schema (OTG-SESS-001)
● Testing for Cookies attributes (OTG-SESS-002)
● Testing for Session Fixation (OTG-SESS-003)
● Testing for Exposed Session Variables (OTG-SESS-004)
● Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)
● Testing for logout functionality (OTG-SESS-006)
● Test Session Timeout (OTG-SESS-007)
● Testing for Session puzzling (OTG-SESS-008)
Input Validation Testing
● Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)
● Testing for Stored Cross Site Scripting (OTG-INPVAL-002)
● Testing for HTTP Verb Tampering (OTG-INPVAL-003)
● Testing for HTTP Parameter pollution (OTG-INPVAL-004)
● Testing for SQL Injection (OTG-INPVAL-005)
   ○ Oracle Testing
   ○ MySQL Testing
   ○ SQL Server Testing
   ○ Testing PostgreSQL (from OWASP BSP)
   ○ MS Access Testing
   ○ Testing for NoSQL injection
● Testing for LDAP Injection (OTG-INPVAL-006)
● Testing for ORM Injection (OTG-INPVAL-007)
● Testing for XML Injection (OTG-INPVAL-008)
● Testing for SSI Injection (OTG-INPVAL-009)
● Testing for XPath Injection (OTG-INPVAL-010)
● IMAP/SMTP Injection (OTG-INPVAL-011)
● Testing for Code Injection (OTG-INPVAL-012)
   ○ Testing for Local File Inclusion
   ○ Testing for Remote File Inclusion
● Testing for Command Injection (OTG-INPVAL-013)
● Testing for Buffer overflow (OTG-INPVAL-014)
   ○ Testing for Heap overflow
   ○ Testing for Stack overflow
   ○ Testing for Format string
● Testing for incubated vulnerabilities (OTG-INPVAL-015)
● Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
Testing for Error Handling
● Analysis of Error Codes (OTG-ERR-001)
● Analysis of Stack Traces (OTG-ERR-002)
Testing for weak Cryptography
● Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
(OTG-CRYPST-001)
● Testing for Padding Oracle (OTG-CRYPST-002)
● Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)
Business Logic Testing
● Test Business Logic Data Validation (OTG-BUSLOGIC-001)
● Test Ability to Forge Requests (OTG-BUSLOGIC-002)
● Test Integrity Checks (OTG-BUSLOGIC-003)
● Test for Process Timing (OTG-BUSLOGIC-004)
● Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
● Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
● Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
● Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
● Test Upload of Malicious Files (OTG-BUSLOGIC-009)
Client Side Testing
● Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)
● Testing for JavaScript Execution (OTG-CLIENT-002)
● Testing for HTML Injection (OTG-CLIENT-003)
● Testing for Client Side URL Redirect (OTG-CLIENT-004)
● Testing for CSS Injection (OTG-CLIENT-005)
● Testing for Client Side Resource Manipulation (OTG-CLIENT-006)
● Test Cross Origin Resource Sharing (OTG-CLIENT-007)
● Testing for Cross Site Flashing (OTG-CLIENT-008)
● Testing for Clickjacking (OTG-CLIENT-009)
● Testing WebSockets (OTG-CLIENT-010)
● Test Web Messaging (OTG-CLIENT-011)
● Test Local Storage (OTG-CLIENT-012)
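As an added example, not taken from the report or from BTPSec’s tooling, the script below implements two of the checks listed above, OTG-CONFIG-007 (HTTP Strict Transport Security) and OTG-SESS-002 (cookie attributes), over a constructed HTTP response. The response, the cookie names, the list of name fragments that mark a cookie as sensitive and the one-year max-age threshold are assumptions for illustration.

```python
# Constructed response from a hypothetical login endpoint; header values are
# chosen so that one cookie fails the checks and one passes them.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=def456; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

MIN_HSTS_AGE = 31536000                            # one year (assumed threshold)
SESSION_HINTS = ("sess", "sid", "token", "auth")   # assumed markers of a sensitive cookie


def parse_headers(raw_response):
    """Split a raw HTTP response into (lower-cased name, value) pairs, keeping duplicates."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    return directives


def check_hsts(headers):
    """OTG-CONFIG-007: the header must exist, last long enough and cover subdomains."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["HSTS header missing"]
    findings = []
    directives = parse_directives(values[0])
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age too short ({max_age} s, expected >= {MIN_HSTS_AGE})")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


def check_cookies(headers):
    """OTG-SESS-002: sensitive cookies need Secure, HttpOnly and a restrictive SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if not any(hint in cookie_name.lower() for hint in SESSION_HINTS):
            continue                               # non-sensitive cookies are not reported
        attrs = parse_directives(value.split(";", 1)[1] if ";" in value else "")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: Secure flag missing")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: HttpOnly flag missing")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cookie_name}: SameSite not Lax/Strict")
    return findings


def audit(raw_response):
    """Run both checks and return the list of findings for one response."""
    headers = parse_headers(raw_response)
    return check_hsts(headers) + check_cookies(headers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Against the sample response the audit reports the short HSTS max-age, the missing includeSubDomains directive and the three missing attributes on SESSIONID, while csrftoken passes; a response with no Strict-Transport-Security header at all is reported as a single missing-header finding rather than a max-age one.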
9.2.2 Vulnerabilities discovered by this test:
9.3 DOMAIN, SERVER AND CLIENT TESTS
In this test category the domain, local servers and clients are tested. The attacker profiles
applied are a disgruntled employee and a newly hired employee with attacker skills. These tests
aim to compromise internal systems and applications and so show the risks the company faces
from the inside.
9.3.1 Performed Tests
● Misconfigurations in the initial settings of client systems are tested.
● Privilege escalation attempts are made.
● Password policies of local accounts on client systems are tested.
● Domain user password policy and password storage policy are tested.
● Security patches of clients are checked for being up to date.
● Security patches of servers are checked for being up to date.
● Servers and clients are scanned for vulnerabilities, and it is tested whether those
vulnerabilities lead to remote code execution or information leakage.
● The security of anti-malware and anti-remote-execution controls on clients and servers is
tested.
● Systems and applications are tested for weak passwords and policies.
● Systems with predefined (default) passwords are tested.
● OS services and 3rd party applications are tested.
9.3.2 Vulnerabilities discovered by this test
9.4 SWITCH AND ROUTER TESTS
Network devices such as switches and routers usually ship with predefined services, many of
them unused, and open ports. In our tests we check the network devices for vulnerabilities,
e.g. unused ports, unnecessary services, common passwords and SNMP community strings and,
most importantly, insecure or incorrect configurations.
In this category, cyber attacks that could make use of the network devices are simulated and
the risks are stated.
9.4.1 Performed tests
● All network devices are scanned with commercial scanners.
● Services and protocols running on them are reported.
● User authentication mechanisms are tested.
● Running services are examined.
● Port security, access control and the VLAN/trunk structure on active devices are
audited.
9.4.2 Vulnerabilities discovered by this test
9.5 EMAIL AND DNS SERVER TESTS
All e-mail communication passes through the company’s e-mail gateway. Insecure or
misconfigured e-mail gateways can lead to data leakage, impersonation etc.
DNS servers are also important because they direct both outside and inside communication.
They translate host names to IP addresses (and back); since most people rely on
easy-to-remember names when connecting to servers and clients, the DNS server must be tested
against both general and DNS-specific vulnerabilities.
9.5.1 Tests performed
Email gateway tests;
● Location of the e-mail gateways in the topology.
● E-mail gateway software and version.
● Open relay vulnerability is tested.
● Services on the e-mail gateway are discovered and analysed.
● POP3 and IMAP client services and their configurations are tested.
● Mail servers are tested for vulnerabilities using commercial scanners.
● Vulnerabilities found are verified.
● E-mail server software is tested for vulnerabilities.
● Whether the mail server limits attachment sizes is tested.
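The open relay item above is illustrated by the following added example of the SMTP exchange the test performs; it is not part of the original report and not BTPSec tooling. The gateway name, the envelope addresses and the server replies are constructed for illustration. SocketTransport talks to a real gateway on port 25; ScriptedTransport replays the constructed transcripts so the exchange can be run offline. The check deliberately stops at RCPT TO and never sends DATA, so even an open relay delivers nothing during the test.

```python
import socket

# Envelope for the probe: an external sender to an external recipient is exactly
# what a correctly configured gateway must refuse. Addresses are constructed.
EXTERNAL_FROM = "tester@attacker.test"
EXTERNAL_TO = "victim@thirdparty.test"

# Constructed server transcripts, one per outcome.
OPEN_RELAY_SCRIPT = [
    "220 mail.example.test ESMTP Postfix",
    "250-mail.example.test", "250-SIZE 10240000", "250 8BITMIME",
    "250 2.1.0 Ok",                       # MAIL FROM accepted
    "250 2.1.5 Ok",                       # RCPT TO accepted: relay is open
    "221 2.0.0 Bye",
]
SECURE_SCRIPT = [
    "220 mail.example.test ESMTP Postfix",
    "250-mail.example.test", "250 8BITMIME",
    "250 2.1.0 Ok",
    "554 5.7.1 <victim@thirdparty.test>: Relay access denied",
    "221 2.0.0 Bye",
]


class SocketTransport:
    """Line-oriented wrapper over a real TCP connection to the gateway."""

    def __init__(self, host, port=25, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(1024)
            if not chunk:
                break
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode(errors="replace").rstrip("\r")

    def send(self, line):
        self.sock.sendall(line.encode() + b"\r\n")

    def close(self):
        self.sock.close()


class ScriptedTransport:
    """Replays canned server lines and records what the client sent."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.sent = []

    def readline(self):
        return self.responses.pop(0) if self.responses else ""

    def send(self, line):
        self.sent.append(line)

    def close(self):
        pass


def read_reply(transport):
    """Collect one SMTP reply, including 250-... continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = transport.readline()
        if not line:
            break
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends the reply
            break
    code = int(lines[0][:3]) if lines and lines[0][:3].isdigit() else 0
    return code, lines


def check_open_relay(transport, helo_name="pentest.test"):
    """Walk the envelope up to RCPT TO and classify the gateway's answer."""
    result = {"open_relay": False, "verdict": "", "exchange": []}
    code, _ = read_reply(transport)
    result["exchange"].append(("BANNER", code))
    if code != 220:
        transport.close()
        result["verdict"] = "no SMTP greeting"
        return result
    for cmd in (f"EHLO {helo_name}",
                f"MAIL FROM:<{EXTERNAL_FROM}>",
                f"RCPT TO:<{EXTERNAL_TO}>"):
        transport.send(cmd)
        code, lines = read_reply(transport)
        verb = cmd.split(" ", 1)[0]
        result["exchange"].append((verb, code))
        if verb == "RCPT":
            result["open_relay"] = code == 250
            result["verdict"] = ("gateway relays external sender to external recipient"
                                 if code == 250
                                 else "relay refused: " + (lines[0] if lines else "no reply"))
        elif code != 250:
            result["verdict"] = f"{verb} rejected with {code}"
            break
    transport.send("QUIT")          # DATA is never sent: the check ends at RCPT TO
    transport.close()
    return result


if __name__ == "__main__":
    print(check_open_relay(ScriptedTransport(OPEN_RELAY_SCRIPT)))
    print(check_open_relay(ScriptedTransport(SECURE_SCRIPT)))
```

A gateway that answers 250 to the external-to-external RCPT TO is reported as an open relay; a 5xx reply at that step is the expected secure behaviour, and a rejection earlier in the dialogue (for example a 550 to the MAIL FROM) ends the check without a relay verdict.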
DNS tests;
● DNS server location in the topology map is analysed.
● DNS zone transfer (AXFR) vulnerability is tested.
● TXT and NSEC resource records are analysed for information leakage.
● Search engine discovery.
● DNS cache poisoning vulnerability.
● DNS resolver function (open recursion) test.
● Other open services on the DNS servers are tested.
● DNS server version and known vulnerabilities are noted.
● DNS servers are scanned with commercial scanners and vulnerabilities are
discovered.
9.5.2 Vulnerabilities discovered by this test.
9.6 DATABASE TESTS
Databases are considered the most important systems of a company. All corporate, customer,
employee, commercial and financial data is stored in databases of some kind. Database
systems carry risks such as information leakage and service interruption and must therefore
be protected.
9.6.1 Performed tests
● Database server security patches are analysed.
● Predefined (default) accounts on the databases are audited.
● Injection tests against the databases are performed.
● Privilege escalation is attempted on systems to which access was gained.
● Database versions and related weaknesses are analysed.
● Databases are scanned with commercial scanners and vulnerabilities are found.
● Database misconfigurations are tested.
9.6.2 Vulnerabilities discovered by this test
9.7 WIRELESS TESTS
Wireless is an important access point to the internal network, and misconfigured or insecure
wireless networks are a significant risk for the company. We test both the internal and
external risk factors while attempting to reach the corporate wireless networks.
9.7.1 Performed tests
● Discovering hidden and non-hidden SSIDs belonging to the company.
● Testing for information leakage from Wi-Fi networks.
● Testing the wireless encryption algorithms used by the networks.
● Wi-Fi password cracking via handshake capture.
● WEP encryption discovery.
● WPS feature discovery.
● Discovering Wi-Fi networks without user restrictions.
● MAC filter bypass.
● Wi-Fi management protocols and their vulnerabilities.
● DoS against Wi-Fi networks.
● Fake access point and phishing attempts.
● Man-in-the-middle attacks.
● Captive portal bypass attempts.
9.7.2 Vulnerabilities discovered by this test
9.8 DDOS TESTS
DDoS stands for distributed denial of service. In this attack we aim to stop the availability
of the target system; the attack is distributed because multiple sources are used to perform
the test.
9.8.1 Performed tests
IP/transport and application level DDoS attacks:
● DNS load tests exceeding the bandwidth (valid and invalid DNS replies, DNS requests,
amplification, reflection attacks etc.)
● Web server load tests (HTTP POST, HTTP GET, HTTPS, slow attacks etc.)
● UDP attacks against UDP services, e.g. media and VoIP (UDP flood, invalid packets, SIP
INVITE flood etc.)
● TCP, mixed and fragmented attacks
● Custom attacks designed for the service.
● All these tests also test the resilience of the firewalls, routers, WAFs, IPS systems etc.
that handle the packets before the application does.
9.8.2 Vulnerabilities discovered by this test
Btpsec Sample Penetration Test Report

  • 1. CUSTOMER ​PENTEST REPORT BTPSec Office 7, 35-37 Ludgate Hill EC4M7JN, London Tel: +44 203 2870040 info@btpsec.com www.btpsec.com TEST DATES: Legal Warning: This document contains confidential information about “​CUSTOMER​” and can be viewed by ONLY authorized personnel. If you have opened this document by accident, please report to ​info@btpsec.com Strictly CONFIDENTIAL 1
  • 2. CONTENTS REPORT DETAILS LEGAL RESPONSIBILITIES INTRODUCTION ABOUT THE PENTEST REPORT SCOPE PENTEST RESULT EVALUATION STATISTICAL RESULTS OF THE PENTEST Summary table of vulnerabilities Table 1 Vulnerabilities by category Vulnerabilities by Category and importance level Table 2 Vulnerabilities by Category and importance level Graphical representation of vulnerabilities by risk levels Picture 1 Vulnerability risk levels and their count Number of Findings by test category Picture 2. Number of findings by test category Vulnerabilities and effects Picture 3 Number of Findings and their effects Vulnerabilities by entry point Picture 4 Number of findings by entry point Number of Findings by reasons of vulnerability Picture 5 Number of findings by reasons of vulnerability TEST METHODOLOGY INFORMATION GATHERING Passive Information Gathering Active Information Gathering NETWORK MAPPING VULNERABILITY SCANNING SYSTEM ACCESS Strictly CONFIDENTIAL 2
  • 3. PRIVILEGE ESCALATION GAINING ACCESS TO OTHER SYSTEMS JUMPING TO OTHER NETWORKS RETAINING ACCESS LOSING TRACKS REPORTING PENTEST DETAILS ENTRY POINTS OF THE PENTEST USER PROFILES USED DURING PENTEST RISK LEVELS OF VULNERABILITIES PERFORMED TESTS AND RESULTS SOCIAL ENGINEERING TESTS Performed Tests Vulnerabilities discovered by this test: WEB APPLICATION PENTEST Performed Tests Vulnerabilities discovered by this test: DOMAIN, SERVER AND CLIENT TESTS Performed Tests Vulnerabilities discovered by this test Switch and Router TESTS Performed tests Vulnerabilities discovered by this test EMAIL AND DNS SERVER TESTS Tests performed Vulnerabilities discovered by this test. DATABASE TESTS Performed tests Vulnerabilities discovered by this test WIRELESS TESTS Strictly CONFIDENTIAL 3
  • 4. Performed tests Vulnerabilities discovered by this test DDOS TESTS Performed tests Vulnerabilities discovered by this test Strictly CONFIDENTIAL 4
  • 5. 1. REPORT DETAILS Report Header Demo Customer Penetration Test Report Version 1.0 Author Test Team RedTeam Report class Secret Customer Representative Name, Last Name Title Organization System Manager 1. LEGAL RESPONSIBILITIES Report contents are hidden and cannot be transferred to or shared with third parties without written consent of both BTPSec and the customer. Report contains the security vulnerabilities discovered by our team, present throughout the scanning period and known to that date. Between scanning has finished and report was delivered, new security vulnerabilities might have been reported in the world, but both parties should understand that they will not be included in the test and the testing company should not be held liable for this. Solution recommendations (fixes) given in the report are for advisory purposes only. Any problems/issues resulting from the application of this solution will not be supported by BTPSec. Reasonable level of support has to be requested from professionals before applying the solution fixes. 2. INTRODUCTION This report covers the detailed information obtained by auditing the security of Customer’s information systems, performed between ​dates. During the test, we have avoided to use tools and methods that can negatively affect the information system. Furthermore, no action that can cause a denial of a service situation has been performed. Report contains information about the categories of the vulnerabilities, exploitation methods and information about how to solve these issues. Strictly CONFIDENTIAL 5
3. ABOUT THE PENTEST REPORT

This part will help the reader better understand the report and its details. This report has been prepared to give details about the vulnerabilities of the Customer's information systems. The report is as important as the pentest itself, since it is the only output that will help to understand the tests performed. It contains all the operations performed during the test and summarizes the security situation of the customer from various points of view. We aim to prepare a useful report that will correctly lead the customer to make the necessary investments and sustain better security.

BTPSec has used the following guidelines while preparing this report:
● OWASP Testing Guide v4
● OSSTMM
● ISSAF
● NIST
● BDDK (BSD.2012/1)
● TSE Pentest Technical Criteria (Turkish Standards Institute)

The report covers the results of all tests performed. Target systems are declared in the Scope section, in Table 1. The summary of the security situation of the organization is given under the "Pentest Result Evaluation" section; if the domain administrator account was compromised, that scenario is also discussed and detailed in the same section. The discovery statistics are given in the "Pentest Statistical Results" section. The pentest methods are described in the "Applied Pentest Methodology" section, where each phase of the pentest is supported by a short explanation. The "Pentest Details" section describes where the tests were performed, which users were modeled, how findings are categorized, and the risk level of findings. The tests and their results are detailed in the "Applied Tests and Results" section.

Findings obtained after the test are ordered according to their risk levels. Each finding has its own finding table, which includes the name of the finding, risk level, effect, exploit point, user profile, test category and reason. A detailed explanation of each finding is provided under "Vulnerability description", and the systems affected by the vulnerability are listed. Solutions to remove the effect of the vulnerability are given under "Solution recommendations". Detailed information about the vulnerability and solution methods is provided in the "References" section.

A sample finding and a description of its fields:

Finding Name                 Descriptive name of the finding
Risk level                   Risk level of the finding
Effect of the vulnerability  Potential result when the vulnerability has been exploited
Access Point                 Access point of the tester
Category                     Test category
User Profile                 User profile used during the test
Reason of finding            The reason this vulnerability exists

Description: This field explains the vulnerability and the exploitation method.
Systems that have this vulnerability: The names of the systems that have this vulnerability.
Solution Recommendation: Solutions offered to eliminate this vulnerability.
References: Detailed information about the vulnerability and solution methods.

4. SCOPE

The purpose of the penetration test is to gain access to customer systems by discovering the vulnerabilities in those systems. Penetration tests are performed within the scope given by the customer; therefore, determining the scope is highly important in order to evaluate the real risks faced by the customer. Hackers approach systems very differently from system administrators: a single system that is somehow connected to the network but left out of scope may pose serious risks to the whole environment. Scope specifics are determined as per the table below.

Test Category        Details
Ext.Nw IP Blocks
Int.Nw. IP Blocks
E-mail Gateways
DNS Servers
Web Apps
Social Engineering   E-mail
Wireless network
DDOS
Table 1: Pentest scope

BTPSec used the following source IP (NAT) address during the test:
● x.x.x.x

5. SUMMARY OF PENTEST AND EVALUATION

This report covers the results of the penetration tests against the customer's systems performed by BTPSec. The pentest started @ Date, time and finished @ Date, time. The tests performed against the systems include web application tests, domain/client/server tests, network tests, email service tests, DNS service tests, database system tests and DoS/DDoS tests. Throughout the tests, all systems within the scope were checked from a hacker's perspective, and all intrusions were made with the knowledge of the customer.

At the end of the test, x urgent, y critical, z high, a middle and b low level vulnerabilities were found, with a grand total of c. The IP addresses used by our team were given special permission where applicable.

Web application tests disclosed one or more findings of high or higher risk rating that could seriously harm the corporate image of the customer. x, y and z are critical level findings.

Security devices and attack prevention methods observed during the penetration tests are stated below:

Thank you for choosing us to test your network, systems and applications.

Domain administrator takeover scenario:
6. STATISTICAL RESULTS OF THE PENTEST

A statistical overview of the findings of the test can be of critical importance in taking the necessary actions. Graphically presented risks also help a lot in analyzing risks during an ISO 27001 process. The security investments needed to close the security gaps of the organization can be visualized effectively with these graphs.

Urgent level vulnerabilities are stated below:

6.1. Summary table of vulnerabilities

Name of vulnerability    Importance   Category
Phishing by Email        Urgent       Social Engineering
Remote Code Execution    Urgent       Network
Table 1 Vulnerabilities by category

6.2. Vulnerabilities by Category and importance level

SCOPE / RISK level          Urgent  Critical  High  Middle  Low  TOTAL
Social Engineering          2                                    2
Web Apps                    2
Server/Client Systems
Network Systems             2
Email and DNS Servers
Database Systems
Wireless Network Systems
DDoS Tests
TOTAL
Table 2 Vulnerabilities by Category and importance level (numbers are randomized for demo purposes)

Note: Nessus type colorization has been used in risk evaluation.
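The tables of this section, and the ordering of findings by risk level described in section 3, can be produced mechanically from the finding records. The following is an added example, not BTPSec's report tooling: it takes the finding fields of the sample finding in section 3, the category names of Table 2 and the risk scores of the Risk Levels table in section 8.3 (URGENT 5 down to LOW 1), and builds Table 1 and Table 2 from them. The findings in DEMO_FINDINGS are constructed demo data, not real test output.

```python
"""Findings aggregation for the summary tables (added example, not BTPSec's
report tooling). Finding fields follow the sample finding in section 3, the
category names follow Table 2, and the risk scores follow the Risk Levels
table in section 8.3 (URGENT 5 ... LOW 1). DEMO_FINDINGS is constructed demo
data, not real test output."""
from collections import Counter
from dataclasses import dataclass

RISK_SCORE = {"Urgent": 5, "Critical": 4, "High": 3, "Middle": 2, "Low": 1}
RISK_ORDER = ["Urgent", "Critical", "High", "Middle", "Low"]
CATEGORIES = [
    "Social Engineering", "Web Apps", "Server/Client Systems",
    "Network Systems", "Email and DNS Servers", "Database Systems",
    "Wireless Network Systems", "DDoS Tests",
]


@dataclass(frozen=True)
class Finding:
    """One finding table (section 3): name, risk, effect, entry point (8.1),
    test category, user profile (8.2) and reason."""
    name: str
    risk: str
    effect: str
    access_point: str
    category: str
    user_profile: str
    reason: str

    def __post_init__(self):
        # Reject values outside the report's own vocabulary early, so a typo
        # in a finding cannot silently drop out of the statistics.
        if self.risk not in RISK_SCORE:
            raise ValueError(f"unknown risk level: {self.risk!r}")
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category!r}")


def ordered_by_risk(findings):
    """Section 3: findings are listed by risk level, highest score first."""
    return sorted(findings, key=lambda f: (-RISK_SCORE[f.risk], f.name))


def summary_table(findings, level="Urgent"):
    """Table 1: (name, importance, category) rows for one risk level."""
    return [(f.name, f.risk, f.category)
            for f in ordered_by_risk(findings) if f.risk == level]


def pivot_by_category(findings):
    """Table 2: counts per category and risk level, with row and column totals."""
    counts = Counter((f.category, f.risk) for f in findings)
    table = {}
    for cat in CATEGORIES:
        row = {lvl: counts[(cat, lvl)] for lvl in RISK_ORDER}
        row["TOTAL"] = sum(row.values())
        table[cat] = row
    table["TOTAL"] = {col: sum(table[c][col] for c in CATEGORIES)
                      for col in RISK_ORDER + ["TOTAL"]}
    return table


def render_pivot(table):
    """Plain-text rendering of Table 2; zero cells stay blank as on the page."""
    cols = RISK_ORDER + ["TOTAL"]
    lines = ["%-26s" % "SCOPE / RISK level" + "".join("%9s" % c for c in cols)]
    for cat, row in table.items():
        lines.append("%-26s" % cat + "".join("%9s" % (row[c] or "") for c in cols))
    return "\n".join(lines)


# Constructed demo findings (values chosen only to exercise the tables).
DEMO_FINDINGS = [
    Finding("Phishing by Email", "Urgent", "Credential theft", "Internet",
            "Social Engineering", "Anonymous user", "Lack of user awareness"),
    Finding("Remote Code Execution", "Urgent", "Full system compromise",
            "Internet", "Network Systems", "Anonymous user", "Missing patches"),
    Finding("Reflected XSS", "Critical", "Session theft", "Internet",
            "Web Apps", "Anonymous user", "Missing output encoding"),
    Finding("Weak password policy", "Low", "Password guessing", "Local Network",
            "Server/Client Systems", "Employee", "Best practice not followed"),
]

if __name__ == "__main__":
    for row in summary_table(DEMO_FINDINGS):
        print(*row, sep=" | ")
    print(render_pivot(pivot_by_category(DEMO_FINDINGS)))
```

The validation in `Finding.__post_init__` is the part worth keeping in any real reporting pipeline: a finding whose risk level or category is misspelled would otherwise vanish from the totals that the customer uses to prioritize fixes.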
6.3. Graphical representation of vulnerabilities by risk levels

Picture 1 Vulnerability risk levels and their count

6.4. Number of Findings by test category

Picture 2 Number of findings by test category
6.5. Vulnerabilities and effects

Picture 3 Number of Findings and their effects

6.6. Vulnerabilities by entry point

Picture 4 Number of findings by entry point
6.7. Number of Findings by reasons of vulnerability

Picture 5 Number of findings by reasons of vulnerability

7. TEST METHODOLOGY

A proactive hacker approach has been selected in order to provide the best simulation of risks. The methods for this approach are usually vulnerability scanning and penetration testing. Commercial and non-commercial tools are used to automatically scan the elements within the scope. During the pentest, however, the vulnerabilities discovered by the scan are analyzed and tested manually for exploitation. At this point we try to gain access to customer systems in a silent and harmless way. After obtaining access, we try to move on to other systems and databases. The quality of the test is highly dependent on the experience level of the pentest team. BTPSec performs tests in accordance with the ISO 27001 and PCI (Payment Card Industry) standards.

BTPSec has used the following references while preparing this report:
● OWASP Testing Guide v4
● OSSTMM
● ISSAF
● NIST
● BDDK (BSD.2012/1)
● TSE (Turkish Standards Institute)

The pentest has 3 main steps: testing, reporting and verification. The detailed phases of the pentest are the following:
1. INFORMATION GATHERING
   a. Passive Information Gathering
   b. Active Information Gathering
2. NETWORK MAPPING
3. VULNERABILITY SCANNING
4. SYSTEM ACCESS
5. PRIVILEGE ESCALATION
6. GAINING ACCESS TO OTHER SYSTEMS
7. JUMPING TO OTHER NETWORKS
8. RETAINING ACCESS
9. LOSING TRACKS
10. REPORTING
7.1. INFORMATION GATHERING

In this phase, all relevant information about the organization is collected. Two methods, passive and active information gathering, are used.

7.1.1. Passive Information Gathering

We use only the Internet to gather information about the customer and send no probe at all to the target systems. Platforms:
● Archive sites (archive.org)
● Search engines (Google, Bing, Yahoo etc.)
● Social links (Twitter, Facebook, LinkedIn, Pipl etc.)
● Blogs and forums
● Career sites etc.
The information obtained here is used later for testing purposes. The experience of the pentest team is important in order to make use of the information obtained here.

7.1.2. Active Information Gathering

The customer organization's systems are probed and targeted in order to obtain:
● DNS records (A, MX, NS etc.)
● DNS version info
● Subdomain names
● Email platform
● Banner info etc.

7.2. NETWORK MAPPING

In this phase, we aim to discover the network topology of the organization. Open ports, the services running on them, and the discovery of network and security devices help us in drawing this map.
Picture 1 Demo Network Map (Source: Offensivesecurity.com)

7.3. VULNERABILITY SCANNING

The running services, i.e. the applications and their versions, play a big role in vulnerability scanning. The version is discovered from the banner information returned by those applications after silently probing the listening services. Vulnerability scanning is mostly done via automated tools; however, configuration errors, logical errors and policy configuration errors are largely discovered with the help of experienced penetration testers.

7.4. SYSTEM ACCESS

In this phase, the vulnerabilities are exploited and the systems are accessed. The vulnerabilities found are analyzed further and the exploits applicable to them are chosen. If needed, and if there is enough time, a new exploit is written. This phase is important because, without the know-how and experience of the pentesters, it is very hard to gain access to systems; and if we cannot get into the systems, this does not necessarily mean that hackers cannot. That is not a desirable situation for either the customer or us. After gaining access to systems, we usually look for user accounts and their password hashes, and try to crack the passwords of those accounts.

7.5. PRIVILEGE ESCALATION

It may not always be possible to obtain an authorized user's password. On systems that are misconfigured or unpatched, it may be possible to escalate the privileges of unauthorized users. It may also be possible to find password details in system logs or configuration files.
7.6. GAINING ACCESS TO OTHER SYSTEMS

Detailed research takes place here. Devices in the same network as the compromised systems are scanned for vulnerabilities and exploited. Passwords already obtained can also be reused.

7.7. JUMPING TO OTHER NETWORKS

Other networks and subnets connected to the compromised systems are also analyzed, and the connection methods are tested.

7.8. RETAINING ACCESS

Real attackers have methods to retain the compromised accounts and passwords with slight changes to the system. Therefore, a pentester will also look for ways to retain access to the systems.

7.9. LOSING TRACKS

Throughout the test there will be compromised or analyzed systems, and all tracks relating to those intrusions are cleaned at the end of the test. All backdoors, trojans or similar tools and scripts are removed, and this is transparently communicated during the test.

7.10. REPORTING

The report explains all defined actions performed on the systems. The report is the only outcome of the test and is delivered with the best effort to clearly communicate our test methodology, attitude, actions and results. The information provided to the customer will be sufficient to give a complete background for mitigating the security gaps. Solution recommendations are kept up to date. The test tools and methods used are clearly shared so that general awareness is increased and system owners feel more comfortable in understanding the effects. A security evaluation of the company is provided with clear graphical representations.

8. PENTEST DETAILS

8.1. ENTRY POINTS OF THE PENTEST

Access Point    Description
Internet        All information systems of the customer that are reachable from the Internet are tested.
Local Network   Pentests take place on the internal network, and the pentester is given the rights of a normal user on the network.

8.2. USER PROFILES SIMULATED DURING PENTEST

Attacker profile   Description
Anonymous user     Describes an anonymous Internet user. We use this profile in order to discover how an anonymous user (a user with no login credentials) can alter or break into the system.
Employee           An employee profile is given to our testers: the testers' user accounts are created by the employer just as they would be for an employee. The most common user account type is used; however, a user with local administration privilege is also tested. The access privileges and user profiles given are clearly stated in the report.
Other user         Any user that is not defined as one of the above types is reported under the 'Other user' type.

8.3. RISK LEVELS OF VULNERABILITIES

Risk Level  Score  Detailed explanation
URGENT      5      Represents successful attacks that take control of the system and can easily be performed by an inexperienced hacker from the Internet. E.g. stored XSS, SQL injection and RFI/LFI.
CRITICAL    4      Represents successful attacks that take control of the system and can easily be performed by an experienced hacker from the Internet. E.g. reflected and DOM based XSS.
HIGH        3      Represents attacks that use privilege escalation and probably cause a denial of service situation. These attacks can be performed inside or outside the network.
MIDDLE      2      Represents attacks that cause a denial of service situation. These attacks are performed inside the network.
LOW         1      The effect of this level of vulnerability is usually unknown and stems from not following best security practices.
Table 1 Risk levels of vulnerabilities

9. PERFORMED TESTS AND RESULTS

We performed the following tests on the customer network; the results are given below.
9.1 SOCIAL ENGINEERING TESTS

Social engineering is a basic penetration test method. These attacks target people, human relations and, basically, human weaknesses. People working for the customer are misled into doing things they should not be doing. User identities, passwords, secret projects, appointments and similar information are obtained with the help of these attacks. This information is usually critical to a hacker, even though the insider or the target usually cannot imagine how critical it is. Useful information obtained by social engineering attacks helps a lot in completing the puzzle for the hacker. If information security is a chain, the human is its weakest link. To improve here, the company should regularly train its employees via classes, seminars etc. Social engineering tests must be repeated in order to see the real effect of the trainings and seminars.

9.1.1 Performed Tests

We mostly used telephone and email in the tests. The scenarios are clearly planned, played out and reported.

Sample test:

9.1.2 Vulnerabilities discovered by this test:

9.2 WEB APPLICATION PENTEST

Web applications are the front windows of companies to the outside world, and they carry a large part of the reputation of the company and its industry. The purpose of web application attacks is mostly to test whether it is possible to break into customer systems through the web applications. We also test for denial of service vulnerabilities by heavily loading the web applications and/or the devices in front of them.

9.2.1 Performed Tests

BTPSec has used techniques that do not damage the service or its availability. All false positives (reported but unreal vulnerabilities) are eliminated.
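Several of the OWASP checks in the list of this section can be verified by inspecting a single HTTP response, which is also how a system owner can confirm a fix after the report is delivered. The following is an added example, not BTPSec's tooling: it audits a raw response for the HSTS header (OTG-CONFIG-007), the Secure, HttpOnly and SameSite cookie attributes (OTG-SESS-002) and the framing restrictions that prevent clickjacking (OTG-CLIENT-009). Both responses in the block are constructed samples, not captures from any real host.

```python
"""Response-header audit (added example, not BTPSec's tooling). It checks a
raw HTTP response for the hardening items of OTG-CONFIG-007 (HSTS),
OTG-SESS-002 (cookie attributes) and OTG-CLIENT-009 (clickjacking) from the
OWASP list of this section. Both responses below are constructed samples,
not captures from any real host."""
import re


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body).
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_headers(raw):
    """Return a list of issue strings; an empty list means all checks passed."""
    _, headers, _ = parse_response(raw)
    issues = []

    # OTG-CONFIG-007: HSTS must be present with a non-zero max-age.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        issues.append("HSTS: Strict-Transport-Security header missing (OTG-CONFIG-007)")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) == 0:
            issues.append("HSTS: max-age missing or zero (OTG-CONFIG-007)")

    # OTG-SESS-002: every cookie should carry Secure, HttpOnly and SameSite.
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("secure", "httponly", "samesite"):
            if attr not in attrs:
                issues.append(f"Cookie {cookie_name}: {attr} attribute missing (OTG-SESS-002)")

    # OTG-CLIENT-009: framing must be restricted by X-Frame-Options or CSP.
    has_xfo = any(n == "x-frame-options" for n, _ in headers)
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    if not has_xfo and "frame-ancestors" not in csp.lower():
        issues.append("Clickjacking: no X-Frame-Options and no CSP frame-ancestors (OTG-CLIENT-009)")
    return issues


# Constructed sample: the weak configuration a tester would report.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSIONID=2f9a1c; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>demo</body></html>"
)

# Constructed sample: the same page with the recommended headers applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: SESSIONID=2f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>demo</body></html>"
)

if __name__ == "__main__":
    for issue in audit_headers(WEAK_RESPONSE):
        print("-", issue)
    print("hardened:", audit_headers(HARDENED_RESPONSE) or "no issues")
```

The session cookie is the one that matters in the weak sample: the `lang` cookie carries all three attributes while `SESSIONID`, the one a tester would try to steal or fix, carries none, which is exactly the kind of per-cookie difference a header-level glance misses.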
BTPSec has performed the following OWASP tests:

Configuration and Deployment Management Testing
● Test Network/Infrastructure Configuration (OTG-CONFIG-001)
● Test Application Platform Configuration (OTG-CONFIG-002)
● Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
● Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
● Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
● Test HTTP Methods (OTG-CONFIG-006)
● Test HTTP Strict Transport Security (OTG-CONFIG-007)
● Test RIA cross domain policy (OTG-CONFIG-008)

Identity Management Testing
● Test Role Definitions (OTG-IDENT-001)
● Test User Registration Process (OTG-IDENT-002)
● Test Account Provisioning Process (OTG-IDENT-003)
● Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)
● Testing for Weak or unenforced username policy (OTG-IDENT-005)

Authentication Testing
● Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
● Testing for default credentials (OTG-AUTHN-002)
● Testing for Weak lock out mechanism (OTG-AUTHN-003)
● Testing for bypassing authentication schema (OTG-AUTHN-004)
● Test remember password functionality (OTG-AUTHN-005)
● Testing for Browser cache weakness (OTG-AUTHN-006)
● Testing for Weak password policy (OTG-AUTHN-007)
● Testing for Weak security question/answer (OTG-AUTHN-008)
● Testing for weak password change or reset functionalities (OTG-AUTHN-009)
● Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)

Authorization Testing
● Testing Directory traversal/file include (OTG-AUTHZ-001)
● Testing for bypassing authorization schema (OTG-AUTHZ-002)
● Testing for Privilege Escalation (OTG-AUTHZ-003)
● Testing for Insecure Direct Object References (OTG-AUTHZ-004)

Session Management Testing
● Testing for Bypassing Session Management Schema (OTG-SESS-001)
● Testing for Cookies attributes (OTG-SESS-002)
● Testing for Session Fixation (OTG-SESS-003)
● Testing for Exposed Session Variables (OTG-SESS-004)
● Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)
● Testing for logout functionality (OTG-SESS-006)
● Test Session Timeout (OTG-SESS-007)
● Testing for Session puzzling (OTG-SESS-008)
Input Validation Testing
● Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)
● Testing for Stored Cross Site Scripting (OTG-INPVAL-002)
● Testing for HTTP Verb Tampering (OTG-INPVAL-003)
● Testing for HTTP Parameter pollution (OTG-INPVAL-004)
● Testing for SQL Injection (OTG-INPVAL-005)
    ● Oracle Testing
    ● MySQL Testing
    ● SQL Server Testing
    ● Testing PostgreSQL (from OWASP BSP)
    ● MS Access Testing
    ● Testing for NoSQL injection
● Testing for LDAP Injection (OTG-INPVAL-006)
● Testing for ORM Injection (OTG-INPVAL-007)
● Testing for XML Injection (OTG-INPVAL-008)
● Testing for SSI Injection (OTG-INPVAL-009)
● Testing for XPath Injection (OTG-INPVAL-010)
● IMAP/SMTP Injection (OTG-INPVAL-011)
● Testing for Code Injection (OTG-INPVAL-012)
    ● Testing for Local File Inclusion
    ● Testing for Remote File Inclusion
● Testing for Command Injection (OTG-INPVAL-013)
● Testing for Buffer overflow (OTG-INPVAL-014)
    ● Testing for Heap overflow
    ● Testing for Stack overflow
    ● Testing for Format string
● Testing for incubated vulnerabilities (OTG-INPVAL-015)
● Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)

Testing for Error Handling
● Analysis of Error Codes (OTG-ERR-001)
● Analysis of Stack Traces (OTG-ERR-002)

Testing for weak Cryptography
● Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)
● Testing for Padding Oracle (OTG-CRYPST-002)
● Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)

Business Logic Testing
● Test Business Logic Data Validation (OTG-BUSLOGIC-001)
● Test Ability to Forge Requests (OTG-BUSLOGIC-002)
● Test Integrity Checks (OTG-BUSLOGIC-003)
● Test for Process Timing (OTG-BUSLOGIC-004)
● Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
● Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
● Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
● Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
● Test Upload of Malicious Files (OTG-BUSLOGIC-009)

Client Side Testing
● Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)
● Testing for JavaScript Execution (OTG-CLIENT-002)
● Testing for HTML Injection (OTG-CLIENT-003)
● Testing for Client Side URL Redirect (OTG-CLIENT-004)
● Testing for CSS Injection (OTG-CLIENT-005)
● Testing for Client Side Resource Manipulation (OTG-CLIENT-006)
● Test Cross Origin Resource Sharing (OTG-CLIENT-007)
● Testing for Cross Site Flashing (OTG-CLIENT-008)
● Testing for Clickjacking (OTG-CLIENT-009)
● Testing WebSockets (OTG-CLIENT-010)
● Test Web Messaging (OTG-CLIENT-011)
● Test Local Storage (OTG-CLIENT-012)

9.2.2 Vulnerabilities discovered by this test:

9.3 DOMAIN, SERVER AND CLIENT TESTS

In this test category, the domain, local servers and clients are tested. The attacker profiles applied are the unhappy employee, the newly hired employee with hacking skills and the disgruntled employee. These tests aim to break into internal systems and applications and thereby visualize the risks that can be faced inside the company.

9.3.1 Performed Tests
● Misconfigurations in the initialization settings of client systems are tested.
● Privilege escalation attempts are made.
● Password policies of local accounts on client systems are tested.
● Domain user password policy and password storage policy are tested.
● Security patches of clients and whether they are up to date are tested.
● Security patches of servers and whether they are up to date are tested.
● Vulnerabilities are scanned on servers and clients, and it is tested whether they cause remote code execution or information leakage.
● The security of anti-malware and anti-remote-execution measures on clients and servers is tested.
● Poor passwords and password policies on systems and applications are tested.
● Systems protected with predefined passwords are tested.
● OS services and 3rd party applications are tested.

9.3.2 Vulnerabilities discovered by this test

9.4 SWITCH AND ROUTER TESTS

Network devices such as switches and routers usually have predefined services, most of the time including unused services and ports. In our tests we examine your network devices for vulnerabilities, e.g. unused ports, unnecessary services, common passwords and community strings and, most importantly, insecure and wrong configurations. In this category, cyber attacks that could make use of the network devices are simulated and the risks are stated.

9.4.1 Performed tests
● All network devices are scanned via commercial scanners.
● Services and protocols running on them are reported.
● User authentication mechanisms are tested.
● Running services are examined.
● Port security, access control and the VLAN/trunk structure on active devices are audited.

9.4.2 Vulnerabilities discovered by this test

9.5 EMAIL AND DNS SERVER TESTS

All email communication takes place over the email gateway of the company. Insecure and misconfigured email gateways can cause data leakage, impersonation etc. DNS servers are also important because they direct outside and inside communication. They simply convert between IP addresses and DNS names; but who uses IP addresses? Most people rely on easy-to-remember names when connecting to servers, clients etc. So the DNS server must be tested against all general and DNS-related vulnerabilities.

9.5.1 Tests performed

Email gateway tests:
● Location of email gateways in the topology.
● Email gateway software and version.
● Relay vulnerability is tested.
● Services on the email gateway are discovered and analyzed.
● POP3 and IMAP client services and their configurations are tested.
● Mail servers are tested for vulnerabilities using commercial scanners.
● Vulnerabilities found are verified.
● Email server software is tested for vulnerabilities.
● It is tested whether the mail server limits the size of emails.

DNS tests:
● The DNS server's location in the topology map is analyzed.
● The DNS server is tested for the zone transfer vulnerability.
● NTX and NSEC resource records are analyzed for leakage.
● Search engine discovery.
● DNS server cache poisoning vulnerability.
● DNS resolver function test.
● Other open services on DNS servers are tested.
● DNS server version and vulnerabilities are noted.
● DNS servers are scanned via commercial scanners and vulnerabilities are discovered.

9.5.2 Vulnerabilities discovered by this test

9.6 DATABASE TESTS

Databases are considered the most important systems of a company. All company, customer, employee, commercial and financial data is stored in databases of some kind. Database systems carry risks such as information leakage and service interruption, and must therefore be protected.

9.6.1 Performed tests
● Database server security patches are analyzed.
● Predefined accounts on the databases are audited.
● Injection tests against databases are performed.
● Privilege escalation attempts are made on the systems we gained access to.
● Database versions and related gaps are analyzed.
● Databases are scanned via commercial scanners and vulnerabilities are found.
● Misconfigurations on databases are tested.

9.6.2 Vulnerabilities discovered by this test
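The injection test listed under 9.6.1 is easiest to understand as a vulnerable query placed beside its fixed form, which is also what the solution recommendation for such a finding amounts to. The following is an added example, not BTPSec's tooling: it runs both forms against an in-memory SQLite database filled with constructed demo rows, and includes the verification step a tester uses to confirm that user input is reaching the query text.

```python
"""SQL injection test and fix (added example, not BTPSec's tooling). It shows
the injection test of section 9.6.1 as a vulnerable lookup beside its
parameterized form, run against an in-memory SQLite database filled with
constructed demo rows."""
import sqlite3


def make_demo_db():
    """In-memory database with constructed rows; nothing touches a real server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con, username):
    """Builds the statement by string concatenation, so the input becomes part
    of the SQL text and can rewrite the WHERE clause."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, username):
    """Binds the input as a parameter: it is compared as data, never parsed."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# The classic tautology probe used to confirm the finding.
TAUTOLOGY = "x' OR '1'='1"


def input_reaches_query_text(con, lookup):
    """Verification step: a lookup for a non-existent name must return nothing;
    if the tautology probe returns rows instead, user input is being parsed as
    SQL and the finding is confirmed (not a false positive)."""
    return len(lookup(con, "no-such-user")) == 0 and len(lookup(con, TAUTOLOGY)) > 0


if __name__ == "__main__":
    con = make_demo_db()
    print("vulnerable   :", lookup_vulnerable(con, TAUTOLOGY))
    print("parameterized:", lookup_parameterized(con, TAUTOLOGY))
    print("injectable?  :", input_reaches_query_text(con, lookup_vulnerable))
```

The two lookups are identical for a well-formed username such as `alice`; they only diverge on hostile input, which is why a database test has to send probes rather than inspect normal application behaviour.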
9.7 WIRELESS TESTS

Wireless is an important access point to the internal network, and misconfigured or insecure wireless networks are an important risk for the company. We test both the internal and external risk factors while attempting to reach the corporate wireless networks.

9.7.1 Performed tests
● Discovering hidden and non-hidden SSIDs that belong to the company.
● Testing for information leakage from Wi-Fi networks.
● Testing the wireless encryption algorithms used by the networks.
● Wi-Fi password cracking via handshake interception.
● WEP encryption discovery.
● WPS feature discovery.
● Discovering Wi-Fi without user limitation.
● MAC filter bypass.
● Wi-Fi management protocols and their vulnerabilities.
● DoS against Wi-Fi networks.
● Fake access point and phishing attempts.
● Man-in-the-middle attacks.
● Captive portal bypass attempts.

9.7.2 Vulnerabilities discovered by this test

9.8 DDOS TESTS

DDoS stands for distributed denial of service. In this attack, we aim to stop the availability of the target system. The distributed nature of the attack comes from the fact that multiple sources are used to perform the test.

9.8.1 Performed tests

IP/transport and application level DDoS attacks:
● DNS load tests exceeding the bandwidth (valid and invalid DNS replies, DNS requests, amplification, reflection attacks etc.).
● Web server load tests (HTTP POST, HTTP GET, HTTPS, slow attacks etc.).
● UDP attacks against UDP listening services, e.g. media, VoIP (UDP flood, invalid packets, SIP INVITE flood etc.).
● TCP, mixed and fragmented attacks.
● Custom attacks designed according to the service.
● All these tests also test the availability of the firewalls, routers, WAF, IPS systems etc. that handle the packets before the application does.

9.8.2 Vulnerabilities discovered by this test