External Network Penetration Test Report

Transcription

1 External Network Penetration Test Report Jared Doe

2 C O N F I D E N T I A L P a g e 2 Document Information Assessment Information Assessor Kirit Gupta kirit.gupta@rhinosecuritylabs.com (888) Client Acme Company Project Manager Assessment Type Benjamin Caudill Client Jared Doe benjamin.caudill@rhinosecuritylabs.com Contact jared@acmecompany.com (888) External Network Penetration Test Project Number ACM-NPT Report Date Assessment Period Revision History Version Date Author Notes 1.0 October 16, 2015 Kirit Gupta Rough draft 1.1 October 16, 2015 Benjamin Caudill Edits 1.2 October 16, 2015 Kirit Gupta Final Report

3 C O N F I D E N T I A L P a g e 3 1. Executive Summary Rhino Security Labs conducted a network penetration test for Acme Company (Acme Company). This test was performed to assess Acme Company's defensive posture and provide security assistance through proactively identifying vulnerabilities, validating their severity, and providing remediation steps. Rhino Security Labs reviewed the security of Acme Company's infrastructure and has determined a CRITICAL risk of compromise from external attackers, as shown by the presence of multiple serious vulnerabilities. The detailed findings and remediation recommendations for these assessments may be found later in the report. Strategic Recommendations Not all security weaknesses are technical in nature, nor can they all be remediated by security personnel. Companies often have to focus on the root security issues and resolve them at their core. These strategic steps are changes to the operational policy of the organization. Rhino Security Labs recommends the following strategic steps for improving the company's security. 1 Enforce a more secure password policy, and educate users on proper password management. 2 Upgrade all Windows 2003 Servers to 2008 or above. 3 Transition company architecture from cleartext protocols to encrypted versions. 4 Enhance security defenses with additional detection and response capabilities, such as a SIEM 2. Summary Vulnerability Overview Rhino Security Labs performed an external network penetration test for Acme Company (Acme Company) on Scanning is performed to identify vulnerabilities, and manual

4 C O N F I D E N T I A L P a g e 4 testing and validation follows to simulate real-world attack scenarios. The following vulnerabilities were determined to be of highest risk, based on several factors including asset criticality, threat likelihood, and vulnerability severity. Summary An external network penetration test was performed on Acme Company. The following vulnerabilities were found, indicating the overall risk rating of this application is Critical. ID Vulnerability Risk C1 Subdomain takeover Vulnerability Critical Remove the subdomain identifying the server's direct IP address. C2 JBoss Credentials Brute Forced Critical Increase the administrative password complexity, or remove the administrative account if possible. H1 Sensitive Public Information Identified Remove sensitive information on the company from public resources. H2 Nameserver es Recursive Queries Restrict the processing of restrictive queries. H3 Multiple Unpatched Apache Vulnerabilities Update all Apache services and associated modules. H4 Multiple Unpatched PHP Vulnerabilities Update all PHP services and associated modules. H5 Multiple Unpatched OpenSSH Vulnerabilities Regularly patch and update all OpenSSH servers and associated modules. H6 Public Telnet Service Replace Telnet with SSH on all servers.

5 C O N F I D E N T I A L P a g e 5 M1 NTP Clock Variables Information Disclosure Medium Remove NTP from the given systems or apply an ACL that restricts NTP readvar queries from unauthorized clients. M2 Adobe Flash permissive crossdomain.xml policy Medium Edit the crossdomain.xml file, ensuring permissions are restricted to only what s necessary. L1 TCP Sequence Number Approximation Vulnerability Low On Windows systems, install the necessary patches for the given version of Windows. On Linux Systems, enable TCP MD5 signatures. L2 Web Directory is Publicly Browsable Low In the httpd.conf file, disable the Indexes option for the appropriate <Directory> tag by removing it from the Options line. 3. and Methodology Rhino Security Labs used a proprietary methodology to accurately assess the security of Acme Company s networks. This process involves detailed reconnaissance and research into the architecture and environment, performing automated testing for known vulnerabilities, and manually exploiting vulnerabilities for the purpose of detecting security weaknesses in the enterprise. Reconnaissance Information gathering is the first step toward a network penetration test, and provides Rhino Security Labs with crucial data to accurately and efficiently assess Acme Company s security. Network reconnaissance also includes enumeration to determine what hosts are alive and what

