Penetration Test Report
G-neric Corp.
Addler Security Consultants
42 Rock Wallaby Way
Australia
Email: [email protected]
Web: addlersecurityconsultants.com
TABLE OF CONTENTS
1. Executive summary ............................. 4
Summary of results ............................... 4
2. Attack narrative ................................... 6
Target discovery .................................... 6
Information gathering ............................ 7
Attacking the server............................. 11
3. Conclusion .........................................23
4. References .........................................25
Appendix A: Vulnerability detail and mitigation ............. 26
ASC
Penetration test report
1. EXECUTIVE SUMMARY
Addler Security Consultants (ASC) was contracted by G-neric Corp to conduct a five-day
penetration test of one server that hosts a web-based list of the company's contact
information, in order to determine its exposure to a targeted attack. All activities were
conducted in a manner that simulated a malicious actor engaged in a targeted attack against
G-neric Corp, with the goals of:
• Testing for the existence of proper, accepted security practices.
• Obtaining access to the server.
• Determining the impact of a security breach on:
o Confidentiality of the company’s private data.
o Internal infrastructure and availability of G-neric Corp’s information systems.
Efforts focused on the identification and exploitation of security weaknesses that could
allow a remote attacker to gain unauthorized access to organizational data. The attacks
were conducted with the level of access of someone with a device connected to the
internal network. The assessment was conducted under controlled conditions.
Summary of results
To begin this penetration test we obtain the IP address of the target machine by scanning
for active IP addresses on the same network. We then enumerate useful and available
information about the system and its services from the command line, and about the
organization itself from its website, where we find email addresses that may correspond
to users on the system.
From there we generate a list of possible users, which we use as input for both usernames
and passwords in a brute-force tool, and successfully gain access to the target through
SSH as a user without root privileges.
Then we gather information from inside the system and find other users, one of whom
belongs to the “wheel” group with root access, so we use the brute-force tool once again,
this time providing that particular username and an extended list of the most common
passwords as input. We obtain the password for the user with root privileges and therefore
successfully gain access to the target through SSH as a user with root privileges.
Logged in as a user with root privileges, we find and transfer to our local machine a file
with the hashed passwords, including the one for the root user. Using a tool for cracking
passwords from hashes we then obtain the root password, after which we can switch the
user we are logged in as to root.
As root we search for files with confidential data and find, in the FTP directories, an
encrypted file that allegedly contains employee information, which we transfer to our local
machine.
After analyzing the file type we have enough information to write a script that decrypts the
file by brute force using OpenSSL, the tool that was used to encrypt it, assuming the
password is the same as the root password: a note in the passwd file said that the root
password mustn’t be changed because it would break the FTP encryption. We successfully
decrypt the file and confirm that it contains employee data.
As a final step we fix the vsftpd service (FTP) to obtain another point of access to the folders
where the confidential data we obtained earlier is stored. We get a successful connection and
file transfer using the service and the credentials we previously obtained.
2. ATTACK NARRATIVE
Target discovery
To begin this penetration test we obtain the IP address we are interested in by scanning for
active IP addresses on the same subnet using netdiscover.
This command sends out ARP requests for each IP address in each subnet range that is
scanned to locate active machines. ARP is a network-layer protocol responsible for obtaining
the MAC addresses of connected devices, so if a node responds with a MAC address it means
that a machine is alive at the requested IP address.
The scan results show 6 machines running, but according to the information in the output
our target is IP 192.168.1.100.
Information gathering
Enumeration is defined as the process of extracting usernames, machine names, network
resources, shares and services from a system. In this phase the attacker creates an active
connection to the system and performs directed queries to gain more information about the
target. The gathered information is used to identify vulnerabilities or weak points in the
system’s security.
Enumeration is often considered a critical phase in penetration testing, as its outcome can be
used directly to exploit the system.
Service enumeration
We proceed to scan the active IP addresses from the previous step with Nmap, a utility for
network discovery and security auditing. The objective in this step is to learn which services
are running, their versions, the presence and version of any plugins, and any misconfiguration.
The default scan enumerated the services running on only the 1000 most common ports out of
the 65535 total. We discovered 8 open ports.
Now, with a more specific scan, we can obtain more information about those ports. We provide
the following parameters (or flags) to Nmap:
• -sS: SYN scan (the default scan method). Nmap sends a TCP SYN packet to the target address
as if it meant to open a connection; if the target responds with a SYN/ACK packet, the port
is determined to be open.
• -Pn: skips Nmap’s host discovery (pings). With host discovery disabled, Nmap omits the
initial check and runs all requested options against every address in the given range.
• -sV: probes open ports for more information to help identify the service and its
version.
• -O: operating system detection.
• -p: targets the listed ports in another, more intrusive scan. For this command, the ports
are listed after the flag, separated by commas.
To find out more information about some ports that are listed as closed, we run another scan,
now with flags that perform additional enumeration on the ports through:
• OS detection (-O) (described above)
• version detection (-sV) (described above)
• script scanning (-sC). Script scanning uses the Nmap Scripting Engine to probe ports
for more information.
• traceroute (--traceroute). It shows the path taken to reach the target server.
[Table from the scan output: port 21, FTP, vsftpd, version unknown]
[Table: collected emails; possible passwords derived from the usernames; top 10 common passwords]
Now we opt to try to gain access to SSH by brute force using Hydra. This tool lets us test
many possible usernames and passwords.
We use the following flags:
• -L to select a file with possible users
• -P to select a file with possible passwords
• 192.168.1.100: the target IP address
• ssh: the target protocol
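Added example, not part of the report: a Hydra run like the one above leaves a dense run of "Failed password" entries in sshd's auth.log, which is what a defender should be alerting on. The log lines, host name, addresses and ports below are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines, shaped like what a hydra
# -L/-P run against sshd leaves behind. Host, PIDs and ports are invented.
SAMPLE_LOG = """\
Jan 10 10:15:01 deice sshd[2101]: Failed password for invalid user admin from 192.168.1.50 port 40211 ssh2
Jan 10 10:15:02 deice sshd[2103]: Failed password for bbanter from 192.168.1.50 port 40212 ssh2
Jan 10 10:15:02 deice sshd[2105]: Failed password for invalid user test from 192.168.1.50 port 40213 ssh2
Jan 10 10:15:03 deice sshd[2107]: Failed password for aadams from 192.168.1.50 port 40214 ssh2
Jan 10 10:15:04 deice sshd[2109]: Failed password for bbanter from 192.168.1.50 port 40215 ssh2
Jan 10 10:15:05 deice sshd[2111]: Accepted password for bbanter from 192.168.1.50 port 40216 ssh2
Jan 10 11:02:10 deice sshd[2201]: Failed password for ccoffee from 192.168.1.20 port 51000 ssh2
Jan 10 11:05:00 deice sshd[2203]: Accepted password for ccoffee from 192.168.1.20 port 51001 ssh2
"""
LINE_RE = re.compile(  # "invalid user" appears only when the name is unknown to the host
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2020):
    """Return (timestamp, source_ip, user, result) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Flag each source IP with `threshold` failures inside `window_seconds` and record which accounts it then logged into."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "Failed"]
        for i in range(len(fails) - threshold + 1):  # slide over consecutive failures
            first, last = fails[i][0], fails[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_seconds:
                success = sorted({e[2] for e in evs if e[3] == "Accepted" and e[0] >= first})
                findings[ip] = {"failed": len(fails),
                                "users_tried": sorted({f[2] for f in fails}),
                                "followed_by_success_as": success}
                break
    return findings
```

A success recorded after the burst (here bbanter from the same source) is the signal that the attempt did not merely fail but yielded a working credential.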
Now that we have found a pair of credentials for the user bbanter, we gain access through SSH.
We’re in!
The next step is to review the group file to look for other users to access and to get more
information about the groups and permissions they have.
The user we are using does not have root privileges and belongs to the users group;
nevertheless, the user aadams is part of the wheel group, which does have root
privileges.
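Added example, not part of the report: the manual review of the group file described above can be scripted as a defender's audit of who holds root-equivalent access (UID 0, or membership of wheel by listing or by primary group) and whose shadow hash uses a scheme an offline cracker gets through quickly. The passwd, group and shadow contents are constructed samples that only borrow the report's usernames; the set of acceptable hash prefixes is an assumption.

```python
# Constructed samples in the /etc/passwd, /etc/group and /etc/shadow formats.
# The user names echo the report; every other value is invented.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
aadams:x:1000:100:Adam Adams:/home/aadams:/bin/bash
bbanter:x:1001:100:Bob Banter:/home/bbanter:/bin/bash
ccoffee:x:1002:100:Chuck Coffee:/home/ccoffee:/bin/bash
ftp:x:21:21:ftp:/home/ftp:/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:root,aadams
users:x:100:
ftp:x:21:
"""
SHADOW = """\
root:$1$constructed$notARealHash0000000000:18000:0:99999:7:::
aadams:$1$constructed$notARealHash0000000001:18000:0:99999:7:::
bbanter:$6$constructed$notARealHash0000000002:18000:0:99999:7:::
ccoffee:$1$constructed$notARealHash0000000003:18000:0:99999:7:::
ftp:!:18000:0:99999:7:::
"""

# crypt(3) schemes assumed acceptable; $1$ (MD5-crypt), traditional DES
# (no prefix) and an empty password field are all reported as weak.
STRONG_PREFIXES = ("$5$", "$6$", "$7$", "$y$", "$2b$")
PRIVILEGED_GROUPS = ("wheel", "sudo")

def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]

def is_locked(hash_field):
    return hash_field.startswith(("!", "*"))  # locked or disabled account, not a hash

def audit(passwd_text, group_text, shadow_text):
    """Cross-check the three files: who holds root-equivalent access, and whose
    password hash would fall quickly to an offline cracker such as John."""
    users = {f[0]: {"uid": int(f[2]), "gid": int(f[3])} for f in parse_colon_file(passwd_text)}
    groups = {f[0]: {"gid": int(f[2]), "members": [m for m in f[3].split(",") if m]}
              for f in parse_colon_file(group_text)}
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    privileged = {u for u, info in users.items() if info["uid"] == 0}
    for name, g in groups.items():
        if name in PRIVILEGED_GROUPS:
            privileged.update(g["members"])                                         # listed members
            privileged.update(u for u, i in users.items() if i["gid"] == g["gid"])  # primary group
    weak = sorted(u for u, h in hashes.items() if not is_locked(h) and not h.startswith(STRONG_PREFIXES))
    return {"privileged": sorted(privileged), "weak_hash": weak,
            "privileged_weak": sorted(privileged & set(weak)),
            "locked": sorted(u for u, h in hashes.items() if is_locked(h))}
```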
There it is! The rules for the password policy and the hashes of the passwords of the users of
the system.
NOTE: Hashes are the output of a hashing algorithm that essentially aims to produce a unique,
fixed-length string, called a “hash” or “hash value”, for a piece of data, in this case
passwords. A hashing function is characterized by not being reversible.
Then we proceed to use a tool called John the Ripper, a fast password cracker. In the next
command we call the tool and specify a few things:
• a mode called “single” that uses a simple rule set to guess the password.
• a “pot” file, which stores cracked passwords together with their hashes.
• the input file, called “hashes.txt”, which contains the hashed passwords we collected
in the previous step.
With the previous command we only get the password for bbanter, so we try a more
powerful set of parameters by adding a wordlist.
This time we obtain the passwords for aadams, ccoffee and root:
root tarot
aadams nostradamus
ccoffee hierophant
bbanter bbanter
As we expected, we cannot log in as root through SSH. But we can log in as aadams, the
user that has root privileges, and once we’re in, change user.
It says that the root password shouldn’t be changed because it would break the FTP encryption,
and the encrypted file we took from the server belongs to the FTP files; therefore we have
reason to believe that the password for the confidential CSV file is the root password “tarot”,
but we still don’t know which encryption algorithm was used.
Under these circumstances a brute-force approach is likely to give good results, so we create
a simple script that tries all the algorithms OpenSSL can use to encrypt. When we execute the
script we provide as parameters the candidate password for decryption, the encrypted file
path and a folder to store the results.
After executing it, a single file with the decrypted CSV, full of personal data from employees,
is written to the results folder.
3. CONCLUSION
G-neric Corp suffered a series of control failures, which led to a complete compromise of
critical company assets. These failures would have had a dramatic effect on G-neric Corp
confidentiality if a malicious party had exploited them. Current policies concerning password
reuse and deployed access controls are not adequate to mitigate the impact of the discovered
vulnerabilities.
The specific goals of the penetration test were stated as:
• Testing for the existence of proper, accepted security practices.
• Obtaining access to the server.
• Determining the impact of a security breach on:
o Confidentiality of the company’s private data.
o Internal infrastructure and availability of G-neric Corp’s information systems.
These goals of the penetration test were met. A targeted attack against G-neric Corp can
result in a complete compromise of the tested asset. Multiple issues that would typically be
considered minor were leveraged in concert, resulting in a total compromise of G-neric
Corp’s information system. It is important to note that the unauthorized access with admin
privileges can be attributed largely to insufficient access controls and a weak
password policy at both the network boundary and host levels. Appropriate efforts
should be undertaken to introduce best security practices to protect access to the host
and the network.
Recommendations
Due to the impact to the overall organization as uncovered by this penetration test,
appropriate resources should be allocated to ensure that remediation efforts are
accomplished in a timely manner. While a comprehensive list of items that should be
implemented is beyond the scope of this engagement, some high level items are important
to mention.
Addler Security Consultants recommends the following:
1. Ensure that strong credentials are used everywhere in the organization. The
compromise of the G-neric Corp system was drastically impacted by the use of weak
passwords as well as the reuse of passwords across systems of differing security
levels.
2. Establish trust boundaries. Create logical boundaries of trust where appropriate on
the internal network. Each logical trust segment should be able to be compromised
without the breach easily cascading to other segments.
3. Implement a patch management program: Operating a consistent patch
management program is an important component in maintaining a good security
posture. This will help to limit the attack surface that results from running unpatched
internal services.
4. Conduct regular vulnerability assessments. As part of an effective
organizational risk management strategy, vulnerability assessments should be
conducted on a regular basis. Doing so will allow the organization to determine if
the installed security controls are properly installed, operating as intended, and
producing the desired outcome.
Risk Rating
The overall risk identified to G-neric Corp as a result of the penetration test is Medium,
considering the criticality of this server and the scope of this penetration test. It is reasonable
to believe that a malicious entity would be able to successfully execute an attack against this
G-neric Corp server through targeted attacks if the attacker gets into the internal network
(by any means).
Patch management
Rating: High
Description:
G-neric Corp’s internal server contains unpatched systems and applications.
Impact:
A combination of weak authentication and unpatched hosts, which contain known
vulnerabilities with publicly available exploits, allows an attacker to gain unauthorized
access to the tested G-neric Corp asset. Specifically, the OpenSSH version in use has 17
listed vulnerabilities in the CVE security vulnerability data source. It is vulnerable to denial
of service by different means and with different levels of required access. This appears to
indicate an insufficient patch management policy and implementation.
Remediation:
All corporate assets should be kept current with the latest vendor-supplied security
patches. This can be achieved with vendor-native tools or third-party
applications, which can provide an overview of all missing patches. In many
instances, third-party tools can also be used for patch deployment throughout a
heterogeneous environment.