Byte Me Report

Acme Widgets Inc Security Assessment Report
May 6, 2010
ACSG 570, Web Server Security (BYTE ME Project)
Date 05/06/2010
Prepared By: Saurav Amatya, Anju Amatya, Larry Jennings

The information contained within this report is considered proprietary and confidential to the ACME Widgets Inc. Inappropriate and unauthorized disclosure of this report or portions of it could result in significant damage or loss to the ACME Widgets Inc. This report should be distributed to individuals on a Need-to-Know basis only. Paper copies should be locked up when not in use. Electronic copies should be stored offline and protected appropriately.
Acknowledgements

We, the group members – Saurav Amatya, Anju Amatya and Larry Jennings, would like to thank Dr. Aman for providing all the necessary information regarding penetration testing. The external links, tutorials and the lectures that he provided were very useful and full of knowledge for us. We would also like to thank him for providing us the real practical knowledge with the help of this BYTE ME project and introducing us to the great security professional - Mr. James E. Conway.

We would also like to thank Mr. James E. Conway for coming all the way from Ohio and being involved in our project and helping us in every step to gain understanding of his network. Also, his real life experiences and the lecture he provided for the BYTE ME exercise were very useful. Besides that, we would also like to thank him for setting up the virtual corporate environment where we could gain real field experience.

And last, but not least, we would also like to thank our group members (each other) for being so co-operative. The work done by each member has contributed significantly to the completion of the exercise and thus the report.

Thank you everyone!
Table of Contents

Introduction .......... 4
1. Network Profile .......... 5
  1.1 Network Layout Discovery .......... 5
  1.2 Overview of open ports with security concerns .......... 6
2. Some sensitive information found over the ACME-Widget Network .......... 7
  2.1 Password lists of the different hosts .......... 7
  2.2 List of Suspected Customer names .......... 10
  2.3 Some critical files in editable mode .......... 11
    2.3.1 Numbers of critical files could be edited with sudo –s command in 192.168.199.106 .......... 11
  2.4 Accessible Security Policy on 192.168.199.99 .......... 13
    Figure: Security Policy on 192.168.199.99 .......... 13
    Figure: Computer Management on 192.168.199.99 .......... 14
    Figure: Accessing admin group on 192.168.199.99 .......... 15
3. Key Recommendations .......... 16
  3.1 Technical .......... 16
  3.2 Non - Technical .......... 18
4. Methodology .......... 18
  4.1 Research .......... 18
  4.2 The beginning phase – Analyzing the network .......... 19
  4.3 Web Site Testing .......... 20
5. Some pre-installed tools in the system .......... 20
  5.1 Wireshark .......... 20
  5.2 Metasploit .......... 21
  5.3 Cain n Abel .......... 21

1 | ACME-Widgets Inc. Penetration Testing Report

  5.4 Fast track Autopwn .......... 21
  5.5 Nessus .......... 22
  5.6 Zenmap .......... 22
  5.7 Open-VAS .......... 22
6. Scan results for each machine in network 192.168.199.0/24 .......... 23
  6.1 192.168.199.70 .......... 23
    Repartition of the level of security problems .......... 24
    Summary .......... 24
    High Level Vulnerability Analysis for machine 192.168.199.70 .......... 24
    Mid Level Vulnerability Analysis for machine 192.168.199.70 .......... 28
    Low Level Vulnerability Analysis for machine 192.168.199.70 .......... 29
  6.2 192.168.199.99 .......... 33
    Repartition of the level of security problems .......... 34
    Summary .......... 34
    High Level Vulnerability Analysis for machine 192.168.199.99 .......... 34
    Mid Level Vulnerability Analysis for machine 192.168.199.99 .......... 35
    Low Level Vulnerability Analysis for machine 192.168.199.99 .......... 36
  6.3 192.168.199.106 .......... 38
    Repartition of the level of security problems .......... 38
    Summary .......... 39
    Critical Issues .......... 39
    High Level Vulnerabilities Analysis for 192.168.199.106 .......... 39
    Mid-level Vulnerabilities Analysis for 192.168.199.106 .......... 40
    Low Level Vulnerabilities Analysis for 192.168.199.106 .......... 40
  6.4 192.168.199.222 .......... 41
    Repartition of the level of security problems .......... 42
    Summary .......... 42
    High Level Vulnerabilities Analysis for Machine 192.168.199.222 .......... 42
    Mid Level Vulnerabilities Analysis for Machine 192.168.199.222 .......... 42
    Low Level Vulnerabilities Analysis for Machine 192.168.199.222 .......... 43
  6.5 192.168.199.230 .......... 44
    Repartition of the level of security problems .......... 45
    Summary .......... 45
    High Level Vulnerabilities Analysis of 192.168.199.230 .......... 45
    Mid Level Vulnerabilities Analysis of Machine 192.168.199.230 .......... 49
  6.6 192.168.199.232 .......... 54
    Repartition of the level of security problems .......... 54
    Summary .......... 55
    High Level Vulnerabilities Analysis of 192.168.199.232 .......... 55
    Mid Level Vulnerabilities Analysis of Machine 192.168.199.232 .......... 56
    Low Level Vulnerabilities Analysis of Machine 192.168.199.232 .......... 58
Conclusion .......... 59
References .......... 60
Penetration Testing Log .......... 61
Introduction

This report consists of the sensitive information related to the penetration testing of ACME Widgets Inc. performed by a group involving 3 members – Anju Amatya, Larry Jennings and Saurav Amatya.

This report consists of the research, findings and summary of a 3 week period of testing that was begun on April 8th, 2010 and concluded on April 29th 2010. The main focus of this report is the testing result of the request by ACME-Widgets Inc. to confirm the vulnerabilities of their computer network.

This report covers every aspect of the client’s, ACME Widget, network – Technical as well as Non-Technical. The main focus of this report has been on pointing out the vulnerabilities of the network and then the measures for them.
1. Network Profile

1.1 Network Layout Discovery

We have discovered the following topology of the network of ACME-Widgets.

Figure: Network Layout of ACME Widgets
1.2 Overview of open ports with security concerns

Note: these ports were open at one point in time during our testing; however, some of them are opened on demand by applications, so they were not consistently present on every scan.

Figure: Open ports on different hosts of ACME Widgets
2. Some sensitive information found over the ACME-Widget Network

2.1 Password lists of the different hosts

Passwords for the different machines could be cracked by using the hash values of the passwords obtained with the command ‘hashdump’. There are many online websites which convert a provided hash into plain text, for example http://www.objectif-securite.ch/en/products.php

UserName            Password
Administrator       Empty
aman                Acsg123
backtrack           123Chor420
barcelona           Batoul06
Dumbledore          Dumbledore
GORKHALI            GORKHALI
Guest               Empty
hack                hacker
kechasolti          GORKHALI
ksr                 1234hack
Morpheus            Neotheone
Nepali              Nepal
ser                 alGhaD
Severus.Snape       Slytherin
Smas                GORKHALI

Figure: Username/password table for 192.168.199.230
Username              Password
admin                 admin
admn                  pLato
backtrack1            123Chor420
Daddy                 Hermione
everest1              123Chor321
Guest                 Empty password
HelpAssistant         MJ!6SgvDADVIDm
Hpotter               Empty Password
Services              pLato
SQLExecutiveCmdExec   SFNATNIE
SUPPORT_388945a0      * LM hash empty, NT hash cannot be cracked by this table
Administrator         LM hash empty, NT hash cannot be cracked by this table

Figure: Username/Password table for 192.168.199.232
Username              Password
admin                 nimdA2378
Administrator         DarkArts
backtrack             123Chor420
computer              pLato
everest               123Chor321
Guest                 active:no
Harry.J.Potter        Gryffindor
IWAM_WORKMASTER       6ES3@1H3pC/^Ro
IUSR_WORKMASTER       Fs&:q>0T5L7_`0
ksr                   hack1234
Ksr1                  attack123
Support_388945a0      ? LM hash empty, NT hash cannot be cracked by this table

Figure: Username/Password table for 192.168.199.99
2.2 List of Suspected Customer names

Additionally, we also found a list of suspected customer names on the host 192.168.199.70. While this name was blank, the formatting suggests that it may have been used to create files; it is also possible that there are potential passwords in this file.

Please see the contents of the file “users.txt” from the 192.168.199.70 NT machine.

dabsalon, Daniel Absalon, st_DarkArts,,,,,,
aadhikari, Ashok Adhikari, st_DarkArts,,,,,,
jaman,Jams,Aman,pr_DarkArts,,,,,,
aamatya, Anju Amatya, st_DarkArts,,,,,,
samatya, Saurav Amatya, st_DarkArts,,,,,,
caviles, Christina Aviles, st_DarkArts,,,,,,
ababani-maghirang,AshaBabani-Maghirang,st_DarkArts,,,,,,
bbarkowski,BrianBarkowski,st_DarkArts,,,,,,
aboston,AndrewBoston,st_DarkArts,,,,,,
jconway,JamesConway,co_DarkArts,,,,,,
ecrump, Eric Crump, st_DarkArts,,,,,,
sdrake, Stacey Drake, st_DarkArts,,,,,,
wevens,WilliamEvens,st_DarkArts,,,,,,
jjenkins,JohnnyJenkins,st_DarkArts,,,,,,
ljennings, Larry Jennings, st_DarkArts,,,,,,
sjogkaew, Somchai Jogkaew, st_DarkArts,,,,,,
mkowalski, Megan Kowalski, st_DarkArts,,,,,,
mnowak, Miles Nowak, st_DarkArts,,,,,,
oolympio, Olantunde Olympio, st_DarkArts,,,,,,
rsampathkumaran, Ramanujan Sampathkumaran, st_DarkArts,,,,,,
rschwien,RobertSchwien, st_DarkArts,,,,,,
2.3 Some critical files in editable mode

2.3.1 Numbers of critical files could be edited with sudo –s command in 192.168.199.106

User ID ‘0’ stands for root and it could be edited. Group ID ‘0’ stands for the root group and it could be edited.

Figure: /etc/passwd screenshot
This is the encrypted form of the password. It could be deleted.

Figure: /etc/shadow screenshot
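As an added example (not part of the original report), the following Python script audits passwd-style records and file modes for the conditions the two screenshots above illustrate: extra UID 0 or GID 0 accounts, accounts with an empty password field, and /etc/passwd or /etc/shadow left reachable by users other than the owner. The sample records and modes are constructed; the script does not touch the live files.

```python
"""Audit passwd records and file modes for the weaknesses shown in section 2.3.

Added example, not part of the original report. Sample input is constructed;
nothing on the host is read or changed.
"""
import stat

# Constructed sample of /etc/passwd content (not taken from 192.168.199.106).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
hpotter:x:1000:1000:Harry Potter:/home/hpotter:/bin/bash
backdoor:x:0:0:looks harmless:/tmp:/bin/bash
svc::1001:0:service account:/var/svc:/bin/sh
broken line without fields
"""


def parse_passwd(text):
    """Parse passwd text into dicts; malformed lines are reported, not silently dropped."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(lineno)
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        try:
            records.append({"name": name, "pw": pw, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell})
        except ValueError:          # non-numeric uid/gid
            malformed.append(lineno)
    return records, malformed


def audit_accounts(records):
    """Flag accounts that an editor of /etc/passwd could have planted or weakened:
    extra UID 0 (root-equivalent), GID 0 (root group) and empty password fields."""
    return {
        "uid0": [r["name"] for r in records if r["uid"] == 0 and r["name"] != "root"],
        "gid0": [r["name"] for r in records if r["gid"] == 0 and r["name"] != "root"],
        "nopw": [r["name"] for r in records if r["pw"] == ""],
    }


def weak_file_modes(modes):
    """modes maps path -> st_mode (as returned by os.stat). /etc/passwd must not be
    writable by group/others; /etc/shadow must not be reachable by them at all."""
    findings = []
    for path, mode in modes.items():
        if path == "/etc/passwd" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
        if path == "/etc/shadow" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "accessible by group or others"))
    return findings


if __name__ == "__main__":
    recs, bad = parse_passwd(SAMPLE_PASSWD)
    print("account findings:", audit_accounts(recs), "malformed lines:", bad)
    # Constructed modes: world-writable passwd and world-readable shadow.
    for path, why in weak_file_modes({"/etc/passwd": 0o100666, "/etc/shadow": 0o100644}):
        print(path, why)
```

On a real host, replace SAMPLE_PASSWD with the contents of /etc/passwd and build the modes mapping from os.stat(path).st_mode.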
2.4 Accessible Security Policy on 192.168.199.99

Figure: Security Policy on 192.168.199.99
Figure: Computer Management on 192.168.199.99
Figure: Accessing admin group on 192.168.199.99
3. Key Recommendations

3.1 Technical

What we would like to do here is point out a few of the high level precautions that the client should take to try and address many of the security problems that were encountered. By addressing a few of these it may greatly improve your network's security.

i) Password Strength and Settings:
  a) While looking at the network, we were able to determine the passwords for several users using dictionary and brute force attacks. So, you should choose long passwords with a combination of all kinds of characters – for example #, numbers, capital letters, small letters etc.
  b) You should increase the minimum password length from 5 up to 8. The more of these that are required, the more the chance of breaking a password using a dictionary or brute force attack drops.
  c) Some hosts have the minimum password length set to ‘0’. Please change this to 8 or more.
  d) The lockout threshold should be set to a maximum of 3. It is set to “never” on most of the hosts.

ii) Open Ports: Several open ports were detected during the course of this test. Many of these ports are being used by possibly unneeded software. Blackjack was even present on 1 of the machines. A port that is open on the machine can be an open invitation to hackers and others that would want to get sensitive information. Filter, block or close any open port that is not being used. Also, an open port combined with a bad password can have very bad consequences.

Netbios ports 135 – 139/tcp netbios-ssn were found to be open on most of the computers. These are some of the most scanned ports on remote computers. Ports 135 - 139 are typically used for file/printer sharing, including directory replication with Active Directory, trusts, remote access of event logs, etc. Unless you want these
services, you can block these ports. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. If you must enable it, use the following guidelines:
  a) Use strong passwords, containing non-alphanumeric characters.
  b) Attach "$" at the end of your share names (the casual snooper using net view might not see them).
  c) Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a non-routable protocol).
  d) Block ports 135-139 in your router/firewall (vs. locally on the machine), which helps to stop outside users from seeing these ports.

iii) Pre-availability of harmful network tools: There are several hosts that have software of questionable use in an environment such as ACME Widgets. The excessive amount of exploitation software on Mr. Harry Potter’s machine 192.168.199.106 is a good example, for example metasploit, zenmap, nessus, fasttrack autopwn etc. Much of the software that is installed on that machine can easily be used to do damage to a network if it is put in the wrong hands. Additionally, we found a large stash of games from Disney and Ubisoft on the machine 198.168.199.222. While these games are for entertainment purposes, online play exposes the machine to unneeded risks.

iv) Users having the ability to install software introduces several risks, including the possibility of viruses and malware, as well as the use of system resources and the time needed to remove the software.

v) Many hosts need to have their security patches updated. The latter portion of the report discusses more about the security patches.

vi) The use of VNC software seems to be prevalent among the machines on the network. While there is nothing wrong with that, we would like to ask you to monitor the use of it.

vii) Continuous monitoring of the open ports in the firewall and network is required.
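As an added example (not part of the original report), the Python script below applies the password recommendations from item i) above to a set of credentials and compares observed account-policy settings with the recommended ones (minimum length 8, lockout threshold of at most 3). The credentials, policy values and mini word list are constructed; the rule requiring 3 of 4 character classes is an assumption chosen to make "a combination of all kinds of characters" checkable.

```python
"""Check credentials against the password recommendations of section 3.1 and
compare observed account-policy settings with the recommended ones.

Added example, not part of the original report. Sample credentials and policy
values are constructed; the character-class rule (3 of 4 classes) is an assumption.
"""
import string

MIN_LENGTH = 8                      # section 3.1 b) and c)
MAX_LOCKOUT_THRESHOLD = 3           # section 3.1 d); 0 means "never" on Windows
MIN_CLASSES = 3                     # assumption: 3 of upper/lower/digit/symbol
# Constructed mini word list; a real audit would load a full dictionary.
DICTIONARY = {"password", "hogwarts", "gryffindor", "slytherin", "admin"}


def character_classes(pw):
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(username, password):
    """Return the list of rules the password breaks (empty list means it passes)."""
    if password == "":
        return ["empty password"]
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() == username.lower():
        reasons.append("equals username")
    if character_classes(password) < MIN_CLASSES:
        reasons.append("fewer than %d character classes" % MIN_CLASSES)
    if password.lower() in DICTIONARY:
        reasons.append("dictionary word")
    return reasons


def audit_credentials(pairs):
    """Map each failing username to its reasons; passing accounts are omitted."""
    result = {}
    for username, password in pairs:
        reasons = check_password(username, password)
        if reasons:
            result[username] = reasons
    return result


def policy_gaps(observed):
    """Compare observed settings with the report's recommendations.
    Returns {setting: recommended value} for each setting that must change."""
    gaps = {}
    if observed.get("min_password_length", 0) < MIN_LENGTH:
        gaps["min_password_length"] = MIN_LENGTH
    threshold = observed.get("lockout_threshold", 0)
    if threshold == 0 or threshold > MAX_LOCKOUT_THRESHOLD:   # 0 == never lock out
        gaps["lockout_threshold"] = MAX_LOCKOUT_THRESHOLD
    return gaps


if __name__ == "__main__":
    # Constructed sample credentials shaped like the patterns in section 2.1.
    sample = [("admin", "admin"), ("gorkhali", "GORKHALI"), ("guest", ""),
              ("ksr", "1234hack"), ("svc", "Xy7!pQ2#vL")]
    for user, why in audit_credentials(sample).items():
        print(user, "->", ", ".join(why))
    print(policy_gaps({"min_password_length": 5, "lockout_threshold": 0}))
```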
3.2 Non - Technical

i) Physical Location of Computer Equipment: While inspecting Acme Widgets, we noticed that the servers were located in the basement of the building. This is not so much a penetration test security risk as a possible interruption of the business itself: there is always the possibility of flooding in a low lying location such as a basement. We would recommend that the servers be moved to a higher location where flooding is not as much of a possibility.

ii) All the computers seem to have low processing capacity. We would like to suggest that you increase the capacity so that programs can run smoothly on your computers.

iii) Back up your systems at regular intervals.

iv) Make sure the automatic updates of all the hosts are enabled so that each computer installs the latest security patches itself.

v) Make your users aware of the consequences of simple passwords and of the confidentiality of the information in your business.

vi) Make your users aware of the viruses around and their consequences. Also, tell them to scan anything that is unknown and suspicious.

vii) Tell your users not to download heavy files like movies, which can significantly increase the bandwidth traffic, and most of the sites offering them contain malware.

4. Methodology

4.1 Research

Our testing began with some basic research on the acme-widgets users. We were able to find out that one of the people responsible for your network is Mr. Harry J. Potter. We tried SSH login on public IP 98.28.11.223 with port number 22.

Guessing the username and password for the login was quite an easy task. With some research and some username-password combinations, we were able to determine the username as “hpotter” (combination of the initial of the first name and full last name of Harry Potter) and the password as “Hogwarts” (which is the school where he studied). Users typically choose passwords that have
special significance because they are easy to remember. Unfortunately, they are also easy to guess. This was how we got into the network.

4.2 The beginning phase – Analyzing the network

In the process of analyzing your network we got access to 192.168.199.106 and here is what we found.

It is a general purpose Linux machine running Linux bt 2.6.30.9 as an operating system and 00:08:02:8d:20:ce as its MAC address. Once we got into this machine, we discovered that it was already loaded with the following network utilities:
  • Network scanning and vulnerability finding utilities like zenmap, Nessus and Open-VAS, which can be used to scan the open ports and vulnerabilities on a remote host.
  • Network mapping tools like lanmap, which can be used to get information about the network structure.
  • Password sniffing or network monitoring tools like Wireshark, which can be used to monitor anything flowing through the network.
  • Exploiting tools like Metasploit and Fast-track Autopwn, which can be used to send exploits to a remote vulnerable host and compromise it.

The pre-availability of these tools on the 192.168.199.106 machine made it very easy for us to gather information about the rest of the network, the whole network itself and the vulnerabilities on each machine.

The information discovered about the network structure in the first place from the 192.168.199.106 host:
  • Besides this machine, there are 5 other hosts with IP addresses:
    o 192.168.199.70
    o 192.168.199.99
    o 192.168.199.222
    o 192.168.199.230
    o 192.168.199.232
  • Each of the hosts is on the same network of 192.168.199.0/24 with gateway 192.168.199.1 (my.firewall).
  • Besides acting as a gateway for network 192.168.199.0/24 with IP address 192.168.199.1, my.firewall (which has a public IP address of 98.28.11.223) also acts as a gateway for the other sub-network 192.168.0.0/24 with IP address 192.168.0.4.

4.3 Web Site Testing

Attempts were made to investigate the website at acme-widgets. However, several attempts to locate a website within the network were fruitless. Even looking on the server we were unable to establish a website. We put this in the report with the understanding that while a website may not exist, attempts to locate it were made.

5. Some pre-installed tools in the system

5.1 Wireshark

Wireshark is used to capture network traffic. There are a number of reasons to use this data. One reason is that often data is transmitted from computer to computer unencrypted and sensitive data such as passwords can be captured. Additionally, this software capture can also be used to identify other subnetworks or wireless networks.

Test Results

Based on 2 captures of data, we were unable to identify any passwords being transmitted to or from the network. Most of the traffic that we did see was basic traffic of a normal nature going between the systems. Additionally, we were not able to determine any wireless traffic or additional routers.
5.2 Metasploit

Metasploit is a program designed to run tests against the open ports of a computer. For example, if a machine has a port open that has a known vulnerability (or weakness), Metasploit can be used to streamline the testing process and attempt to gain access to the machine. From there, whoever is running the exploit can have access to everything on the computer.

Test Results

Based on our port scan results, we were successfully able to penetrate every machine on the network using several different methods. More of this information will be located in the section on vulnerabilities.

5.3 Cain n Abel

Cain is a utility that is used to run attacks on encrypted passwords. Once we were able to access the SAM files on some of the PCs we were able to use Cain to decrypt the passwords using a variety of dictionary and brute force attacks.

Test Results

Once we had gained access to the machines, we were able to successfully download the SAM file. The SAM file is essentially the password and login file. We were able to identify several users such as Severus Snape, DADDY, Barcelona, Aman, and GORKHALI. When we ran these passwords against a dictionary attack we were able to find a few passwords. For example, user ‘GORKHALI’ has a password that mirrored his username.

5.4 Fast track Autopwn

Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network.
Fast-Track utilizes large portions of the Metasploit Framework in order to complete successful attacks. Fast-Track has a wide variety of unique attacks that allow utilizing the Metasploit Framework to its maximum potential.

This is the syntax of the command that we used throughout our testing process:

./fast-track.py -c 2 <IP> -r

Where c = command line and r = reverse.

5.5 Nessus

Nessus is a vulnerability scanner tool which is used to scan a machine and detect the open ports and security holes in it. Besides this, it also offers a solution for each finding, with its probable consequence.

5.6 Zenmap

Zenmap is the official Nmap security scanner GUI. Zenmap is another vulnerability scanner tool which is used to perform different levels of scans on a machine. It helps to find the open ports on the machine, the operating system and many more things.

5.7 Open-VAS

Open-VAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.
6. Scan results for each machine in network 192.168.199.0/24

** Vulnerability information based on information provided by Nessus

6.1 192.168.199.70

Port Scan
Machine: 192.168.199.70
Operating System: Windows NT
Machine Security Status: Poor

Protocol  Port     Program       Status
High Level Vulnerabilities
Tcp       21       ftp           Open
Http      80                     Open
Tcp       135      Epmap         Open
Tcp       139      Netbios-ssn   Open
Tcp       General
Mid Level Vulnerabilities
Udp       137      Netbios-ns    Open
Low Level Vulnerabilities
Tcp       70       Gopher        Open
Tcp       1028     Unknown       Open
Tcp       1030     Iad1          Open

Figure: Open ports in the host 192.168.199.70
Repartition of the level of security problems

Summary

The .70 NT machine is full of things that a hacker could use to gain access to the machine. There is an open FTP port that allows anonymous access. The administrator account does not have a password. Additionally, there are a few ways for a non-administrator to elevate his access on this machine. These are noted below. Please update your service patches on this machine, or otherwise move it to a more secure operating system.

High Level Vulnerability Analysis for machine 192.168.199.70

Vulnerability found on port ftp (21/tcp)
  • It was possible to make the remote FTP server crash by creating a huge directory structure. This is usually called the wu-ftpd buffer overflow even though it affects other FTP servers. It is very likely that an attacker can use this flaw to execute arbitrary code on the remote server. This will give him a shell on your system, which is not a good thing.
  • Solution: Upgrade your FTP server. Consider removing directories writable by anonymous.
  • Risk factor : High
  • CVE : CVE-1999-0368, CVE-1999-0878, CVE-1999-0879, CVE-1999-0950
Vulnerability found on port ftp (21/tcp)
  • The remote FTP server closes the connection when a command is too long or is given a too long argument. This is probably due to a buffer overflow; this allows anyone to execute arbitrary code on the remote host. This problem is threatening, because the attackers don't need an account to exploit this flaw.
  • Solution : Upgrade your FTP server or change it
  • Risk factor : High
  • CVE : CAN-2000-0133, CVE-2000-0943, CAN-2002-0126, CVE-2000-0870, CAN-2000-1035, CAN-2000-1194, CAN-2000-1035

Vulnerability found on port http (80/tcp)
  • When IIS receives a user request to run a script, it renders the request in a decoded canonical form which performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server.
  • Solution: See MS advisory MS01-026 (superseded by MS01-044). Please see the details on http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
  • Risk factor : High
  • CVE : CVE-2001-0507, CVE-2001-0333

Vulnerability found on port netbios-ssn (139/tcp)
  • The following registry keys are writeable by users who are not in the admin group : HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug. These keys contain the name of the program that shall be started when the computer starts. The users who have the right to modify them can easily make the admin run a trojan program which will give them admin privileges.
  • Solution: Use regedt32 and set the permissions of this key to :
    - Admin group : Full Control
    - System : Full Control
    - Everyone : Read
    Make sure that Power Users do not have any special privilege for this key.
  • Risk factor : High
  • CVE : CAN-1999-0589

Vulnerability found on port netbios-ssn (139/tcp)
  • The following shares can be accessed as hpotter : .nessus_test_2 IE 5.5 SP1 Full Q244599i.EXE 41414141 ie401sp1.exe Q246009i.EXE CVGRKQNGJI ie55sp1.exe Q831167.exe DTDJMCEKJZ ie5setup sp4rk_i386.Exe FISNOBUAOF ie6setup.exe XXXXXXXXXX GUVPBZPJCR nessus_test
  • Solution : To restrict their access under Windows NT, open the explorer, do a right click on each, go to the sharing tab, and click on permissions
  • Risk factor : High
  • CVE : CAN-1999-0519, CAN-1999-0520

Vulnerability found on port netbios-ssn (139/tcp)
  • The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is writeable by users who are not in the admin group. This key contains a value which defines which program should be run when a user logs on. As this program runs in the SYSTEM context, the users who have the right to change the value of this key can gain more privileges on this host.
  • Solution : use regedt32 and set the permissions of this key to :
    - admin group : Full Control
    - system : Full Control
    - everyone : Read
  29. 29. • Risk factor : High CVE : CAN-1999-0589Vulnerability found on port netbios-ssn (139/tcp) • The registry key HKLMSYSTEMCurrentControlSetControlSecurePipeServersWinreg is missing. This key allows you to define what can be viewed in the registry by non administrators. • Solution : install service pack 3 if not done already, and create and create SYSTEMCurrentControlSetControlSecurePipeServersWinregAllowedPaths Under this key, create the value Machine as a REG_MULTI_SZ and put in it what you allow to be browsed remotely. • Reference : http://www.microsoft.com/technet/prodtechnol/winntas/maintain/mngntreg/admreg.as p • Risk factor : MediumVulnerability found on port netbios-ssn (139/tcp) • It seems that is was possible to crash the remote windows remotely by sending a specially crafted packet. An attacker may use this flaw to prevent this host from working properly. This attack is known as SMBDie • Solution : http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx ( It is the link to the patch solution) • Risk factor : High • CVE : CAN-2002-072427 | ACME-Widgets Inc. Penetration Testing Report
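The double-decoding flaw behind the IIS finding on port 80 (MS01-026, CVE-2001-0333) is easier to see in code than in the scanner's description. The Python below is an added example written for this report, not code from the report or from Microsoft: it models the flawed pipeline (decode once, run the traversal check, decode a second time, use the result) next to the corrected order. The web root /inetpub/scripts and the request paths are assumptions made for the illustration; the doubly encoded backslash "..%255c.." is the classic form of the exploit request.

```python
"""Added example: the IIS double-decode flaw (MS01-026) modelled in Python.
Not code from the report; the web root and request paths are assumptions."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/inetpub/scripts"   # assumed mapping of the /scripts virtual directory


def _resolve(decoded: str) -> str:
    """Map a decoded request path onto the filesystem; IIS treats '\\' like '/'."""
    rel = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, rel))


def _has_traversal(decoded: str) -> bool:
    """The canonicalisation check: reject any '..' path component."""
    return ".." in decoded.replace("\\", "/").split("/")


def vulnerable_resolve(request_path: str) -> Optional[str]:
    """Flawed order: decode once, check, then decode AGAIN before use.
    '..%255c..' decodes to '..%5c..' (passes the check) and then to '..\\..'."""
    once = unquote(request_path)
    if _has_traversal(once):
        return None                 # the check sees no '..' component yet
    twice = unquote(once)           # the superfluous second decoding pass
    return _resolve(twice)


def fixed_resolve(request_path: str) -> Optional[str]:
    """Corrected order: decode until the string is stable, resolve, then verify
    that the final path is still inside the web root."""
    decoded = request_path
    for _ in range(8):              # bounded: '%2525...' nests only so deep in practice
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    target = _resolve(decoded)
    if target != WEB_ROOT and not target.startswith(WEB_ROOT + "/"):
        return None                 # escaped the web root after full decoding
    return target


if __name__ == "__main__":
    for req in ("hello.asp",
                "..%5c..%5cwinnt/system32/cmd.exe",       # single encoding: caught by the check
                "..%255c..%255cwinnt/system32/cmd.exe"):  # double encoding: the bug
        print(f"{req:<40} vulnerable -> {vulnerable_resolve(req)}  fixed -> {fixed_resolve(req)}")
```

Running the block shows the single-encoded request rejected by both versions, while the double-encoded one reaches /winnt/system32/cmd.exe only through the vulnerable order; the fix is not a better blacklist but checking the path after all decoding has happened.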
Mid Level Vulnerability Analysis for machine 192.168.199.70

Warning found on port netbios-ssn (139/tcp)
• The domain SID could be used to enumerate the names of the users of this domain. This gives extra knowledge to an attacker, which is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : hpotter (id 501)
- ACMEDC$ (id 1000)
- IUSR_ACMEDC (id 1001)
- backtrack (id 1002)
• Risk factor : Medium
• Solution : filter incoming connections to this port
CVE : CVE-2000-1200

Warning found on port netbios-ssn (139/tcp)
• Here is the list of the SMB shares of this host :
- NETLOGON - Logon server share
- ftproot
- ADMIN$ - Remote Admin
- IPC$ - Remote IPC
- C$ - Default share
This is potentially dangerous as it may help a potential attacker.
• Solution : filter incoming traffic to this port
• Risk factor : Medium

Warning found on port netbios-ns (137/udp)
• The following 11 NetBIOS names have been gathered :
- ACMEDC = This is the computer name
- ACMEDC
- ACME = Workgroup / Domain name
- ACME = Workgroup / Domain name (Domain Controller)
- ACME
- ACMEDC = This is the current logged in user or registered workstation name
- INet~Services = Workgroup / Domain name (Domain Controller)
- IS~ACMEDC
- ACME = Workgroup / Domain name (part of the Browser elections)
- ACME
- __MSBROWSE__
The remote host has the following MAC address on its adapter : 00:0c:29:c7:26:b9
• If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621

Low Level Vulnerability Analysis for machine 192.168.199.70

Warning found on port ftp (21/tcp)
• This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, you should deactivate the anonymous account, since it may only cause trouble.
• Risk factor : Low
CVE : CAN-1999-0497

Warning found on port epmap (135/tcp)
• Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
• Solution : filter incoming traffic to this port.
• Risk factor : Low
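The NetBIOS name tables in this report come from a node status (NBSTAT) query on 137/udp; the scanner's annotations ("computer name", "Domain Controller", "part of the Browser elections") are only the meaning of the 16th byte of each registered name, and the MAC address is the UNIT_ID field of the same reply. The decoder below is an added example written for this report, not Nessus code: it parses the RDATA of an RFC 1002 node status response and labels every name by suffix and group flag, flags a domain controller by the <1C> group name, and recognises the all-zero UNIT_ID that the .106 finding later uses to identify Samba. The byte string it parses is constructed here from seven of the eleven ACMEDC names and the MAC address reported above; the suffix table is the standard Microsoft one.

```python
"""Added example: decode an RFC 1002 NetBIOS node status response, the query
behind the "NetBIOS names have been gathered" findings. Not scanner code."""
import struct
from typing import List, Tuple

# Meaning of the 16th byte of a NetBIOS name, keyed by (suffix, group flag).
# Standard Microsoft suffix table, e.g. ACME<1C> (group) = domain controllers.
SUFFIX_MEANING = {
    (0x00, False): "computer name (workstation service)",
    (0x00, True):  "workgroup / domain name",
    (0x01, True):  "master browser (__MSBROWSE__)",
    (0x03, False): "messenger service (logged-in user or computer name)",
    (0x1B, False): "domain master browser",
    (0x1C, True):  "domain controllers",
    (0x1D, False): "master browser",
    (0x1E, True):  "browser service elections",
    (0x20, False): "file server service",
}

NameEntry = Tuple[str, int, bool, str]   # (name, suffix, is_group, meaning)


def parse_node_status(rdata: bytes) -> Tuple[List[NameEntry], str]:
    """Parse NUM_NAMES, the 18-byte NODE_NAME entries (16-byte name including
    the suffix, then 2 NAME_FLAGS bytes) and the UNIT_ID (adapter MAC) that
    opens the STATISTICS block."""
    num_names = rdata[0]
    off = 1
    entries: List[NameEntry] = []
    for _ in range(num_names):
        raw_name = rdata[off:off + 16]
        (flags,) = struct.unpack(">H", rdata[off + 16:off + 18])
        off += 18
        suffix = raw_name[15]
        is_group = bool(flags & 0x8000)                     # G bit of NAME_FLAGS
        text = raw_name[:15].decode("latin-1").rstrip(" ")
        text = "".join(ch for ch in text if ch.isprintable())  # __MSBROWSE__ carries \x01\x02 framing
        meaning = SUFFIX_MEANING.get((suffix, is_group), "unknown suffix")
        entries.append((text, suffix, is_group, meaning))
    mac = ":".join(f"{b:02x}" for b in rdata[off:off + 6])
    return entries, mac


def is_domain_controller(entries: List[NameEntry]) -> bool:
    """A host registering <domain>[1C] as a group name is a domain controller."""
    return any(suffix == 0x1C and group for _, suffix, group, _ in entries)


def is_samba_like(mac: str) -> bool:
    """Samba answers with an all-zero UNIT_ID; Windows returns the real adapter MAC."""
    return mac == "00:00:00:00:00:00"


def _node_name(name: bytes, suffix: int, group: bool) -> bytes:
    flags = (0x8000 if group else 0) | 0x0400   # G bit plus ACT (name is active)
    return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)


def build_sample_response() -> bytes:
    """Constructed RDATA reproducing part of the ACMEDC table and its reported MAC."""
    names = [
        _node_name(b"ACMEDC", 0x00, False),
        _node_name(b"ACME", 0x00, True),
        _node_name(b"ACME", 0x1C, True),
        _node_name(b"ACMEDC", 0x03, False),
        _node_name(b"INet~Services", 0x1C, True),
        _node_name(b"ACME", 0x1E, True),
        _node_name(b"\x01\x02__MSBROWSE__\x02", 0x01, True),
    ]
    mac = bytes.fromhex("000c29c726b9")
    return bytes([len(names)]) + b"".join(names) + mac + bytes(40)   # rest of STATISTICS zeroed


if __name__ == "__main__":
    found, adapter = parse_node_status(build_sample_response())
    for name, suffix, group, meaning in found:
        print(f"{name:<15}<{suffix:02X}> {'GROUP ' if group else 'UNIQUE'} {meaning}")
    print("MAC:", adapter, "| domain controller:", is_domain_controller(found))
```

The same decoder applies to the WORKMASTER, BT and ACME-W2K-01 tables later in the report; what the scanner prints as "Workgroup / Domain name (Domain Controller)" is simply a group name with suffix 0x1C.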
Warning found on port netbios-ssn (139/tcp)
• The Alerter service is running. This service allows NT users to send pop-up messages to each other. It can be abused by an attacker who can trick valid users into doing actions that may harm their accounts or your network (social engineering attack).
• Solution : Disable this service.
• Risk factor : Low
How to disable this service under NT 4 :
- open the Services control panel
- select the Alerter service, and click Stop
- click on Startup... and change the radio button of the field Startup Type from Automatic to Disabled
CVE : CAN-1999-0630

Warning found on port netbios-ssn (139/tcp)
• The remote registry can be accessed remotely using the login / password combination used for the SMB tests. Having the registry accessible to the world is not a good thing as it gives extra knowledge to an attacker.
• Solution : Apply Service Pack 3 if not done already, and set the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg to restrict what can be browsed by non-administrators. In addition, you should consider filtering incoming packets to this port.
• Risk factor : Low
CVE : CAN-1999-0562

Warning found on port netbios-ssn (139/tcp)
• The domain SID can be obtained remotely. Its value is :
ACME : 5-21-1730571904-1379865857-4547331
An attacker can use it to obtain the list of the local users of this host.
• Solution : filter the ports 137 to 139 and 445
• Risk factor : Low
CVE : CVE-2000-1200

Warning found on port netbios-ssn (139/tcp)
• Here is the browse list of the remote host :
- ACME-W2K-01
- ACMEDC
This is potentially dangerous as it may help a potential attacker by giving him extra targets to check.
• Solution : filter incoming traffic to this port
• Risk factor : Low

Warning found on port netbios-ssn (139/tcp)
• The following accounts have passwords which never expire :
- Administrator
Passwords should have a limited lifetime.
• Solution : disable password non-expiry
• Risk factor : Medium

Warning found on port netbios-ssn (139/tcp)
• The remote host seems to be a Primary Domain Controller or a Backup Domain Controller. This can be told from the value of the registry key ProductType under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions. This knowledge may be of some use to an attacker and help him focus his attack on this host.
• Solution : filter the traffic going to this port
• Risk factor : Low
CVE : CAN-1999-0659
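The RID-to-name list in the mid-level findings and the ACME domain SID above are the two halves of RID cycling (CVE-2000-1200): once the domain SID is known, candidate account SIDs are formed by appending RIDs and each one is resolved with LsarLookupSids, so the well-known RIDs 500 and 501 identify the Administrator and Guest accounts whatever they have been renamed to (on this host, hpotter is RID 501). The Python below is an added example written for this report, not scanner code. It normalises the SIDs in the form this report prints them (the S-1- prefix is dropped, and the double dashes in the BT and ACME-W2K-01 values reported for 192.168.199.106 and 192.168.199.230 are read as negative sub-authorities printed as signed 32-bit integers; that reading of the scanner output is an interpretation, not stated in the report) and simulates the lookup step against a directory constructed from the ACMEDC user list; a real enumeration would issue the lookups over MSRPC instead. Note that the "ACME" value reported for 192.168.199.230 differs from the ACME domain SID above, so it is that host's own machine SID rather than the domain's.

```python
"""Added example: normalise the SIDs as printed by the scanner and show how RID
cycling turns a domain/host SID into an account list (CVE-2000-1200).
Not code from the report; the directory below is constructed from its findings."""
from typing import Dict, Iterable, List, Tuple

# Relative IDs that mean the same thing in every Windows domain or host,
# whatever the account has been renamed to.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator (even if renamed)",
    501: "built-in Guest (even if renamed)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Constructed from the "(id NNN)" list reported for ACMEDC; a real enumeration
# would resolve each candidate SID with LsarLookupSids over MSRPC instead.
ACMEDC_PRINTED_SID = "5-21-1730571904-1379865857-4547331"
ACMEDC_DIRECTORY: Dict[int, str] = {
    500: "Administrator", 501: "hpotter", 1000: "ACMEDC$",
    1001: "IUSR_ACMEDC", 1002: "backtrack",
}


def normalize_sid(printed: str) -> str:
    """Turn '5-21-a-b-c' (as printed in this report) into 'S-1-5-21-a-b-c'.
    An empty field produced by '--' means the next sub-authority was printed as
    a negative signed 32-bit integer; it is mapped back to its unsigned value."""
    body = printed.strip()
    if body.upper().startswith("S-1-"):
        body = body[4:]
    values: List[int] = []
    negate = False
    for field in body.split("-"):
        if field == "":
            negate = True
            continue
        values.append(-int(field) if negate else int(field))
        negate = False
    authority, subs = values[0], values[1:]
    return "S-1-" + "-".join([str(authority)] + [str(v & 0xFFFFFFFF) for v in subs])


def rid_cycle(base_sid: str, rids: Iterable[int]) -> List[str]:
    """Candidate account SIDs an attacker submits for lookup."""
    return [f"{base_sid}-{rid}" for rid in rids]


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "account created after setup (user or machine$)" if rid >= 1000 else "unassigned"


def enumerate_accounts(directory: Dict[int, str], base_sid: str,
                       rids: Iterable[int]) -> Dict[str, Tuple[str, str]]:
    """Simulated LsarLookupSids: only SIDs that exist resolve to a name.
    Returns {sid: (name, what the RID tells us)}."""
    found: Dict[str, Tuple[str, str]] = {}
    for sid in rid_cycle(base_sid, rids):
        rid = int(sid.rsplit("-", 1)[1])
        if rid in directory:
            found[sid] = (directory[rid], describe_rid(rid))
    return found


if __name__ == "__main__":
    for printed in (ACMEDC_PRINTED_SID,
                    "5-21-417406534--924645799--698956383",      # BT, 192.168.199.106
                    "5-21--1552363205--155084131--731358600"):  # ACME-W2K-01, 192.168.199.230
        print(f"{printed:<42} -> {normalize_sid(printed)}")
    base = normalize_sid(ACMEDC_PRINTED_SID)
    for sid, (name, role) in enumerate_accounts(ACMEDC_DIRECTORY, base, range(500, 1100)).items():
        print(f"{sid}  {name:<14} {role}")
```

The practical point for the remediation advice above ("filter the ports 137 to 139 and 445") is that RID cycling needs nothing but the SID and a null or guest session, and that renaming the Administrator account does not hide it: RID 500 gives it away.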
Information found on port netbios-ssn (139/tcp)
• It was possible to log into the remote host using the following login/password combinations :
- guest/
It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user guest access. To prevent null sessions, see MS KB articles Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$. Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
The remote host defaults to guest when a user logs in using an invalid login.
• CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117

Information found on port netbios-ssn (139/tcp)
• The following users are in the domain administrator group :
- Administrator
You should make sure that only the proper users are members of this group.
• Risk factor : Low

Information found on ports unknown (1028/tcp) and (1030/tcp)
• Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.
• Solution : filter incoming traffic to this port.
• Risk factor : Low

Warning found on port general/tcp
• The remote host accepts loose source routed IP packets. The feature was designed for testing purposes. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself.
• Solution : drop source routed packets on this host or on other ingress routers or firewalls.
• Risk factor : Low

6.2 192.168.199.99 Port Scan
Machine: 192.168.199.99
Operating System: Windows 2003 Server / Windows .NET
Security Status: Good

Protocol  Port  Program        Status
High Level Vulnerabilities
Tcp       135   Epmap          Open
Mid Level Vulnerabilities
Udp       137   Netbios-ns     Open
Tcp       139   netbios-ssn    Open
Tcp       3389  Ms-wbt-server  Open
Tcp       5800  Vnc-http       Open
Icmp      General
Low Level Vulnerabilities
Tcp       80    Http           Open
Tcp       1024  Kdm            Open
Tcp       1026  Cap            Open
Tcp       1029  Ms-lsa         Open
Tcp       4757  Unknown        Open
Tcp       5900  Vnc            Open
Figure: Open ports on host 192.168.199.99
Figure: Repartition of the level of security problems

Summary
The machine with the IP address 192.168.199.99 appears to be a standard Windows server. While we were able to find an existing exploit to gain access to the machine, we were unable to do anything other than gain a user list and a copy of the passwords file. Looking for sensitive information on this machine, we were unable to locate any. Additionally, while this does appear to be a web server machine, we were unable to find a corresponding website tied to it. In the future, the client will probably want to apply the appropriate solutions to rectify the situation. Additionally, there is remote access into the server through VNC software. This needs to be addressed.

High Level Vulnerability Analysis for machine 192.168.199.99

Vulnerability found on port epmap (135/tcp)
• Description of Vulnerability: The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one worm which is currently exploiting this vulnerability, namely the MSBlaster worm.
• Solution: Please download a patch from http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
• Risk factor : High
CVE : CAN-2003-0352
• We obtained shell access to this machine using the exploit module windows/dcerpc/ms03_026_dcom; the session was 192.168.199.106:40065 -> 192.168.199.99:1101
• Description of Vulnerability: Microsoft Windows platforms contain a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface that does not properly sanitize remote requests.
• Solution: Please download a patch from http://www.microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en

Mid Level Vulnerability Analysis for machine 192.168.199.99

Vulnerabilities found on port netbios-ns (137/udp)
• Description of Vulnerability: The following 3 NetBIOS names have been gathered :
- WORKMASTER = This is the computer name registered for workstation services by a WINS client.
- ACME = Workgroup / Domain name
- ACME = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter : 00:02:a5:97:ce:02
• Solution: If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621

Warning found on port ms-wbt-server (3389/tcp)
• Description of Vulnerability: Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
• Solution : Disable Terminal Services if you do not use them, and do not allow this service to run across the Internet. The patch can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=EFD642EF-95E2-4A99-8FFD-6032D86282A2
• Risk factor : Medium
CVE : CVE-2001-0540

Warning found on port vnc-http (5800/tcp)
• Description of Vulnerability: The remote server is running VNC. VNC permits a console to be displayed remotely.
• Solution: Disable VNC access from the network by using a firewall, or stop the VNC service if not needed.
• Risk factor : Medium

Low Level Vulnerability Analysis for machine 192.168.199.99

Warning found on port epmap (135/tcp)
• Description of Vulnerability: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
• Solution: filter incoming traffic to this port.
• Risk factor : Low

Warning found on port netbios-ssn (139/tcp)
• Description of Vulnerability: An rfpoison packet has been sent to the remote host. This packet is supposed to crash the services.exe process, rendering the system unstable. If you see that this attack was successful, have a look at this page: http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
• CVE : CVE-1999-0980

Information found on port cap (1026/tcp), (1029/tcp) and (4757/tcp)
• Description of Vulnerability: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
• Solution: filter incoming traffic to this port.
• Risk factor : Low

Information found on port vnc (5900/tcp)
• Description: The remote server is running VNC, software which permits a console to be displayed remotely. This allows users to control the host remotely.
• Solution: Make sure the use of this software is done in accordance with your corporate security policy and filter incoming traffic to this port.

Vulnerability found on MS-LSA
• The Windows Local Security Authority Subsystem Service (LSASS) contains a vulnerability that may permit an attacker to completely compromise the system. More information at http://www.kb.cert.org/vuls/id/753212. Microsoft notes that while the vulnerability exists in Windows Server 2003, it could only be exploited by a local administrator.
• Solution: The patch can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF-453E-AE7E-7495864E8D8C&displaylang=en
6.3 192.168.199.106 Port Scan
Machine: 192.168.199.106
Operating System: Linux 2.6.30.9

Protocol  Port  Program       Status
High Level Vulnerabilities
Tcp       445   Microsoft-ds  Open
Tcp       General             Open
Mid Level Vulnerabilities
Tcp       1241  Nessus        Open
Tcp       139   Netbios-ssn   Open
Udp       137   Netbios-ns    Open
Low Level Vulnerabilities
Tcp       22    Ssh           Open
Figure: Open ports on host 192.168.199.106

Figure: Repartition of the level of security problems
Summary
Many of the problems with the .106 machine are listed above. However, this Linux box is primed with a large array of penetration testing tools. Again, we would question the need to have this kind of software on the computer. The machine itself suffers from weak passwords and open shares.

Critical Issues
• Easily guessed username and password
Knowing that Harry Potter is one of the administrators, it was quite easy to guess the username "hpotter" and, with simple research, the password "Hogwarts".
• Improper configuration of the sudoers file, which gives a user access equal to the root user
With the sudo -s command, the "hpotter" user can access files such as:
- /etc/security/access.conf, where the login access for any user can be modified.
- /etc/shadow and /etc/passwd, where the password and details of any user can be read and modified. For example, changing a user's UID and GID to 0 turns that user into a superuser, or any user's password could be removed.
- Any kind of software program could be installed on the system.

High Level Vulnerabilities Analysis for 192.168.199.106

Vulnerability found on port microsoft-ds (445/tcp)
• An attacker can use this port to list all the users and to share files and folders over the network. It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user guest access.
• It was possible to log into the remote host using the following login/password combinations :
- administrator/
- administrator/administrator
- guest/
- guest/guest
• CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
• Solution: This port should be turned off or filtered if needed.

Mid-level Vulnerabilities Analysis for 192.168.199.106

Warning found on port netbios-ns (137/udp)
• The following 7 NetBIOS names have been gathered :
- BT = This is the computer name registered for workstation services by a WINS client.
- BT = This is the current logged in user registered for this workstation.
- BT = Computer name
- __MSBROWSE__
- WORKGROUP
- WORKGROUP = Workgroup / Domain name (part of the Browser elections)
- WORKGROUP = Workgroup / Domain name
• This SMB server seems to be a Samba server (this is not a security risk; this is just for information). This can be told because the server claims to have a null MAC address.
• If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621

Low Level Vulnerabilities Analysis for 192.168.199.106

Warning found on port microsoft-ds (445/tcp)
• Here is the browse list of the remote host :
- BT
This is potentially dangerous as it may help a potential attacker by giving him extra targets to check.
• Solution: filter incoming traffic to this port
• Risk factor : Low

Warning found on port microsoft-ds (445/tcp)
• The host Security Identifier (SID) can be obtained remotely. Its value is :
BT : 5-21-417406534--924645799--698956383
• An attacker can use it to obtain the list of the local users of this host
• Solution : filter the ports 137-139 and 445
• Risk factor : Low
• CVE : CVE-2000-1200

6.4 192.168.199.222 Port Scan
Machine: 192.168.199.222
Operating System: Windows 2003 Server / Windows .NET
Security Status: Good

Protocol  Port  Program        Status
High Level Vulnerabilities
Tcp       912   Apex-mesh      Open
Tcp       General
Mid Level Vulnerabilities
Tcp       3389  Ms-wbt-server  Open
Low Level Vulnerabilities
Tcp       902   Ideafarm-chat  Open
Tcp       8222  Unknown        Open
Tcp       8333  Unknown        Open
Udp       0     General
Figure: Open ports on host 192.168.199.222
Figure: Repartition of the level of security problems

Summary
This machine was for the most part hard to get any information out of. As a matter of fact, we were only able to gain access to this machine on one night. This machine appears to be running a mail server as well as VMware. When we did have access we noticed that large amounts of entertainment software were installed. These should be removed because of the unintended side effects that having them can have with both malware and viruses.

High Level Vulnerabilities Analysis for Machine 192.168.199.222

Vulnerability found on port apex-mesh (912/tcp)
• Description of Vulnerability: It was possible to perform a denial of service against the remote InterScan SMTP server by sending it a specially long HELO command. This problem allows an attacker to prevent your InterScan SMTP server from handling requests.
• Solution: contact your vendor for a patch.
• Risk factor : High
• CVE : CAN-1999-1529

Mid Level Vulnerabilities Analysis for Machine 192.168.199.222

Warning found on port ms-wbt-server (3389/tcp)
• Description of Vulnerability: Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
• Solution : Disable Terminal Services if you do not use them, and do not allow this service to run across the Internet
• Risk factor : Medium
• CVE : CVE-2001-0540

Warning found on port apex-mesh (912/tcp)
• Description of Vulnerability: This SMTP server is running on a non-standard port. This might be a backdoor set up by crackers to send spam or even control your machine.
• Solution: Check and clean your configuration
• Risk factor : Medium

Low Level Vulnerabilities Analysis for Machine 192.168.199.222

Information found on port ideafarm-chat (902/tcp)
• A VMware authentication daemon is running on this port:
220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,

Information found on port ideafarm-chat (902/tcp)
• An SMTP server is running on this port
Nessus ID : 14773

Information found on port ideafarm-chat (902/tcp)
• Description of Vulnerability: According to its banner, the remote host appears to be running a VMware server authentication daemon, which likely indicates the remote host is running VMware ESX or GSX Server. See also : http://www.vmware.com/
• Risk factor : None

Information found on port apex-mesh (912/tcp)
• Description of Vulnerability: A VMware authentication daemon is running on this port:
220 VMware Authentication Daemon Version 1.0, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,

Information found on port apex-mesh (912/tcp)
• The SMTP server on this port answered with a 530 code to HELO requests. This means that it is unavailable because the OpenVAS server IP is not authorized or is blacklisted, or that the hostname is not consistent with the IP.
Note: the VMware authentication daemon's greeting begins with a 220 code, just like an SMTP banner, which is the likely reason the scanner also reported an SMTP server, the InterScan HELO denial of service and the "non-standard port" warning on the same ports 902 and 912. These findings should be verified by hand (for example by connecting to the port and checking that it does not speak SMTP) before the host is treated as a vulnerable mail server.

6.5 192.168.199.230 Port Scan
Machine: 192.168.199.230
Operating System: Windows 2003 Server / Windows .NET
Security Status : Good

Protocol  Port  Program       Status
High Level Vulnerabilities
Tcp       135   Epmap         Open
Tcp       139   Netbios-ssn   Open
Tcp       445   Microsoft-ds  Open
Mid Level Vulnerabilities
Icmp      general             Open
Tcp       general             Open
Udp       137   netbios-ns    Open
Low Level Vulnerabilities
Tcp       1030  Iad1          Open
Udp       1031  Iad2          Open
Udp       General             Open
Figure: Open ports on host 192.168.199.230

Figure: Repartition of the level of security problems

Summary
The 192.168.199.230 machine seems to be fairly secure. When we were able to access the machine, we did not find much other than the typical weak user passwords.

High Level Vulnerabilities Analysis of 192.168.199.230

Vulnerability found on port epmap (135/tcp)
• The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.
• Solution: Please check this link http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
• Risk factor : High
• CVE : CAN-2003-0352

Vulnerability found on port netbios-ssn (139/tcp)
• It was possible to crash the remote host using the rfpar‌alyze denial of service attack.
• Solution: contact Microsoft for a patch. Meanwhile, filter incoming TCP connections to this port
• Risk factor : High

Vulnerability found on port microsoft-ds (445/tcp)
• The remote Windows 2000 host does not have Service Pack 4 applied. It uses Service Pack 1 instead.
• Risk factor : High
• Solution: Please update the service pack; see http://www.microsoft.com/windows2000/downloads/
CVE : CAN-1999-0662
Note: this check, the host name ACME-W2K-01 and the WINNT directory in the C$ listing below all indicate Windows 2000, not the Windows 2003 Server reported by the OS fingerprint in the port scan table; the patch list for this host should be built for Windows 2000.

Vulnerability found on port microsoft-ds (445/tcp)
• The following registry key is writeable by users who are not in the admin group :
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
This key contains the names of programs that are started automatically at logon. Users who have the right to modify it can easily make the admin run a trojan program, which will give them admin privileges.
• Solution: use regedt32 and set the permissions of this key to :
- Admin group : Full Control
- System : Full Control
- Everyone : Read
• Make sure that Power Users do not have any special privilege for this key.
• Risk factor : High
CVE : CAN-1999-0589

Vulnerability found on port microsoft-ds (445/tcp)
• Incorrect VBScript handling in IE can allow web pages to read local files.
Impact of vulnerability: Information Disclosure
Affected Software: Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6.0
• Reference: http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx and Microsoft Article Q319847, "MS02-009 May Cause Incompatibility Problems Between VBScript and Third-Party Applications"
• Risk factor : High
CVE : CVE-2002-0052

Vulnerability found on port microsoft-ds (445/tcp)
• The remote Windows host has an ASN.1 library which is vulnerable to a flaw which could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
• Risk factor : High
CVE : CAN-2003-0818

Vulnerability found on port microsoft-ds (445/tcp)
• User administrator has NO password!
• The password of Dumbledore is Dumbledore!
• CVE : CAN-1999-0504, CAN-1999-0506

Vulnerability found on port microsoft-ds (445/tcp)
• The following shares can be accessed as Dumbledore :
- system32 - (readable?)
• Solution : To restrict their access under Windows NT, open the Explorer, right-click on each share, go to the Sharing tab, and click on Permissions
• Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520

Vulnerability found on port microsoft-ds (445/tcp)
• The remote host is vulnerable to a flaw in the Windows Script Engine, which provides Windows with the ability to execute script code. To exploit this flaw, an attacker would need to lure a user on this host to visit a rogue website or to send him an HTML e-mail with malicious code in it.
• Solution : Please download the patch from http://www.microsoft.com/technet/security/bulletin/ms03-008.mspx
• Risk factor : Medium
CVE : CAN-2003-0010

Vulnerability found on port microsoft-ds (445/tcp)
• The account administrator/ (blank password) is valid. The worm W32/Deloder may use it to break into the remote host and upload infected data to the remote shares. See also : CERT advisory CA-2003-08
• Solution : Change your administrator password to a stronger one
• Risk factor : High

Vulnerability found on port microsoft-ds (445/tcp)
• It seems that it was possible to crash the remote Windows host remotely by sending a specially crafted packet. An attacker may use this flaw to prevent this host from working properly. This attack is known as SMBDie.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx
• Risk factor : High
CVE : CAN-2002-0724
Mid Level Vulnerabilities Analysis of Machine 192.168.199.230

Warning found on port microsoft-ds (445/tcp)
• The host SID could be used to enumerate the names of the local users of this host. This gives extra knowledge to an attacker, which is not a good thing :
- Administrator account name : administrator (id 500)
- Guest account name : Guest (id 501)
- smas (id 1001)
- GORKHALI (id 1002)
- kechasolti (id 1004)
- ser (id 1005)
- aman (id 1007)
- barcelona (id 1008)
- Severus.Snape (id 1009)
- Dumbledore (id 1011)
- Morpheus (id 1013)
- hack (id 1017)
- Nepali (id 1018)
- ksr (id 1019)
• Risk factor : Medium
• Solution : filter incoming connections to this port
CVE : CVE-2000-1200

Warning found on port microsoft-ds (445/tcp)
• The list of the SMB shares of this host could be obtained :
- system32
- IPC$ - Remote IPC
- ADMIN$ - Remote Admin
- C$ - Default share
This is potentially dangerous as it may help a potential attacker.
• Solution : filter incoming traffic to this port
• Risk factor : Medium

Warning found on port microsoft-ds (445/tcp)
• The following local accounts have passwords which never expire : administrator, aman, and Severus.Snape. Passwords should have a limited lifetime.
• Solution : disable password non-expiry
  52. 52. • Risk factor : MediumWarning found on port netbios-ns (137/udp) • The following 6 NetBIOS names have been gathered : ACME-W2K-01 = This is the computer name registered for workstation services by a WINS client. ACME = Workgroup / Domain name ACME-W2K-01 = This is the current logged in user registered for this workstation. ACME-W2K-01 = Computer name ACME-W2K-01$ = This is the current logged in user registered for this workstation. ACME = Workgroup / Domain name (part of the Browser elections) The remote host has the following MAC address on its adapter : 00:03:ff:96:ce:02. • Solution: If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. • Risk factor : Medium CVE : CAN-1999-0621Low Level Vulnerabilities Analysis of Machine 192.168.199.230Information found on port netbios-ssn (139/tcp) • An SMB server is running on this portInformation found on port microsoft-ds (445/tcp) • A CIFS server is running on this portInformation found on port microsoft-ds (445/tcp) • The following shares can be accessed as administrator : - C$ - arcldr.exe - arcsetup.exe - ASmith - - boot.ini - cd AUTOEXEC.BAT - CONFIG.SYS - Documents and - IO.SYS50 | ACME-Widgets Inc. Penetration Testing Report
  53. 53. Settings - MSDOS.SYS - net - NTDETECT.COM - ntldr - pagefile.sys - Program Files - RECYCLER - System Volume - WINNT Information - ADMIN$ - system32Information found on port iad1 (1030/tcp) • Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Here is the list of DCE services running on this port: UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1 Endpoint: ncacn_ip_tcp:192.168.199.230[1030] Named pipe : atsvc Win32 service or process : mstask.exe Description : Scheduler service UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1 Endpoint: ncacn_ip_tcp:192.168.199.230[1030] • Solution: filter incoming traffic to this port. • Risk factor: LowInformation found on port iad2 (1031/udp) • Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Here is the list of DCE services running on this port: UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 151 | ACME-Widgets Inc. Penetration Testing Report
  54. 54. Endpoint: ncadg_ip_udp:192.168.199.230[1031] Annotation: Messenger Service Named pipe : ntsvcs Win32 service or process : messenger • Description : Messenger service • Solution: filter incoming traffic to this port. • Risk factor : LowWarning found on port microsoft-ds (445/tcp) • The following local accounts have never changed their password : administrator Guest Smas GORKHALI Kechasolti ser Aman Barcelona Severus.Snape Dumbledore Morpheus hack Nepali ksr • To minimize the risk of break-in, users should change their password regularlyWarning found on port microsoft-ds (445/tcp) • The remote host is running a version of the shlwapi.dll which crashes when processing a malformed HTML form. An attacker may use this flaw to prevent the users of this host from working properly. To exploit this flaw, an attacker would need to send a malformed HTML file to the remote user, either by e-mail or by making him visit a rogue web site. • Solution : None • Risk factor : LowWarning found on port general/icmp • The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time52 | ACME-Widgets Inc. Penetration Testing Report
55. based authentication protocols.
• Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
• Risk factor : Low

Warning found on port microsoft-ds (445/tcp)
• The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means that the remote host locally caches the passwords of the users when they log in, in order to continue to allow the users to log in in the case of the failure of the PDC.
• Solution : use regedt32 and set the value of this key to 0
• Risk factor : Low

Warning found on port microsoft-ds (445/tcp)
• The remote registry can be accessed remotely using the login / password combination used for the SMB tests. Having the registry accessible to the world is not a good thing as it gives extra knowledge to a hacker.
• Solution: Apply service pack 3 if not done already, and set the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg to restrict what can be browsed by non administrators. In addition to this, you should consider filtering incoming packets to this port.
• Risk factor : Low
  CVE : CAN-1999-0562

Warning found on port microsoft-ds (445/tcp)
• The domain SID can be obtained remotely. Its value is : ACME : 5-21--1552363205--155084131--731358600. An attacker can use it to obtain the list of the local users of this host.
• Solution : filter the ports 137 to 139 and 445
56. • Risk factor : Low
  CVE : CVE-2000-1200

6.6 192.168.199.232 Port Scan

Machine: 192.168.199.232
Operating System: Windows 2003 Server / Windows .NET
Security Status : Good

Protocol  Port     Program       Status
Tcp       445      Microsoft-ds  Open
Udp       137      Netbios-ns    Open
Icmp      general                Open
Tcp       139      netbios-ssn   Open
Tcp       5000     Complex-main  Open

High Level Vulnerabilities / Mid Level Vulnerabilities / Low Level Vulnerabilities: counts shown in a figure that is not reproduced here.
Repartition of the level of security problems: chart not reproduced here.
57. Summary
This machine was easily exploitable. One of the larger concerns was that there is a copy of CAIN, a password-cracking program, on this machine, complete with a list of user IDs that we were able to gain access to.

High Level Vulnerabilities Analysis of 192.168.199.232

Vulnerability found on port microsoft-ds (445/tcp)
• Description of Vulnerability: It was possible to log into the remote host using the following login/password combinations :
  administrator/
  administrator/administrator
  guest/
  guest/guest
  It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the guest access.
  o To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$. Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
  The remote host defaults to guest when a user logs in using an invalid login.
  All the smb tests will be done as hpotter/**** in domain HOME
  CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117

Vulnerability found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The remote Windows host has an ASN.1 library which is vulnerable to a flaw which could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that
58. the remote host is not patched.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
• Risk factor : High

Mid Level Vulnerabilities Analysis of Machine 192.168.199.232

Warning found on port netbios-ssn (139/tcp)
• Description of Vulnerability: An rfpoison packet has been sent to the remote host. This packet is supposed to crash the services.exe process, rendering the system unstable. If you see that this attack was successful, have a look at this page : http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
  CVE : CVE-1999-0980

Warning found on port netbios-ns (137/udp)
• Description of Vulnerability: The following 8 NetBIOS names have been gathered :
  HERMIONE = This is the computer name registered for workstation services by a WINS client.
  HOME = Workgroup / Domain name
  HERMIONE = This is the current logged in user registered for this workstation.
  HERMIONE = Computer name
  HOME = Workgroup / Domain name (part of the Browser elections)
  DADDY = This is the current logged in user registered for this workstation.
  HOME
  __MSBROWSE__
• The remote host has the following MAC address on its adapter: 00:02:b3:27:8e:ff
  If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
  CVE : CAN-1999-0621

Warning found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The remote registry can be accessed remotely using the
59. login / password combination used for the SMB tests. Having the registry accessible to the world is not a good thing as it gives extra knowledge to a hacker.
• Solution: Apply service pack 3 if not done already, and set the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg to restrict what can be browsed by non administrators.
• In addition to this, you should consider filtering incoming packets to this port.
• Risk factor : Low
  CVE : CAN-1999-0562

Warning found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The host Security Identifier (SID) can be obtained remotely. Its value is : HERMIONE : 5-21-57989841-152049171-854245398. An attacker can use it to obtain the list of the local users of this host.
• Solution : filter the ports 137-139 and 445
• Risk factor : Low
  CVE : CVE-2000-1200

Warning found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The host SID could be used to enumerate the names of the local users of this host. We only enumerated user names whose ID is between 1000 and 1200 for performance reasons. This gives extra knowledge to an attacker, which is not a good thing :
  Administrator (id 500)
  Guest account name : Guest (id 501)
  HelpAssistant (id 1000)
  HelpServicesGroup (id 1001)
  SUPPORT_388945a0 (id 1002)
  Daddy (id 1003)
  hpotter (id 1006)
  SQLExecutiveCmdExec (id 1007)
  everest1 (id 1008)
  backtrack1 (id 1009)
  services (id 1010)
  admn (id 1011)
60. admin (id 1012)
  ksr (id 1013)
• Risk factor : Medium
• Solution : filter incoming connections to this port
  CVE : CVE-2000-1200

Warning found on port general/icmp
• Description of Vulnerability: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
• Solution: filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
• Risk factor : Low
  CVE : CAN-1999-0524

Warning found on port general/tcp
• Description of Vulnerability: The remote host accepts loose source routed IP packets. The feature was designed for testing purposes. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself.
• Solution: drop source routed packets on this host or on other ingress routers or firewalls.
• Risk factor : Low

Low Level Vulnerabilities Analysis of Machine 192.168.199.232

Information found on port netbios-ssn (139/tcp)
• An SMB server is running on this port
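The CachedLogonsCount and remote-registry findings above each come with a registry remediation. As an added example that is not part of the original report, the following PowerShell audits both settings on a Windows host and reports what to change; it assumes a modern PowerShell (5+) on the host being checked, and the Remote Registry service check is an addition of this example, not a recommendation from the scanner output.

```powershell
# Added example, not part of the original report: read-only audit of the two registry
# findings (CachedLogonsCount and the winreg key ACL). Run elevated on the host itself.
function Test-RegistryFindings {
    $results = @()

    # Finding 1: CachedLogonsCount. The report recommends 0; Windows defaults to 10.
    # The value is stored as REG_SZ, so it is read back as a string.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $results += [pscustomobject]@{
        Check     = 'CachedLogonsCount is 0'
        Observed  = if ($null -eq $cached) { 'not set (defaults to 10)' } else { $cached }
        Compliant = ([string]$cached -eq '0')
        Fix       = "Set-ItemProperty -Path '$winlogon' -Name CachedLogonsCount -Value '0'"
    }

    # Finding 2: remote registry access. The ACL on the winreg key decides who may open the
    # registry over the network; an Allow ACE for a non-administrative principal widens it.
    # Principals treated as acceptable here are an assumption of this example.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
               'NT AUTHORITY\LOCAL SERVICE', 'BUILTIN\Backup Operators'
    if (Test-Path -Path $winreg) {
        $extra = (Get-Acl -Path $winreg).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.IdentityReference.Value -notin $allowed) }
        $results += [pscustomobject]@{
            Check     = 'winreg key ACL limited to administrative principals'
            Observed  = if ($extra) { $extra.IdentityReference.Value -join ', ' } else { 'no extra principals' }
            Compliant = (-not $extra)
            Fix       = "Remove the listed principals from the ACL of $winreg"
        }
    } else {
        # Without this key Windows applies no restriction to remote registry access.
        $results += [pscustomobject]@{
            Check     = 'winreg key present'
            Observed  = 'missing'
            Compliant = $false
            Fix       = "New-Item -Path '$winreg' -Force, then set its ACL"
        }
    }

    # Added check: where the Remote Registry service is not needed, disabling it
    # closes the exposure regardless of the ACL.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check     = 'Remote Registry service disabled'
        Observed  = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not present' }
        Compliant = (-not $svc) -or ($svc.StartType -eq 'Disabled')
        Fix       = 'Stop-Service RemoteRegistry; Set-Service RemoteRegistry -StartupType Disabled'
    }
    return $results
}

Test-RegistryFindings | Format-Table -AutoSize -Wrap
```

Each row carries the exact command or change needed, so the output doubles as a remediation checklist that can be re-run after the fix to confirm the Compliant column.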
61. Conclusion
After reviewing all of the information that we were able to gather, we have determined that a good deal of work needs to be done to protect this system. Some of the more basic steps, such as implementing a password security policy and closing some ports, should be taken, but we feel the bigger risk calls for following the activities of some of the users on the network to be sure that they are not trying to use some of these same vulnerabilities to do damage to your network and your information from the inside. With some simple follow-up and monitoring, we are confident that you will have the network locked down to meet the specifications of your security policy.
62. References
These links were found to be very useful during our reconnaissance and documentation phase:
http://www.offensive-security.com/metasploit-unleashed/Fast-Track-Updates
http://svn.secmaniac.com/fasttrack/fast-track.py
http://support.microsoft.com/?kbid=823980#Win2003
http://www.microsoft.com/technet/security/bulletin/ms05-041.mspx
http://www.kb.cert.org/vuls/id/753212
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.kb.cert.org/vuls/id/568148
http://www.microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en
http://www.cert.org/current/services_ports.html
http://searchenterprisedesktop.techtarget.com/sDefinition/0,,sid192_gci212632,00.html
http://www.speedguide.net/port.php?port=139
http://www.linuxquestions.org/questions/linux-security-4/what-is-microsoft-ds-176826/
http://www.petri.co.il/whats_port_445_in_w2k_xp_2003.htm
63. Penetration Testing Log
These are the unedited logs of testing times and some of the items that were tested. These are provided as a reference against your internal logs to see what on your end may be being detected.

hpotter@bt:~$ sudo -s
[sudo] password for hpotter:
root@bt:~# nano /etc/passwd
64. root@bt:~# nano /etc/shadow
66. root@bt:~# nano /etc/security/access.conf
67. root@bt:~# nmap -O 192.168.199.1-254
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-21 18:34 EDT
Nmap scan report for my.firewall (192.168.199.1)
Host is up (0.0088s latency).
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
53/tcp  filtered domain
80/tcp  open     http
264/tcp open     bgmp
443/tcp open     https
981/tcp open     unknown
MAC Address: 00:08:DA:70:AB:75 (SofaWare Technologies)
68. Device type: firewall
Running: Check Point Linux 2.4.X
OS details: Check Point VPN-1 UTM appliance
Network Distance: 1 hop

Nmap scan report for 192.168.199.24
Host is up (0.27s latency).
All 1000 scanned ports on 192.168.199.24 are closed
MAC Address: 00:0C:29:B9:69:E2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Minix 3.X
OS details: Minix 3.1.2a
Network Distance: 1 hop

Nmap scan report for 192.168.199.70
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 00:0C:29:C7:26:B9 (VMware)
Device type: general purpose
Running: Microsoft Windows NT
OS details: Microsoft Windows NT 4.0 SP5 - SP6a
Network Distance: 1 hop

Nmap scan report for 192.168.199.99
Host is up (0.00016s latency).
