Penetration Testing Report

 

Document Details

Title:         Penetration Testing
Completed On:  October 20, 2022
Report Type:   Manual Scan
Validity:      30 Days

Contents

 1. Executive Summary

 2. Method

 3. Penetration Test

 4. List of Tests Performed

 5. List of Vulnerabilities

 6. Recommendations & Conclusion 

1. Executive Summary

"Sentinal Industries" enlisted the help of "CyberOps" Security to conduct a full penetration test to identify system flaws and vulnerabilities. The purpose of this assessment was to point out security loopholes, business logic errors, vulnerabilities and missing security best practices. The tests were carried out assuming the identity of an attacker or a malicious user, but no harm was done to the functionality or operation of the network. The security assessment covered loopholes across the scope of the whole company network, treated as one working unit. Nothing was assumed at the start of the security assessment. A real-life attack scenario was simulated at Sentinal Industries. The penetration testing team was divided into three sections: red, blue and purple. The main goal of the penetration test was to see how effective the existing defensive mechanisms were against attackers.

2. Method

Sentinal Industries decided to conduct a penetration test in order to assess the effectiveness of their security measures and to investigate the potential ramifications of any vulnerable position. The process was delegated to "CyberOps", a firm that specializes in such VAPTs. The complete process was carried out by three teams: blue, red and purple. The Red team conducted assessments of both the internal and external networks and applications. From the company's end, the Blue team analyzed the attacks and the plans behind them. The Purple team evaluated the penetration testing process by analyzing the effectiveness of the defensive tactics and controls proposed by the Blue team to protect against the vulnerabilities found by the Red team.

3. Penetration Test

Footprinting and Reconnaissance

Footprinting is a technique used in the reconnaissance phase to obtain information about a target computer system or network. Footprinting can be either passive or active. Reviewing a company's website is an example of passive footprinting, whereas attempting to obtain sensitive information through social engineering is an example of active information gathering. Footprinting is the initial step in the hacking process, in which the attacker gathers as much information as possible in order to uncover ways to break into a target system, or at the very least to determine which kinds of attacks are most appropriate for the target.

Information Gathering Using Nmap Scan

Nmap is an open-source tool used by penetration testers to detect open ports on a network, as well as the services and versions that are running on each port.

Run the nmap command in the terminal to check whether Nmap is installed on Kali.

If it is not installed, install it with sudo apt install nmap.

To see the available options, use nmap --help.

Once you have the IP address of the host machine, you can scan it.

As the first step, to find the network the target machine is on, type the ifconfig command on the attack machine and note its IP address.

Next, run a network scan with Nmap to find the hosts that are connected to the local area network.

The red team then ran a port scan of a discovered host in order to learn more about it. From this scan, the red team was able to extract the hostname, the port status, the installed services and the version of each service.

In this step, a port scan was performed against the other host previously found on the local area network, again using Nmap, to identify the services on its ports and their versions.

Using the Angry IP Scanner to Scan the Network

The red team used the open-source Angry IP Scanner tool to locate live host systems and verify the results of the Nmap scan. The Angry IP scanner was also used to discover the Web Interfaces of two discovered host systems.

The service found earlier on port 21 has a known vulnerability. To find the details of that vulnerability, look up the detected version with the searchsploit tool.

Next, start the Metasploit framework. The Metasploit framework is a collection of tools for exploiting known vulnerabilities.

Then check whether the vulnerability found is in the Metasploit database by searching for that service version with the search command.

When you find the module that exploits the vulnerability from the previous step, copy its path and load it with the use command.

Once inside the module, run the show options command to see the data it needs. Most options are already filled in, but the RHOST option is left empty; enter the IP address of the target host in that field. Running show options again should now display the IP address in the field that was empty before.

After setting the target IP address, all that remains is to run the exploit command. When the module succeeds and the uname output is returned, you can see which host you are on and a few details about it, confirming that you have access to that host.

The Nessus scanner can also be used to identify and describe this vulnerability.

At the same time, the OS details of the Metasploitable2 system are already known, so log in to Nessus and scan Metasploitable2 for about five to ten minutes. The great thing about Nessus is that it categorizes each vulnerability: some are critical, some are high or medium, and some are merely informational. Clicking on the "vsftpd smiley face backdoor" entry shows Nessus's description of the vulnerability: an unauthenticated remote attacker could exploit it to execute arbitrary code on the host, and a solution is listed alongside it.

The Nmap version scan also showed that a Telnet service is running. This Telnet connection is vulnerable: the account password is not encrypted in transit.

Vulnerable Telnet Connection

When they ran an Nmap scan of the system's ports, the red team discovered another vulnerability that needed to be addressed: Telnet was still in use on port 23 for remote connections by other users.

They then used the Wireshark tool to capture the Telnet packets being sent from their computer to Sentinal Industries' machine, intercepting the traffic on the network.

An attacker can now read the user's username and password with very little effort. To do so, right-click on a Telnet packet and choose Follow, then TCP Stream from the menu. Wireshark displays the full session that was exchanged, including the username and password, both in plain text.
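As an added defensive check (not part of the CyberOps report or its tooling), the following Python script parses Nmap grepable (-oG) output such as the scans described in the Information Gathering section and flags the two findings this report surfaces: services that carry credentials in cleartext (FTP on port 21 and the Telnet service on port 23 described above) and a backdoored FTP version. The sample scan output, the host addresses and the vsftpd version string are constructed assumptions; the report itself does not state the version.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; hosts and versions are assumptions.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.2.8/\tIgnored State: closed (996)
Host: 192.0.2.11 ()  Status: Up
Host: 192.0.2.11 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)
"""

# Services that send credentials in cleartext, with the mitigation to recommend.
CLEARTEXT_SERVICES = {"ftp": "use SFTP or FTPS", "telnet": "replace with SSH"}
# Assumed list of backdoored versions (vsftpd 2.3.4 is the Metasploitable2 FTP daemon).
KNOWN_BAD_VERSIONS = {"vsftpd 2.3.4": "backdoored release; upgrade vsftpd"}

# Each -oG port entry looks like: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return (host, port, state, service, version) tuples from -oG output."""
    results = []
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, _proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            results.append((host, int(port), state, service, version.strip()))
    return results


def flag_findings(parsed):
    """Apply the report's two rules to parsed scan data; returns (host, port, note) tuples."""
    findings = []
    for host, port, state, service, version in parsed:
        if state != "open":
            continue
        if service in CLEARTEXT_SERVICES:
            findings.append((host, port, f"{service} sends credentials in cleartext; {CLEARTEXT_SERVICES[service]}"))
        for bad, note in KNOWN_BAD_VERSIONS.items():
            if version.startswith(bad):
                findings.append((host, port, f"{version}: {note}"))
    return findings


if __name__ == "__main__":
    for host, port, note in flag_findings(parse_grepable(SAMPLE_NMAP_GREPABLE)):
        print(f"{host}:{port}  {note}")
```

Run a real scan with nmap -sV -oG scan.gnmap and feed the file's contents to parse_grepable to apply the same rules to your own network.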

4. List of Tests Performed

The following lists of tests are indicative and not limited to the ones listed. Most importantly, every test case has multiple sub-test cases, ranging from a few to sometimes 1000+ sub-tests.

Additional test cases will be performed based on factors such as:

1. Technology stack
2. Server-side programming language and front-end frameworks
3. Framework/CMS/APIs
4. Type of application (payment integrations, external integrations)

4.1 OWASP Top 10

For Web Applications

1. SQL Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

For Mobile Applications

1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality

4.2 SANS 25 Software Errors/Tests

1. Improper Restriction of Operations within the Bounds of a Memory Buffer
2. Improper Neutralization of Input During Web Page Generation ('XSS')
3. Improper Input Validation
4. Information Exposure
5. Out-of-bounds Read
6. Improper Neutralization of Special Elements used in an SQL Command (SQLi)
7. Use After Free
8. Integer Overflow or Wraparound
9. Cross-Site Request Forgery (CSRF)
10. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
11. Improper Neutralization of Special Elements used in an OS Command
12. Out-of-bounds Write
13. Improper Authentication
14. NULL Pointer Dereference
15. Incorrect Permission Assignment for Critical Resource
16. Unrestricted Upload of File with Dangerous Type
17. Improper Restriction of XML External Entity Reference
18. Improper Control of Generation of Code ('Code Injection')
19. Uncontrolled Resource Consumption
20. Missing Release of Resource after Effective Lifetime
21. Untrusted Search Path
22. Deserialization of Untrusted Data
23. Improper Certificate Validation
24. Use of Hard-coded Credentials
25. Improper Privilege Management

4.3 Test Cases for Windows

5. List of Vulnerabilities

The graphical representations below, taken from CyberOps' VAPT dashboard, provide an overall summary of the security audit results, including the vulnerabilities discovered, their severity, the respective CVSS score, and other vulnerability details such as impact, detailed PoC, steps to reproduce, affected URLs/network parameters, and recommended fixes.

#   Vulnerability                           Severity   CVSS Score   Status
1   Missing API Security Headers            Low        6            Unsolved
2   Stored Cross-Site Scripting (XSS)       Medium     7            Resolved
3   SQL Injection                           Low        5            Resolved
4   Stack Overflow Vulnerability            High       9            Unsolved
5   Incorrect Constructor Name              Low        6            Unsolved
6   Null Pointer Dereference Vulnerability  Medium     7            Resolved
7   Insecure Input Handling                 Low        5            Unsolved

 

Vulnerability Severity   No. of Vulnerabilities Found
Critical                 0
High                     1
Medium                   2
Low                      4
Recommendations          10

6. Recommendations & Conclusion

As a result of thoroughly investigating and analyzing both the external and internal systems of 'Sentinal Industries', a total of 7 vulnerabilities and threats were discovered. During the threat modeling and vulnerability analysis stages, these were examined in more depth. Of these 7 vulnerabilities, only one is considered high severity and needs immediate fixing. Beyond that, 2 vulnerabilities are of medium threat level and the other 4 are of low threat level. Although the remaining threats are low level, we recommend fixing all of these vulnerabilities in your system immediately, because a small threat is still a threat.

Here are our recommendations on how to fix the vulnerabilities found above:

1. Enable and maintain correct security headers
2. Handle input securely in both client-side and server-side code before it is stored permanently on the web server
3. Use parameterized queries (also known as prepared statements) for all database access
4. Upgrade the contract to a recent version of the Solidity compiler and change to the new constructor declaration
5. Implement address space layout randomization (ASLR)
6. Implement Data Execution Prevention (DEP)
7. Implement Structured Exception Handler Overwrite Protection (SEHOP)
8. Use a language like Java which does not allow null pointer dereference on the system
9. Use safe data handling
10. Practice semantic checks and boundary validation

By implementing our recommended fixes for the vulnerabilities found in the systems of 'Sentinal Industries', we can guarantee that your system can be 99% safe from any form of cyber-attack or threat. We hope that you are satisfied with CyberOps' service, and we hope to do more business with 'Sentinal Industries' in the future.

Stay Informed, Stay Safe!