Penetration Test Report


PENETRATION TEST REPORT
G-neric Corp.
Addler Security Consultants
42 Rock Wallaby Way

Blaxland NSW 2774,

Australia

Tel: (02) 9705 0991

Email: [email protected]

Web: addlersecurityconsultants.com
TABLE OF CONTENTS
1. Executive summary
   Summary of results
2. Attack narrative
   Target discovery
   Information gathering
   Attacking the server
3. Conclusion
4. References
Appendix A: Vulnerability detail and mitigation

ASC
Penetration test report

1. EXECUTIVE SUMMARY
Addler Security Consultants (ASC) was contracted by G-neric Corp to conduct a 5-day
penetration test against one server that hosts a web-based list of the company’s contact
information, in order to determine its exposure to a targeted attack. All activities were
conducted in a manner that simulated a malicious actor engaged in a targeted attack against
G-neric Corp with the goals of:
• Testing for the existence of proper, accepted security practices.
• Obtaining access to the server.
• Determining the impact of a security breach on:
o Confidentiality of the company’s private data.
o Internal infrastructure and availability of G-neric Corp’s information systems.
Efforts were focused on the identification and exploitation of security weaknesses that could
allow a remote attacker to gain unauthorized access to organizational data. The attacks
were conducted with the level of access of someone with a device connected to the
internal network. The assessment was conducted under controlled conditions.

Summary of results
To begin this penetration test we obtain the IP address of the target machine by scanning
for active IP addresses on the same network. We then enumerate useful, available information
about the system and its services from the command line, and information about the
organization itself from its website, where we find email addresses that may correspond to
users of the system.
From there we generate a list of possible user names, which we use as both the user list and
the password list of a brute-force tool, crack one password and successfully gain access to the
target through SSH as a user without root privileges.
We then gather information from inside the system and find other users, one of whom belongs
to the “wheel” group, which has root access. We run the brute-force tool once again, this time
with that particular username and an extended list of the most common passwords as input,
and obtain the password of the user with root privileges; with it we successfully gain access to
the target through SSH as a user with root privileges.
Logged in as that user we find, and transfer to our local machine, the file with the hashed
passwords, including the one for the root user. Using a tool for cracking passwords from
hashes we then obtain the password for root and can switch the logged-in user to root.
As root we search for files with confidential data and find, in the FTP directories, an encrypted
file that allegedly contains employee information, which we transfer to our local machine.


After analyzing the file type we have enough information to write a script that decrypts the
file by brute force using OpenSSL, the tool that was used to encrypt it, assuming the password
is the same as the root password: a note in the passwd file says that the root password must
not be changed because doing so would break the FTP encryption. We successfully decrypt
the file and confirm that it contains employee data.
As a final step we fix the vsftpd service (FTP) to obtain another point of access to the folders
where the confidential data we obtained earlier is stored. We get a successful connection and
file transfer using the service and the credentials we previously obtained.


2. ATTACK NARRATIVE

Target discovery
To begin this penetration test we obtain the IP address we are interested in by scanning for
active IP addresses on the same subnet using netdiscover.
This command sends out ARP requests for each IP address in each scanned subnet range in
order to locate active machines. ARP is a network-layer protocol responsible for obtaining
the MAC addresses of connected devices, so if a node responds with a MAC address, a
machine is alive at the requested IP address.
The scan results show 6 machines running; according to the information in the output, our
target is the IP address 192.168.1.100.


Information gathering
Enumeration is defined as the process of extracting usernames, machine names, network
resources, shares and services from a system. In this phase the attacker creates an active
connection to the system and performs directed queries to gain more information about the
target. The gathered information is used to identify vulnerabilities or weak points in the
system’s security.
Enumeration is often considered a critical phase of penetration testing, as its outcome can be
used directly to exploit the system.

Service enumeration
We proceed to scan the active IP addresses from the previous step with Nmap, a utility for
network discovery and security auditing. The objective of this step is to learn which services
are running, their versions, the presence and version of plugins, and any misconfiguration.
The default scan only enumerates services on the 1000 most common ports out of the 65535
total. We discovered 8 open ports.


Now, with a more specific scan, we can obtain more information about those ports. We
provide the following parameters (or flags) to Nmap:
• -sS: SYN scan (the default scan method). Nmap sends a TCP SYN packet to the target address
as if it meant to open a connection; if the target responds with a SYN/ACK packet, the port is
determined to be open.
• -Pn: skips Nmap’s host discovery (pings). With host discovery disabled, Nmap omits the
initial sweep and runs all options against the given IP address range.
• -sV: probes open ports for more information to help identify the service and its version.
• -O: operating system detection.
• -p: targets specific ports in a more intrusive scan. For this command, the ports are listed
after the flag, separated by commas.

The results show:

• The running OS of the targeted machine: Linux 2.6.X
• The MAC address of the targeted machine
• Services (ftp, ssh, smtp, http and pop3) and their probable versions.


To find out more about some ports that are listed as closed, we run another scan, now with
flags that perform additional enumeration on the ports through:
• OS detection (-O) (described above)
• version detection (-sV) (described above)
• script scanning (-sC). Script scanning uses the Nmap Scripting Engine to probe ports for
more information.
• traceroute (--traceroute). It shows the path taken to the target server.

We obtain a little more information, including:

• Public host keys
• The title of the web page on port 80
• Debug information from the mail server on port 25
• An IMAP service on port 143
Port   Service   Version
21     FTP       vsftpd ?
22     SSH       OpenSSH 4.3
25     SMTP      Sendmail 8.13.7
80     HTTP      Apache 2.0.55 + PHP 5.1.2
110    POP3      Openwall popa3d ?


Website enumeration (emails, users, and other info)

Sometimes information is hidden in plain sight: publishing this contact information on the
index page may have seemed harmless and useful, but it amounts to a collection of user
names and possible credentials that can be used to gain unauthorized access.

Collected emails: 10 addresses from the contact page (each appears as [email protected]
in this copy).

Top 10 common passwords:
123456, 123456789, qwerty, password, 111111, 12345678, abc123, 1234567, password1, 12345

Possible passwords according to users:
webmaster, postmaster, admin, administrator, guest, root,
marym, mmary, mary,
patrickp, ppatrick, patrick,
thompsont, tthompson, thompson,
benedictb, bbenedict, benedict,
genniege, egennieg, gennieg,
michaelp, pmichael, michael,
longe, elong, long,
adamsa, aadams, adams,
banterb, bbanter, banter,
coffeec, ccoffee, coffee
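A defensive counterpart to the lists above, added here as an example and not part of the original report: a password-policy check that rejects exactly the candidates an attacker would build from the contact page. The top-10 list is the one above; the name-variant patterns, the 12-character minimum and the example names are assumptions of this snippet.

```python
import re

# Constructed for this example: the report's top-10 list. A real deployment
# would load a far larger breached-password list.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
}
MIN_LENGTH = 12  # assumed policy minimum

# Leetspeak and symbol substitutions are undone before comparing with names.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

def name_variants(username, first, last):
    """Tokens an attacker would derive from a person's name, following the
    patterns in the table above (adamsa, aadams, adams, ...)."""
    f, l = first.lower(), last.lower()
    variants = {username.lower(), f, l, f + l, l + f,
                f[:1] + l, l + f[:1], f + l[:1], l[:1] + f}
    return {v for v in variants if len(v) >= 3}

def normalize(password):
    """Lower-case, undo substitutions and drop non-letters so that 'Ad4ms!'
    still collides with 'adams'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(_LEET))

def check_password(password, username, first="", last=""):
    """Return the list of policy violations (empty means the password passes)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(password)
    for v in sorted(name_variants(username, first, last)):
        if len(core) >= 3 and (v in core or core in v):
            problems.append(f"derived from account name ({v})")
            break
    return problems

if __name__ == "__main__":
    # Example names are invented; the report's contact list is redacted here.
    for pw, user, first, last in [("bbanter", "bbanter", "B", "Banter"),
                                  ("Ad4ms!2003", "aadams", "A", "Adams"),
                                  ("correct-horse-battery-staple", "aadams", "A", "Adams")]:
        print(user, pw, "->", check_password(pw, user, first, last) or "ok")
```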


Attacking the server

1. Gaining access to the target (SSH) -> user bbanter with Hydra
Now that we have some information about the services, we look for usable exploits against
the identified versions of those services.
Using the Metasploit console we searched for exploits for SSH and found some useful ones.

We now opt to try to gain access to SSH by brute force using Hydra. This tool lets us test
many possible usernames and passwords as well.
We use the following flags:
• -L to select a file with possible users
• -P to select a file with possible passwords
• 192.168.1.100 – the target IP address
• ssh – the target protocol


Now that we have found a valid pair of credentials for the user bbanter, we gain access through SSH.

We’re in!
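The brute force described in this step leaves a distinctive trace in the server’s authentication log. The detection logic below is added as an example and is not part of the original report: it parses syslog-style sshd lines (constructed sample data; 192.168.1.50 is an invented source address and the hostname “gneric” is assumed), raises an alert when one source accumulates a burst of failed logins, and a higher-severity alert when that same source then authenticates successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd lines, e.g.
#   Mar 10 14:02:01 gneric sshd[2001]: Failed password for invalid user admin from 192.168.1.50 port 41002 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_line(line, year=2020):
    """Parse one sshd log line; syslog omits the year, so it is supplied."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(lines, threshold=8, window_s=60):
    """Return (ip, kind, detail) alerts. 'burst' fires once when at least
    `threshold` failed logins from one source fall within `window_s` seconds;
    'success_after_burst' fires when that same source later authenticates."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    targets = defaultdict(set)    # ip -> account names tried
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            targets[ip].add(ev["user"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst", f"{len(q)} failures in {window_s}s "
                               f"against {len(targets[ip])} accounts"))
        elif ip in flagged:
            alerts.append((ip, "success_after_burst", f"login as {ev['user']}"))
    return alerts

# Constructed sample: a Hydra-style spray from 192.168.1.50 (an invented
# source address) that ends with a successful login, plus one ordinary user
# who mistypes a password once and then logs in normally.
_SPRAY = ["webmaster", "postmaster", "admin", "guest",
          "aadams", "bbanter", "ccoffee", "mmary", "ppatrick", "tthompson"]
SAMPLE_LOG = [
    f"Mar 10 14:02:{s:02d} gneric sshd[{2000 + s}]: Failed password for "
    f"{'' if u in ('aadams', 'bbanter', 'ccoffee') else 'invalid user '}{u} "
    f"from 192.168.1.50 port {41000 + s} ssh2"
    for s, u in enumerate(_SPRAY)
] + [
    "Mar 10 14:02:15 gneric sshd[2099]: Accepted password for bbanter from 192.168.1.50 port 41099 ssh2",
    "Mar 10 14:05:30 gneric sshd[2150]: Failed password for aadams from 192.168.1.20 port 50321 ssh2",
    "Mar 10 14:05:41 gneric sshd[2151]: Accepted password for aadams from 192.168.1.20 port 50322 ssh2",
]

def run_sample():
    return detect_bruteforce(SAMPLE_LOG)

if __name__ == "__main__":
    for ip, kind, detail in run_sample():
        print(f"{ip} {kind}: {detail}")
```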


2. Inside-target enumeration

a. Kernel version
Once we are in the server we retrieve the kernel information, which is useful when choosing
an exploit.

b. Processes run by root

Another thing we can do to obtain information about the server is to look at the running
processes and filter the ones being executed by root.


c. Open ports and services

Now we list the active connections to find a port that could serve as a target for exploitation.

d. Users and groups

The next step is to review the passwd file to look for other users whose accounts we could
access. We get the full list of users with their IDs and groups.

We then review the group file to look for other users to access and to learn more about the
groups and the permissions they have.


We see there are 8 groups that have root permissions.

The user we are using does not have root privileges and belongs to the users group;
nevertheless, the user Addams is part of the wheel group, which does have root privileges.

3. Gaining access to the target (SSH) -> user addams

With that information we start a brute-force attack to guess the password of the user Addams
and open an SSH connection. Hydra has a parameter (-t) to indicate how many parallel tasks
to execute; currently it accepts values from 1 to 64.

It worked! Now we have access to an account with root privileges.

We established an SSH session as the user Addams:


4. Inside-target enumeration

a. Privileges check -> Addams has sudo access
We then confirmed which commands we are allowed to run as Addams: we have sudo
(administrator) access.

b. Password hash acquisition and transfer

We successfully access the /etc/shadow file:

There it is! The password policy rules and the hashes of the passwords of the system’s users.
NOTE: Hashes are the output of a hashing algorithm, which aims to produce a unique,
fixed-length string, called a “hash” or “hash value”, for a piece of data, in this case
passwords. A hashing function is characterized by not being reversible.
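Steps 2d and 4b above walk through /etc/passwd, /etc/group and /etc/shadow by hand. The audit below, added as an example and not the report’s own tooling, does the same from the defender’s side on constructed copies of those files: it flags non-record lines left in passwd (such as the note about the root password), non-root members of root-equivalent groups, and login-capable accounts whose hashes use a legacy crypt algorithm. The group names in PRIVILEGED_GROUPS and the sample file contents are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample files modelled on what the report describes (a wheel
# member, a note left inside passwd, old-style hashes). Not the real server's
# files; the hash fields are dummy strings that only imitate each algorithm's
# prefix and length.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# NOTE: the root password must not change, the FTP encryption depends on it
ftp:x:14:50::/home/ftp:/bin/false
aadams:x:1000:100::/home/aadams:/bin/bash
bbanter:x:1001:100::/home/bbanter:/bin/bash
ccoffee:x:1002:100::/home/ccoffee:/bin/bash
"""
GROUP = """\
root:x:0:root
wheel:x:10:root,aadams
users:x:100:
ftp:x:50:
"""
SHADOW = """\
root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:18000:0:99999:7:::
aadams:$1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD:18000:0:99999:7:::
bbanter:$6$EEEEEEEEEEEEEEEE$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:18000:0:99999:7:::
ccoffee:$1$GGGGGGGG$HHHHHHHHHHHHHHHHHHHHHH:18000:0:99999:7:::
ftp:*:18000:0:99999:7:::
"""

# Assumption: membership in these groups is root-equivalent on this host.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
WEAK_HASHES = {"md5crypt", "descrypt", "unknown"}

def hash_algorithm(field):
    """Classify a shadow hash field by its crypt(3) prefix."""
    if field == "" or field.startswith(("!", "*")):
        return "locked/none"
    prefixes = {"$y$": "yescrypt", "$7$": "scrypt", "$6$": "sha512crypt",
                "$5$": "sha256crypt", "$2": "bcrypt", "$1$": "md5crypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"

def audit(passwd_txt, group_txt, shadow_txt):
    """Return (subject, finding) pairs for the three account files."""
    findings, users = [], {}
    for n, line in enumerate(passwd_txt.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7:  # comments or stray text do not belong in passwd
            findings.append(("passwd", f"line {n} is not a 7-field record: {line!r}"))
            continue
        users[f[0]] = {"uid": int(f[2]), "gid": f[3], "shell": f[6]}
    groups_of = defaultdict(set)  # user -> group names (primary + supplementary)
    for line in group_txt.splitlines():
        g = line.split(":")
        if len(g) != 4:
            continue
        listed = {m for m in g[3].split(",") if m}
        for u, info in users.items():
            if info["gid"] == g[2] or u in listed:
                groups_of[u].add(g[0])
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_txt.splitlines() if ":" in l}
    for name, info in users.items():
        if info["uid"] == 0 and name != "root":
            findings.append((name, "additional uid 0 account"))
        priv = sorted(groups_of[name] & PRIVILEGED_GROUPS)
        if priv and info["uid"] != 0:
            findings.append((name, f"member of privileged group(s) {priv}"))
        alg = hash_algorithm(shadow.get(name, ""))
        if alg in WEAK_HASHES and info["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, f"weak password hash ({alg})"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(PASSWD, GROUP, SHADOW):
        print(f"{subject}: {finding}")
```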


5. Cracking the passwords of users and root

We store the hashed passwords for root, Addams, bbanter and ccoffee in a file called
hashes.txt on our local machine. We are mainly interested in obtaining the password for root.

We then use a tool called John the Ripper, a fast password cracker. In the next command we
call the tool and specify a few things:
• the “single” mode, which uses a simple rule set to guess the password;
• a “pot” file, which stores the cracked passwords together with their hashes;
• the input file, hashes.txt, which contains the hashed passwords we collected in the
previous step.

With this command we only obtain the password for bbanter, so we try a more powerful set
of parameters by adding a wordlist.


This time we obtain the passwords for aadams, ccoffee and root:

root      tarot
aadams    nostradamus
ccoffee   hierophant
bbanter   bbanter

6. Gaining access to the target as root (SSH)

Remote connections through SSH are usually configured to deny logins as root, but we need
to test it.

As expected, we cannot log in as root through SSH. But we can log in as addams, the user
that has root privileges, and once we are in, switch user.

Now we have access as root.


7. Inside-target enumeration

a. List the contents of the users’ (and root’s) home directories
Inside the aadams and root home directories we search for files that might contain
confidential data and find an encrypted file called “salary_dec2003.cvs.enc”.

b. Transfer the confidential file

On our local machine we prepare a “listener” to receive the file directly from the
compromised G-neric Corp server.

We then send the file from the compromised server.

We successfully receive the file on our local machine.


8. Decrypting the stolen file

a. Analyzing the file type and string head
With the next commands we find out that the file was encrypted with OpenSSL using a salted
password.
NOTE: OpenSSL is a full-featured toolkit for the Transport Layer Security (TLS) and Secure
Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
A “salt” is random data used as an additional input to a one-way function that hashes a
password, making the result more secure and harder to crack.

b. Script for decrypting by brute force

When we displayed the /etc/passwd file, we noticed this particular sentence.

It says that the root password should not be changed because it would break the FTP
encryption, and the encrypted file we took from the server belongs to the FTP files; therefore
we have reason to believe that the password for the confidential cvs file is the root password,
“tarot”, but we still do not know which encryption algorithm was used.
Under these circumstances a brute-force approach is likely to give good results, so we create
a simple script that tries all the algorithms OpenSSL can use to encrypt; when we execute the
script we provide as parameters the candidate password, the encrypted file path and a folder
in which to store the results.

After executing it, a single file with the decrypted cvs file, full of employees’ personal data,
is written to the results folder.

c. Display of the decrypted file

These are the columns that the confidential file contained:


9. Fixing FTP to gain access to its folders

In the information-gathering phase we found that the FTP service was not working properly
when accessed from outside the server, so now that we have root access we can try to fix it
and obtain another way of accessing the confidential files without authorization.
a. Confirm that vsftpd exists on the server

b. Fix 1: Change the configuration file

After some research into the error displayed by Nmap earlier, we believe it can be fixed by
changing the listen parameter in vsftpd.conf from “yes” to “no”, so that it does not run in
standalone mode. Now we can log in to the FTP service, but we cannot list the files.

c. Fix 2: Add a module to the kernel

After some research into the error displayed at login, we conclude that a kernel module needs
to be loaded on the server; this is done with a very simple command run as root.


d. Successful connection and file transfer

With the previous fixes it is now possible to access the server directly through FTP and get all
the files uploaded to it, such as the encrypted one we took earlier by other means.


3. CONCLUSION
G-neric Corp suffered a series of control failures, which led to a complete compromise of
critical company assets. These failures would have had a dramatic effect on G-neric Corp’s
confidentiality if a malicious party had exploited them. Current policies concerning password
reuse and the deployed access controls are not adequate to mitigate the impact of the
discovered vulnerabilities.
The specific goals of the penetration test were stated as:
• Testing for the existence of proper, accepted security practices.
• Obtaining access to the server.
• Determining the impact of a security breach on:
o Confidentiality of the company’s private data.
o Internal infrastructure and availability of G-neric Corp’s information systems.
These goals were met. A targeted attack against G-neric Corp can result in a complete
compromise of the tested asset. Multiple issues that would typically be considered minor were
leveraged in concert, resulting in a total compromise of G-neric Corp’s information system. It
is important to note that the unauthorized access with administrative privileges can be
attributed largely to insufficient access controls and a weak password policy at both the
network boundary and host levels. Appropriate efforts should be undertaken to introduce
best security practices to protect access to the host and the network.
Recommendations
Due to the impact on the overall organization uncovered by this penetration test, appropriate
resources should be allocated to ensure that remediation efforts are accomplished in a timely
manner. While a comprehensive list of items that should be implemented is beyond the scope
of this engagement, some high-level items are important to mention.
Addler Security Consultants recommends the following:
1. Ensure that strong credentials are used everywhere in the organization. The
compromise of the G-neric Corp system was drastically impacted by the use of weak
passwords as well as the reuse of passwords across systems of differing security
levels.
2. Establish trust boundaries. Create logical boundaries of trust where appropriate on
the internal network. Each logical trust segment should be able to be compromised
without the breach easily cascading to other segments.
3. Implement a patch management program. Operating a consistent patch
management program is an important component in maintaining a good security
posture. This will help to limit the attack surface that results from running unpatched
internal services.
4. Conduct regular vulnerability assessments. As part of an effective organizational
risk management strategy, vulnerability assessments should be conducted on a
regular basis. Doing so will allow the organization to determine whether the installed
security controls are properly installed, operating as intended, and producing the
desired outcome.
Risk Rating
The overall risk identified to G-neric Corp as a result of the penetration test is Medium,
considering the criticality of this server and the scope of this penetration test. It is
reasonable to believe that a malicious entity would be able to successfully execute a
targeted attack against this G-neric Corp server if the attacker gets into the internal network
(by any means).


4. REFERENCES
Greycampus. (2020). Retrieved 17 February 2020, from
https://www.greycampus.com/opencampus/ethical-hacking/enumeration-and-its-types
Chapter 15. Nmap Reference Guide | Nmap Network Scanning. (2020). Retrieved 17 February
2020, from https://nmap.org/book/man.html
De-ICE S1.100 (Level 1) - A Beginners Guide - Things all the hacking. (2020). Retrieved 17
February 2020, from
http://blog.nullmode.com/blog/2013/11/01/de-ice-s1-dot-100-level-1-a-beginners-guide/
Technical Guide to Information Security Testing and Assessment. (2020). Retrieved 10 May
2020, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Dosal, E. (2020). Top 9 Cybersecurity Threats and Vulnerabilities. Retrieved 9 May 2020,
from https://www.compuquip.com/blog/top-5-cybersecurity-threats-and-vulnerabilities
Understanding /etc/passwd File Format - nixCraft. (2020). Retrieved 9 May 2020, from
https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/
Ficheros de usuarios /etc/passwd y /etc/shadow. (2020). Retrieved 10 May 2020, from
http://www.nexolinux.com/ficheros-de-usuarios-etcpasswd-y-etcshadow/
Arias, D. (2020). Adding Salt to Hashing: A Better Way to Store Passwords. Retrieved 10 May
2020, from https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
(2020). Retrieved 10 May 2020, from
https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf


APPENDIX A: VULNERABILITY DETAIL AND MITIGATION
Risk rating scale
In accordance with NIST SP 800-30, exploited vulnerabilities are ranked based upon
likelihood and impact to determine overall risk.
Default or Weak credentials
Rating: High
Description:
Many internally exposed administrative interfaces are only protected with a weak
password.
Impact:
Using common enumeration and brute-forcing techniques, it is possible to retrieve
the administrative password for the server and the FTP service and other user level
passwords for the system. Due to the lack of any additional authentication
mechanisms, it is also possible to retrieve all user password hashes in the system.
Remediation:
Ensure that all administrative interfaces are protected with complex passwords or
passphrases. Avoid use of common or business-related words (or related with the
usernames), which could be found or easily constructed with the help of a dictionary.
Password reuse
Rating: High
Description:
G-neric Corp user “root” was found to be reusing credentials for the FTP server.
Impact:
Password reuse in general is a practice which should be highly discouraged and
prevented to the extent possible. In this case, the reuse of the password was
commented on a file. This compromise potentially allows a substantial increase in the
attack surface.
Remediation:
Update the password management policies to enforce the use of strong, unique
passwords for all disparate services. The use of password managers should be
encouraged to make it easier for employees to use unique passwords across the
various systems.


Patch management
Rating: High
Description:
G-neric Corp’s internal server contains unpatched system software and applications.
Impact:
A combination of weak authentication and unpatched hosts, which contain known
vulnerabilities with publicly available exploits, allows an attacker to gain unauthorized
access to the tested G-neric Corp asset. Specifically, the installed OpenSSH version has 17
listed vulnerabilities in the CVE security vulnerability data source. It is vulnerable to denial
of service by different means and at different levels of required access. This appears to
be an indication of an insufficient patch management policy and implementation.
Remediation:
All corporate assets should be kept current with the latest vendor-supplied security
patches. This can be achieved with vendor-native tools or third-party applications, which
can provide an overview of all missing patches. In many instances, third-party tools can
also be used for patch deployment throughout a heterogeneous environment.