6 C O N F I D E N T I A L P a g e 6 services they are running. Research into these services is then carried out to tailor the test to the discovered systems. Automated Rhino Security Labs used a vulnerability scanner to conduct an automated analysis on Acme Company s network. This scan provides foundation for the full manual assessment, and should be viewed with this detailed report to gain an accurate representation of Acme Company s security posture. Manual Exploitation and Verification Rhino Security s consultants use the results of the vulnerability scan, paired with their expert knowledge and experience, to finally conduct a manual security analysis of the network. The assessors attempt to obtain access to sensitive systems via the published exploits or weaknesses discovered. The detailed results of both the vulnerability scan and the manual testing are shown in the tables below. 4. Constraints The following limitations were placed upon this engagement, as agreed upon with Acme Company: Vulnerabilities which would cause outages or interrupt the client's environment were noted but not validated. Penetration testing was limited to the agreed upon time period, scope, and other additional boundaries set in the contract and service agreement. 5. Research Penetration Notes Rhino Security Labs compiled the following notes during the reconnaissance portion of the web application penetration test. These notes provide the information needed to accurately assess the application and test for vulnerabilities.

7 C O N F I D E N T I A L P a g e 7 Assessment Information Assessment Type Vulnerability Scanner VPN Utilized Number of IP s in scope External Black-box Rapid7 NeXpose / Proprietary Internal Tools None 9 IP Addresses

8 C O N F I D E N T I A L P a g e 8 6. Vulnerability Findings The vulnerabilities below were identified and verified by Rhino Security Labs during the process of this network penetration test for Acme Company. Retesting should be planned following the remediation of these vulnerabilities. Attack Narrative Rhino Security Labs was tasked with performing an external penetration test for Acme Company Industries, an online retailer specializing in the sale of eye care products. This assessment is part of a larger engagement, involving a web application penetration test, social engineering, and an internal penetration test. The consultant assigned to this test began by performing routine reconnaissance and information gathering on the company, mining any useful data which can be used later in the assessment. After a thorough sweep of company websites, document metadata, social media sites and other resources, a cache of sensitive information was identified, including: Internal LDAP-Username Syntax Multiple names and internal LDAP usernames were found in PDF metadata from the corporate website. This is useful because it provides the syntax to create LDAP usernames from known employee names often easy to find. Corporate Syntax Like many organizations, the company names and Addresses were found online in multiple locations. Employee Names - Over 120 Acme employees were found in Linkedin and through other public sources, many of which being high value personnel within the company (IT, Company Executives, etc). Combined with the above syntax, usernames and address were able to be created for each user useful for brute forcing and similar network attacks. Internal Organizational Chart This provided many of the above employee names, and their ranking in the company. Useful for identifying key personnel in IT and other areas.

9 C O N F I D E N T I A L P a g e 9 Using this, we were able to confirm a critical security person was on vacation and response times would be slower useful information to have. DNS enumeration and bruteforcing was also performed on the domain, identifying a total of 46 subdomains. While many of these domains pointed to servers not in scope and should have additional security auditing performed on them (such as dev transfer and shop-dev ), one subdomain (community.acme.com) provided an interesting target. This subdomain pointed to a hosted community site which was no longer being used by acme and could therefore be purchased at the target site essentially hijacking a legitimate company subdomain. With initial information gathering activities completed, port and service scanning on Acme Company s external systems began. The tester encountered telnet and other unencrypted protocols that could be potential threats to the company s online security. During the tester s examination of the ports, port 8080 was identified as being open on one system and confirmed as an old JBoss version (4.0.4), hosting Java applets for Acme Company s online store. After further enumeration of the system, the tester confirmed that the JMX Console (the administrative console to JBoss) required a password. Using the previous list of employee names (specifically, those in IT and dev departments) and the LDAP syntax, a list of 18 possible LDAP usernames were created for brute forcing. A custom dictionary was created using employee names, industry and technology terms, and other words from the company website.

10 C O N F I D E N T I A L P a g e 10 Using this highly-targeted brute force, a valid username and password were confirmed MAnthony acmedev1. Rhino Security consultants gained access to the administrative console and began exploitation. From here, the tester engaged the system, uploading a malicious WAR file (Java Applet) and created a backdoor to the system, allowing initial access to the system although with limited privileges. Using this foothold, the tester quickly identified the operating system as Windows 2003, uploaded a local exploit, and escalated to system level privileges. With these privileges, the tester was able to dump the local system hashes. After inserting these hashes into Rhino Security Labs password cracking box, 95% were cracked within just a few hours, and provided access to additional publically-accessible services. Upon further enumeration of the system, it was identified as being connected to the internal network, and thus could be used as a pivot onto internal resources a total breach of perimeter systems and the primary objective for the assessment, as outlined by the client.

