Btpsec Sample Penetration Test Report
CUSTOMER PENTEST REPORT
BTPSec
Office 7, 35-37 Ludgate Hill
EC4M7JN, London
Tel: +44 203 2870040
info@btpsec.com
www.btpsec.com
TEST DATES:
Legal Warning: This document contains confidential information about “CUSTOMER” and
may be viewed ONLY by authorized personnel.
If you have opened this document by accident, please report it to info@btpsec.com
Strictly CONFIDENTIAL 1
CONTENTS
REPORT DETAILS
LEGAL RESPONSIBILITIES
INTRODUCTION
ABOUT THE PENTEST REPORT
SCOPE
PENTEST RESULT EVALUATION
STATISTICAL RESULTS OF THE PENTEST
Summary table of vulnerabilities
Table 1 Vulnerabilities by category
Vulnerabilities by Category and importance level
Table 2 Vulnerabilities by Category and importance level
Graphical representation of vulnerabilities by risk levels
Picture 1 Vulnerability risk levels and their count
Number of Findings by test category
Picture 2. Number of findings by test category
Vulnerabilities and effects
Picture 3 Number of Findings and their effects
Vulnerabilities by entry point
Picture 4 Number of findings by entry point
Number of Findings by reasons of vulnerability
Picture 5 Number of findings by reasons of vulnerability
TEST METHODOLOGY
INFORMATION GATHERING
Passive Information Gathering
Active Information Gathering
NETWORK MAPPING
VULNERABILITY SCANNING
SYSTEM ACCESS
PRIVILEGE ESCALATION
GAINING ACCESS TO OTHER SYSTEMS
JUMPING TO OTHER NETWORKS
RETAINING ACCESS
LOSING TRACKS
REPORTING
PENTEST DETAILS
ENTRY POINTS OF THE PENTEST
USER PROFILES USED DURING PENTEST
RISK LEVELS OF VULNERABILITIES
PERFORMED TESTS AND RESULTS
SOCIAL ENGINEERING TESTS
Performed Tests
Vulnerabilities discovered by this test:
WEB APPLICATION PENTEST
Performed Tests
Vulnerabilities discovered by this test:
DOMAIN, SERVER AND CLIENT TESTS
Performed Tests
Vulnerabilities discovered by this test
Switch and Router TESTS
Performed tests
Vulnerabilities discovered by this test
EMAIL AND DNS SERVER TESTS
Tests performed
Vulnerabilities discovered by this test.
DATABASE TESTS
Performed tests
Vulnerabilities discovered by this test
WIRELESS TESTS
1. REPORT DETAILS
Report Header: Demo Customer Penetration Test Report
Version: 1.0
Author:
Test Team: RedTeam
Report class: Secret
Customer Representative:
Name, Last Name | Title | Organization
| System Manager |
1. LEGAL RESPONSIBILITIES
The contents of this report are confidential and cannot be transferred to or shared with third
parties without the written consent of both BTPSec and the customer.
The report contains the security vulnerabilities discovered by our team that were present
during the scanning period and known at that date. Between the end of scanning and the
delivery of the report, new security vulnerabilities may have been published; both parties
should understand that these are not covered by the test and that the testing company
cannot be held liable for them.
The solution recommendations (fixes) given in the report are for advisory purposes only. Any
problems resulting from the application of these solutions will not be supported by BTPSec.
A reasonable level of professional support should be sought before applying the fixes.
2. INTRODUCTION
This report covers the detailed information obtained by auditing the security of the
Customer’s information systems, performed between dates.
During the test, we avoided tools and methods that could negatively affect the information
systems. Furthermore, no action that could cause a denial-of-service situation was
performed.
The report contains information about the categories of the vulnerabilities, the exploitation
methods, and how to resolve these issues.
3. ABOUT THE PENTEST REPORT
This part will help the reader better understand the report and its details.
This report has been prepared to give the Customer details about the vulnerabilities of its
information systems. The report is as important as the pentest itself, since it is the only
output that explains the tests performed. It records all the operations performed during the
test and summarizes the security situation of the customer from various points of view.
We aim to prepare a useful report that correctly guides the customer in making the
necessary investments and sustaining better security.
BTPSec used the following guidelines while preparing this report:
● OWASP Testing Guide v4
● OSSTM
● ISSAF
● NIST
● BDDK (BSD.2012/1)
● TSE Pentest Technical Criteria (Turkish Standards Institute)
The report covers the results of all tests performed. The target systems are declared in the
Scope section, in Table 1. The summary of the security situation of the organization is given
under the “Pen Test Result Evaluation” section. If the domain administrator account has
been compromised, that scenario is also discussed and detailed in the same section. The
discovery statistics are given under the “Pentest Statistical Results” section.
The pentest methods are described in the “Applied Pentest Methodology” section, where
each phase of the pentest is accompanied by a short explanation.
The “Pentest Details” section describes where the tests were performed, which users were
modeled, how the findings are categorized, and the risk level of the findings.
The tests and their results are detailed in the “Applied Tests and Results” section.
The findings obtained from the test are ordered according to their risk levels. Each finding
has its own finding table, which includes the name of the finding, its risk level, effect, entry
point, user profile, test category and reason.
A detailed explanation of each finding is provided under “Vulnerability description”, and the
systems affected by the vulnerability are listed there. Solutions to remove the effect of the
vulnerability are given under “Solution recommendations”. Detailed information about the
vulnerability and the solution methods is discussed under “References”.
A sample finding and a description of its fields:
Finding Name: Descriptive name of the finding.
Risk level: Risk level of the finding.
Effect of the vulnerability: Potential result when the vulnerability has been exploited.
Access Point: Access point of the tester.
Category: Test category.
User Profile: User profile used during the test.
Reason of finding: The reason this vulnerability exists.
Description:
This field explains the vulnerability and the exploitation method.
Systems that have this vulnerability:
Lists the names of the systems that have this vulnerability.
Solution Recommendation:
Solutions offered to eliminate this vulnerability.
References:
Detailed information about the vulnerability and the solution methods.
4. SCOPE
The purpose of the penetration test is to gain access to customer systems by discovering the
vulnerabilities in those systems. Penetration tests are performed within the scope given by
the customer. Therefore, determining the scope correctly is highly important in order to
evaluate the real risks faced by the customer.
A hacker’s approach to the systems is very different from a system administrator’s. A single
system that is somehow connected to the network but left out of the scope may pose serious
risks to the whole environment.
The scope is determined as per the table below.
Test Category | Details
External Network IP Blocks |
Internal Network IP Blocks |
E-mail Gateways |
DNS Servers |
Web Apps |
Social Engineering E-mail |
Wireless Network |
DDoS |
Table 1: Pentest scope
BTPSec used the following source IP (NAT) address during the test:
● x.x.x.x
5. SUMMARY OF PENTEST AND EVALUATION
This report covers the results of the penetration tests against customer systems performed
by BTPSec. The pentest started on Date, time and finished on Date, time.
Tests performed against the systems include web application tests, domain-client-server
tests, network tests, email service tests, DNS service tests, database system tests and
DoS/DDoS tests.
Throughout the tests, all systems within the scope were checked from a hacker’s
perspective, and intrusions were carried out with the knowledge of the customer.
At the end of the test, x urgent, y critical, z high, a middle and b low level vulnerabilities
were found, with a grand total of c.
The IP addresses used by our team were given special permission where applicable.
Web application tests disclosed one or more findings rated high or above that could
seriously harm the corporate image of the customer.
Findings x, y and z are critical level findings.
Security devices and attack prevention methods identified during the penetration tests are
stated below:
Thank you for choosing us to test your network, systems and applications.
Domain administrator takeover scenario:
6. STATISTICAL RESULTS OF THE PENTEST
A statistical overview of the findings of the test can be of critical importance in taking the
necessary actions. Graphically presented risks also help considerably in analyzing risks
during an ISO 27001 process. The security investments needed to close the organization’s
security gaps can be effectively visualized by these graphs.
Urgent level vulnerabilities are stated below:
6.1. Summary table of vulnerabilities
Name of vulnerability | Importance | Category
Phishing by Email | Urgent | Social Engineering
Remote Code Execution | Urgent | Network
Table 1 Vulnerabilities by category
6.2. Vulnerabilities by Category and importance level
RISK level
SCOPE | Urgent | Critical | High | Middle | Low | TOTAL
Social Engineering 2 2
Web Apps 2
Server/Client Systems
Network Systems 2
Email and DNS Servers
Database Systems
Wireless Network Systems
DDoS Tests
TOTAL
Table 2 Vulnerabilities by Category and importance level (numbers are randomized for demo
purposes)
Note: Nessus-style colorization has been used in risk evaluation.
6.3. Graphical representation of vulnerabilities by risk levels
Picture 1 Vulnerability risk levels and their count
6.4. Number of Findings by test category
Picture 2 Number of findings by test category
6.5. Vulnerabilities and effects
Picture 3 Number of Findings and their effects
6.6. Vulnerabilities by entry point
Picture 4 Number of findings by entry point
6.7. Number of Findings by reasons of vulnerability
Picture 5 Number of findings by reasons of vulnerability
7. TEST METHODOLOGY
A proactive hacker approach was selected in order to provide the best simulation of risks.
The methods for this approach are usually vulnerability scanning and penetration testing.
Commercial and non-commercial tools are used to automatically scan the elements provided
within the scope.
During the pentest, however, the vulnerabilities discovered during the scan are analyzed and
tested manually for exploitation. At this point, we try to get into customer systems in a silent
and harmless way. After obtaining access, we try to move on to other systems and
databases. The quality of the test is highly dependent on the experience level of the pentest
team.
BTPSec performs tests in accordance with the ISO 27001 and PCI (Payment Card Industry)
standards.
BTPSec used the following references while preparing this report:
● OWASP Testing Guide v4
● OSSTM
● ISSAF
● NIST
● BDDK (BSD.2012/1)
● TSE (Turkish Standards Institute)
The pentest has three main steps: testing, reporting and verification.
The detailed steps of the pentest are as follows:
1. INFORMATION GATHERING
a. Passive Information Gathering
b. Active Information Gathering
2. NETWORK MAPPING
3. VULNERABILITY SCANNING
4. SYSTEM ACCESS
5. PRIVILEGE ESCALATION
6. GAINING ACCESS TO OTHER SYSTEMS
7. JUMPING TO OTHER NETWORKS
8. RETAINING ACCESS
9. LOSING TRACKS
10. REPORTING
7.1. INFORMATION GATHERING
In this phase, all relevant information about the organization is collected. Two methods,
passive and active information gathering, are used during this phase.
7.1.1. Passive Information Gathering
We use only the Internet to gather information about the customer and send no probes at all
to the target systems.
Platforms:
● Archive Sites (archive.org)
● Search Engines (Google, Bing, Yahoo etc.)
● Social Links (Twitter, Facebook, Linkedin, Pipl etc.)
● Blogs and forums
● Career sites etc.
The information obtained here is used later for testing purposes. The experience of the
pentest team is important in recognizing which of the information obtained here will matter
later in the test.
7.1.2. Active Information Gathering
The systems of the customer organization are probed and targeted in order to obtain:
● DNS records (A, MX, NS etc.)
● DNS version info
● Subdomain names
● Email platform
● Banner info etc.
7.2. NETWORK MAPPING
In this phase, we aim to discover the network topology of the organization. Open ports, the
services running on them, and the discovery of network and security devices help us draw
this map.
Picture 1 Demo Network Map *
7.3. VULNERABILITY SCANNING
Running services, i.e. applications and their versions, play a big role in vulnerability
scanning. The version is discovered from the banner information returned by those
applications after silently probing the listening services.
Vulnerability scanning is mostly done via automated tools. However, configuration errors,
logical errors and policy configuration errors are largely discovered with the help of
experienced penetration testers.
7.4. SYSTEM ACCESS
In this part, the vulnerabilities are exploited and systems are accessed. During this phase,
the vulnerabilities found are analyzed further and the exploits for those vulnerabilities are
chosen. If needed, and if there is enough time, a new exploit is written.
This phase is important because without the know-how and experience of pentesters it is
very hard to gain access to systems, and if we cannot get into a system this does not
necessarily mean that hackers cannot. That is not a desirable situation for either the
customer or us. After gaining access to systems, we usually look for user accounts and their
password hashes, and try to crack the passwords of those accounts.
7.5. PRIVILEGE ESCALATION
It may not always be possible to obtain an authorized user’s password. On systems that are
misconfigured or unpatched, it might be possible to escalate the privileges of an
unprivileged user. It may also be possible to find password details in system logs or
configuration files.
*Source: Offensivesecurity.com
7.6. GAINING ACCESS TO OTHER SYSTEMS
Detailed research takes place here. Devices on the same network as the compromised
systems are scanned for vulnerabilities and exploited. Passwords that we have already
obtained can also be used.
7.7. JUMPING TO OTHER NETWORKS
Other networks and subnets connected to the compromised systems are also analyzed, and
the connection methods are tested.
7.8. RETAINING ACCESS
Real attackers have methods to retain the compromised accounts and passwords by making
slight changes to the system. Therefore, a pentester also looks for ways to retain access to
the systems.
7.9. LOSING TRACKS
Throughout the test, systems will be compromised or analyzed, and all traces of those
intrusions are cleaned up after the end of the test. All backdoors, trojans or similar tools and
scripts are removed, and this is transparently communicated during the test.
7.10. REPORTING
The report explains all the defined actions performed on the systems. The report is the only
outcome of the test and is delivered with the best effort to clearly communicate our test
methodology, approach, actions and results. The information provided to the customer will
be sufficient to give a complete background for the mitigation of the security gaps. Solution
recommendations will be up to date. The test tools and methods used are clearly shared so
that general awareness is increased and system owners are more comfortable in
understanding the effects. A security evaluation of the company is provided with clean
graphical representations.
8. PENTEST DETAILS
8.1. ENTRY POINTS OF THE PENTEST
Access Point | Description
Internet | All information systems of the customer that are reachable from the Internet are
tested.
Local Network | Pentests take place on the internal network, and the pentester is given the
rights of a normal user on the network.
8.2. USER PROFILES SIMULATED DURING PENTEST
Attacker profile | Description
Anonymous user | Describes an anonymous Internet user. We use this user profile in order
to discover how an anonymous user (a user with no login credentials) can alter or break into
the system.
Employee | An employee profile is given to our testers: the testers’ user accounts are
created by the employer just as they would be for an employee. The most common user
account type is used; however, a user with local administration privileges is also tested.
The access privileges and user profiles given will be clearly stated in the report.
Other user | Any user that is not defined as one of the above types is reported under the
‘Other user’ type.
8.3. RISK LEVELS OF VULNERABILITIES
Risk Level | Score | Detailed explanation
URGENT | 5 | Represents successful attacks that take control of the system and can easily
be performed by an inexperienced hacker from the Internet. E.g. stored XSS, SQL injection
and RFI/LFI.
CRITICAL | 4 | Represents successful attacks that take control of the system and can easily
be performed by an experienced hacker from the Internet. E.g. reflected and DOM-based
XSS.
HIGH | 3 | Represents attacks that use privilege escalation and probably cause a denial of
service situation. These attacks can be performed inside or outside the network.
MIDDLE | 2 | Represents attacks that cause a denial of service situation. These attacks are
performed inside the network.
LOW | 1 | The effect of vulnerabilities at this level is usually unknown and stems from not
following security best practices.
Table 1 Risk levels of vulnerabilities
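The finding fields described in section 3 and the statistics of section 6 are derived from the same records, scored with the table above. As an added example (not part of the BTPSec report or its tooling), the Python below models a finding with those fields, validates its risk level, and rebuilds the category-by-risk-level table, the entry-point and reason counts, and the Urgent summary. The five sample findings are constructed for the demo; the two Urgent ones mirror Table 1 of section 6.1, the others are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Risk levels and scores as in the "Risk levels of vulnerabilities" table.
RISK_SCORE = {"Urgent": 5, "Critical": 4, "High": 3, "Middle": 2, "Low": 1}
RISK_LEVELS = list(RISK_SCORE)  # column order of the category/risk table


@dataclass(frozen=True)
class Finding:
    """One finding table: the fields the report assigns to every finding."""
    name: str
    risk: str          # one of RISK_SCORE
    effect: str        # potential result when the vulnerability is exploited
    access_point: str  # "Internet" or "Local Network" (section 8.1)
    category: str      # test category, i.e. a scope row
    user_profile: str  # "Anonymous user", "Employee" or "Other user" (8.2)
    reason: str        # why the vulnerability exists

    def __post_init__(self):
        # Reject a risk level that is not in the report's scale.
        if self.risk not in RISK_SCORE:
            raise ValueError(f"unknown risk level: {self.risk!r}")

    @property
    def score(self) -> int:
        return RISK_SCORE[self.risk]


def by_category_and_risk(findings):
    """Rebuilds Table 2: {category: {risk level: count, ..., "TOTAL": n}}."""
    table = defaultdict(lambda: dict.fromkeys(RISK_LEVELS, 0))
    for f in findings:
        table[f.category][f.risk] += 1
    for row in table.values():
        row["TOTAL"] = sum(row[level] for level in RISK_LEVELS)
    return dict(table)


def count_by(findings, field):
    """Counts behind Pictures 3-5: findings by effect, access point or reason."""
    return dict(Counter(getattr(f, field) for f in findings))


def urgent_summary(findings):
    """Table 1 of section 6: (name, importance, category) of the Urgent findings."""
    rows = [(f.name, f.risk, f.category) for f in findings if f.risk == "Urgent"]
    return sorted(rows)


def ordered_by_risk(findings):
    """Findings in the order the report presents them: highest risk first."""
    return sorted(findings, key=lambda f: (-f.score, f.name))


def weighted_risk(findings):
    """Sum of risk scores per category: a first cut at where to invest first."""
    totals = Counter()
    for f in findings:
        totals[f.category] += f.score
    return dict(totals)


# Constructed sample data for the demo; the two Urgent rows mirror Table 1 (6.1).
SAMPLE_FINDINGS = [
    Finding("Phishing by Email", "Urgent", "Credential theft", "Internet",
            "Social Engineering", "Anonymous user", "Lack of user awareness"),
    Finding("Remote Code Execution", "Urgent", "Full system compromise", "Internet",
            "Network", "Anonymous user", "Missing security patch"),
    Finding("Reflected XSS in search page", "Critical", "Session hijacking", "Internet",
            "Web Apps", "Anonymous user", "Insufficient input validation"),
    Finding("Session cookie without Secure flag", "Low", "Session hijacking", "Internet",
            "Web Apps", "Anonymous user", "Insecure configuration"),
    Finding("Default SNMP community string", "High", "Information leakage", "Local Network",
            "Network", "Employee", "Default configuration"),
]


def render_table(table):
    """Plain-text rendering of the category/risk table for the report body."""
    cols = RISK_LEVELS + ["TOTAL"]
    lines = ["SCOPE".ljust(20) + "".join(c.rjust(10) for c in cols)]
    for category, row in sorted(table.items()):
        lines.append(category.ljust(20) + "".join(str(row[c]).rjust(10) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(by_category_and_risk(SAMPLE_FINDINGS)))
    print(count_by(SAMPLE_FINDINGS, "access_point"))
    print(weighted_risk(SAMPLE_FINDINGS))
```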
9. PERFORMED TESTS AND RESULTS
We performed the following tests on the customer network; the results are given below.
9.1 SOCIAL ENGINEERING TESTS
Social engineering is a basic penetration test method. These attacks target people, human
relations and, basically, human weaknesses. People working for the customer are misled
into doing things they should not be doing. User identities, passwords, secret projects,
appointments and similar information are obtained with the help of these attacks. This
information is usually critical for a hacker, even though the insider or the target usually
cannot imagine how critical it is. Useful information obtained by social engineering attacks
helps a lot in completing the puzzle for the hacker.
If information security is a chain, the human is the weakest link in it. To improve here, the
company should regularly train its employees via classes, seminars etc. Social engineering
tests must be repeated in order to see the real effect of the training and seminars.
9.1.1 Performed Tests
We mostly used telephone and email in the tests. The scenarios were clearly planned,
executed and reported.
Sample test:
9.1.2 Vulnerabilities discovered by this test:
9.2 WEB APPLICATION PENTEST
Web applications are the shop windows of companies to the outside world. They also carry
a large part of the reputation of the company in its industry. The purpose of web application
attacks is mostly to test whether it is possible to break into customer systems through the
web applications. We also test for denial of service vulnerabilities by heavily loading the web
applications and/or the devices in front of them.
9.2.1 Performed Tests
BTPSec used techniques that do not damage the service or service availability. All unreal
vulnerabilities (false positives) were eliminated.
BTPSec performed the following OWASP tests:
Configuration and Deployment Management Testing
● Test Network/Infrastructure Configuration (OTG-CONFIG-001)
● Test Application Platform Configuration (OTG-CONFIG-002)
● Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
● Review Old, Backup and Unreferenced Files for Sensitive Information
(OTG-CONFIG-004)
● Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
● Test HTTP Methods (OTG-CONFIG-006)
● Test HTTP Strict Transport Security (OTG-CONFIG-007)
● Test RIA cross domain policy (OTG-CONFIG-008)
Identity Management Testing
● Test Role Definitions (OTG-IDENT-001)
● Test User Registration Process (OTG-IDENT-002)
● Test Account Provisioning Process (OTG-IDENT-003)
● Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)
● Testing for Weak or unenforced username policy (OTG-IDENT-005)
Authentication Testing
● Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
● Testing for default credentials (OTG-AUTHN-002)
● Testing for Weak lock out mechanism (OTG-AUTHN-003)
● Testing for bypassing authentication schema (OTG-AUTHN-004)
● Test remember password functionality (OTG-AUTHN-005)
● Testing for Browser cache weakness (OTG-AUTHN-006)
● Testing for Weak password policy (OTG-AUTHN-007)
● Testing for Weak security question/answer (OTG-AUTHN-008)
● Testing for weak password change or reset functionalities (OTG-AUTHN-009)
● Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)
Authorization Testing
● Testing Directory traversal/file include (OTG-AUTHZ-001)
● Testing for bypassing authorization schema (OTG-AUTHZ-002)
● Testing for Privilege Escalation (OTG-AUTHZ-003)
● Testing for Insecure Direct Object References (OTG-AUTHZ-004)
Session Management Testing
● Testing for Bypassing Session Management Schema (OTG-SESS-001)
● Testing for Cookies attributes (OTG-SESS-002)
● Testing for Session Fixation (OTG-SESS-003)
● Testing for Exposed Session Variables (OTG-SESS-004)
● Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)
● Testing for logout functionality (OTG-SESS-006)
● Test Session Timeout (OTG-SESS-007)
● Testing for Session puzzling (OTG-SESS-008)
Input Validation Testing
● Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)
● Testing for Stored Cross Site Scripting (OTG-INPVAL-002)
● Testing for HTTP Verb Tampering (OTG-INPVAL-003)
● Testing for HTTP Parameter pollution (OTG-INPVAL-004)
● Testing for SQL Injection (OTG-INPVAL-005)
● Oracle Testing
● MySQL Testing
● SQL Server Testing
● Testing PostgreSQL (from OWASP BSP)
● MS Access Testing
● Testing for NoSQL injection
● Testing for LDAP Injection (OTG-INPVAL-006)
● Testing for ORM Injection (OTG-INPVAL-007)
● Testing for XML Injection (OTG-INPVAL-008)
● Testing for SSI Injection (OTG-INPVAL-009)
● Testing for XPath Injection (OTG-INPVAL-010)
● IMAP/SMTP Injection (OTG-INPVAL-011)
● Testing for Code Injection (OTG-INPVAL-012)
● Testing for Local File Inclusion
● Testing for Remote File Inclusion
● Testing for Command Injection (OTG-INPVAL-013)
● Testing for Buffer overflow (OTG-INPVAL-014)
● Testing for Heap overflow
● Testing for Stack overflow
● Testing for Format string
● Testing for incubated vulnerabilities (OTG-INPVAL-015)
● Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
Testing for Error Handling
● Analysis of Error Codes (OTG-ERR-001)
● Analysis of Stack Traces (OTG-ERR-002)
Testing for weak Cryptography
● Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
(OTG-CRYPST-001)
● Testing for Padding Oracle (OTG-CRYPST-002)
● Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)
Business Logic Testing
● Test Business Logic Data Validation (OTG-BUSLOGIC-001)
● Test Ability to Forge Requests (OTG-BUSLOGIC-002)
● Test Integrity Checks (OTG-BUSLOGIC-003)
● Test for Process Timing (OTG-BUSLOGIC-004)
● Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
● Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
● Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
● Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
● Test Upload of Malicious Files (OTG-BUSLOGIC-009)
Client Side Testing
● Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)
● Testing for JavaScript Execution (OTG-CLIENT-002)
● Testing for HTML Injection (OTG-CLIENT-003)
● Testing for Client Side URL Redirect (OTG-CLIENT-004)
● Testing for CSS Injection (OTG-CLIENT-005)
● Testing for Client Side Resource Manipulation (OTG-CLIENT-006)
● Test Cross Origin Resource Sharing (OTG-CLIENT-007)
● Testing for Cross Site Flashing (OTG-CLIENT-008)
● Testing for Clickjacking (OTG-CLIENT-009)
● Testing WebSockets (OTG-CLIENT-010)
● Test Web Messaging (OTG-CLIENT-011)
● Test Local Storage (OTG-CLIENT-012)
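Several of the items in the list above can be verified passively from a single HTTP response, which is also how a system owner can re-check a fix. As an added example (not part of the BTPSec report or its tooling), the Python below parses a raw response and flags the weak settings behind OTG-CONFIG-007 (HSTS), OTG-SESS-002 (cookie attributes), OTG-CLIENT-009 (clickjacking) and OTG-CLIENT-007 (CORS); the weak and hardened responses are constructed, and the one-year HSTS threshold and the app.example.com origin are assumptions.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; assumed hardening threshold, not from the report


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into status line, header map and body.
    Header names are lower-cased; values are kept in a list because Set-Cookie
    may legitimately appear several times."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_hsts(headers):
    """OTG-CONFIG-007: HSTS must be present with a long enough max-age."""
    values = headers.get("strict-transport-security")
    if not values:
        return [("OTG-CONFIG-007", "Strict-Transport-Security header missing")]
    m = re.search(r"max-age=(\d+)", values[0], re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        return [("OTG-CONFIG-007", f"HSTS max-age too short: {values[0]}")]
    return []


def check_cookies(headers):
    """OTG-SESS-002: every cookie should carry Secure, HttpOnly and SameSite."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("Secure", "HttpOnly", "SameSite") if a.lower() not in attrs]
        if missing:
            findings.append(("OTG-SESS-002", f"cookie {name} lacks {', '.join(missing)}"))
    return findings


def check_clickjacking(headers):
    """OTG-CLIENT-009: framing must be restricted by X-Frame-Options or CSP."""
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo) or "frame-ancestors" in csp:
        return []
    return [("OTG-CLIENT-009", "no X-Frame-Options or CSP frame-ancestors protection")]


def check_cors(headers):
    """OTG-CLIENT-007: wildcard or null origins with credentials are a misconfiguration."""
    origin = headers.get("access-control-allow-origin", [""])[0]
    creds = headers.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if (origin == "*" and creds) or origin == "null":
        return [("OTG-CLIENT-007", f"permissive CORS: origin={origin!r}, credentials={creds}")]
    return []


def audit(raw: bytes):
    """Run all checks on one response; returns a list of (OTG id, message)."""
    _, headers, _ = parse_response(raw)
    return (check_hsts(headers) + check_cookies(headers)
            + check_clickjacking(headers) + check_cors(headers))


# Constructed sample responses: a weak configuration and its hardened counterpart.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: JSESSIONID=constructed-sample-value; Path=/\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"Access-Control-Allow-Credentials: true\r\n"
    b"\r\n"
    b"<html><body>login</body></html>"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Set-Cookie: JSESSIONID=constructed-sample-value; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: frame-ancestors 'none'\r\n"
    b"Access-Control-Allow-Origin: https://app.example.com\r\n"
    b"\r\n"
    b"<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```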
9.2.2 Vulnerabilities discovered by this test:
9.3 DOMAIN, SERVER AND CLIENT TESTS
In this test category, the domain, local servers and clients are tested. The attacker profiles
applied are the unhappy employee, the newly hired hacker employee and the disgruntled
employee. These tests aim to break into internal systems and applications and thereby
visualize the risks that can be faced inside the company.
9.3.1 Performed Tests
● Misconfigurations in the initialization settings of client systems are tested.
● Privilege escalation attempts are made.
● Password policies of local accounts on client systems are tested.
● The domain user password policy and password storage policy are tested.
● Security patches of clients and whether they are up to date are tested.
● Security patches of servers and whether they are up to date are tested.
● Servers and clients are scanned for vulnerabilities, and it is tested whether the
vulnerabilities lead to remote code execution or information leakage.
● The security of anti-malware and anti-remote-execution controls on clients and servers
is tested.
● Systems and applications are tested for poor passwords and policies.
● Systems protected by predefined passwords are tested.
● OS services and 3rd party applications are tested.
9.3.2 Vulnerabilities discovered by this test
9.4 SWITCH AND ROUTER TESTS
Network devices, e.g. switches and routers, usually have predefined services, most of the
time unused services and ports. In our tests, we examine your network devices for
vulnerabilities, e.g. unused ports, unnecessary services, common passwords and community
strings, and most importantly insecure and wrong configurations.
In this category, cyber attacks that could make use of the network devices are simulated and
the risks are stated.
9.4.1 Performed tests
● All network devices are scanned via commercial scanners.
● Services and protocols running on them are reported.
● User authentication mechanisms are tested.
● Running services are examined.
● Port security, access control, and the VLAN/trunk structure on active devices are
audited.
9.4.2 Vulnerabilities discovered by this test
9.5 EMAIL AND DNS SERVER TESTS
All email communication takes place over the email gateway of the company. Insecure and
misconfigured email gateways can cause data leakage, impersonation etc.
DNS servers are also important because they direct both external and internal
communication. They simply translate between IP addresses and DNS names; however, who
uses IP addresses? Most people depend on easy-to-remember names when connecting to
servers, clients etc. So the DNS server must be tested against all general and DNS-related
vulnerabilities.
9.5.1 Tests performed
Email gateway tests:
● Location of the email gateways in the topology.
● Email gateway software and version.
● Open relay vulnerability is tested.
● Services on the email gateway are discovered and analyzed.
● POP3 and IMAP client services and their configurations are tested.
● Mail servers are tested for vulnerabilities using commercial scanners.
● Vulnerabilities found are verified.
● Email server software is tested for vulnerabilities.
● It is tested whether the mail server limits file sizes in emails.
DNS tests:
● The DNS server location in the topology map is analyzed.
● The DNS server is tested for the zone transfer vulnerability.
● NTX and NSEC resource records are analyzed for leakage.
● Search engine discovery.
● DNS cache poisoning vulnerability is tested.
● DNS resolver function test.
● Other open services on the DNS servers are tested.
● DNS server version and vulnerabilities are noted.
● DNS servers are scanned via commercial scanners and vulnerabilities are discovered.
9.5.2 Vulnerabilities discovered by this test
9.6 DATABASE TESTS
Databases are considered to be the most important systems of a company. All company,
customer, employee, commercial and financial data is stored in databases of some kind.
Database systems carry risks such as information leakage, service interruption etc. and
must therefore be protected.
9.6.1 Performed tests
● Database server security patches are analyzed.
● Predefined accounts on the databases are audited.
● Injection tests against the databases are performed.
● Privilege escalation attempts are made on the systems we gained access to.
● Database versions and their related weaknesses are analyzed.
● Databases are scanned via commercial scanners and vulnerabilities are found.
● Misconfigurations on the databases are tested.
9.6.2 Vulnerabilities discovered by this test
9.7 WIRELESS TESTS
Wireless is an important access point to the internal network. Misconfigured or insecure
wireless networks are a significant risk for the company. We test both the internal and
external risk factors while attempting to reach the corporate wireless networks.
9.7.1 Performed tests
● Discovering hidden and non-hidden SSIDs that belong to the company.
● Testing for information leakage from Wi-Fi networks.
● Testing the wireless encryption algorithms used by the networks.
● Wi-Fi password cracking via handshake interception.
● WEP encryption discovery.
● WPS feature discovery.
● Discovering Wi-Fi networks without user limitation.
● MAC filter bypass.
● Wi-Fi management protocols and their vulnerabilities.
● DoS against Wi-Fi networks.
● Fake access point and phishing attempts.
● Man-in-the-middle attacks.
● Captive portal bypass attempts.
9.7.2 Vulnerabilities discovered by this test
9.8 DDOS TESTS
DDoS stands for distributed denial of service. In this attack, we aim to stop the availability of
the target system. The distributed nature of the attack comes from the fact that multiple
sources are used to perform the test.
9.8.1 Performed tests
IP/transport and application level DDoS attacks:
● DNS load tests exceeding the bandwidth (valid and invalid DNS replies, DNS requests,
amplification, reflection attacks etc.).
● Web server load tests (HTTP POST, HTTP GET, HTTPS, slow attacks etc.).
● UDP attacks against UDP listening services, e.g. media, VoIP (UDP flood, invalid packets,
SIP INVITE flood etc.).
● TCP, mixed and fragmented attacks.
● Custom attacks designed according to the service.
● All these tests also test the resilience of the firewalls, routers, WAF, IPS systems etc. that
handle the packets before the application does.
9.8.2 Vulnerabilities discovered by this test