11 C O N F I D E N T I A L P a g e 11 External Network Details Exploited Vulnerabilities The vulnerabilities listed in the tables below were exploited by Rhino Security Labs during the course of the assessment. Evidence of the exploit is provided, along with recommended remediation steps to correct these vulnerabilities. Subdomain Takeover Vulnerability Report ID C1 Risk Critical IP(s) Critical During the subdomain enumeration process, a CNAME record was found pointing to a hosted community site (ning.com) no longer being used. Since the DNS record is still in place, it can be purchased/registered on the community hosting site and seized by an unauthorized user. Remove the affected CNAME record which is no longer being used. This issue was identified by first enumerating subdomains, which were then tied to specific DNS records and IP addresses. The given CNAME record was identified as pointing to a forum site which is no longer being utilized by the company. JBoss Credentials Brute Forced Report ID C2 Risk Critical IP(s) Critical

12 C O N F I D E N T I A L P a g e 12 The administrative credentials for a publicly facing JBoss server are easily bruteforced (admin::admin). See the above narrative for more details. Increase the administrative password complexity, remove the administrative account if possible, and remove public access to JMX Console if possible. See above narrative manually tested. Sensitive Public Information Identified Report ID H1 Risk IP(s) N/A Critical A number of major sources of sensitive information were publically identified, eventually being leveraged in a targeted brute-force against public resources. Remove sensitive information on the company from public resources, including social media and the corporate website. Sources such as Linkedin, Twitter, and multiple company websites were scraped for information, as well as documents mined for metadata. See above narrative for additional details.

13 C O N F I D E N T I A L P a g e 13 Notable Vulnerabilities The following vulnerabilities were not exploited by Rhino Security Labs. However, they still represent a risk to ACME s network security. Nameserver es Recursive Queries Report ID H2 Risk IP(s) Allowing nameservers to process recursive queries coming from any system may, in certain situations, help attackers conduct denial of service or cache poisoning attacks. Restrict the processing of recursive queries to only systems that should be allowed to use this nameserver. NSE (Nmap Scripting Engine) was used to test for Recursive DNS queries with a given list of domains. Multiple Unpatched Apache Vulnerabilities Report ID H3 Risk App(s) Multiple Apache HTTPD vulnerabilities were found on the external network.

14 C O N F I D E N T I A L P a g e 14 Update all Apache services and associated modules to the newest version available, and ensure appropriate patch management policies are in place. Using a port scanner, ports 80 and 443 were tested to verify the Apache version and associated vulnerabilities. Multiple Unpatched PHP Vulnerabilities Report ID H4 Risk App(s) Multiple Unpatched PHP Vulnerabilities were found on the external network. Update all PHP services and associated modules (such as Apache) to the newest version available, and ensure appropriate patch management policies are in place. Using port scanners and version detection tools, the web server was tested for its version of Apache, which was correlated to a corresponding version of PHP. Multiple Unpatched OpenSSH Vulnerabilities Report ID H5 Risk App(s) Multiple OpenSSH vulnerabilities, which compromises the confidentiality, integrity, and availability of SSH services.

15 C O N F I D E N T I A L P a g e 15 Ensure all OpenSSH servers remain up-to-date by regularly patching OpenSSH and associated modules. A port scanner and version-detection tools were used to verify service versions and vulnerabilities. Public Telnet Service Report ID H6 Risk App(s) Public telnet services were found on the external network. For command-line access, disable telnet and replace with SSH, which utilizes encrypted sessions. Using a telnet client, port-23 was checked to verify telnet connectivity. Minor Vulnerabilities The following vulnerabilities are of lower risk to the environment NTP Clock Variables Information Disclosure Report ID M1 Risk Medium App(s) Medium Critical This system allows the internal NTP variables to be queried. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers and more.

16 C O N F I D E N T I A L P a g e 16 Remove NTP from the given systems or apply an ACL that restricts NTP readvar queries from unauthorized clients. NTP 'readvar' queries are sent to the given NTP server, which then respond with identifying information. Adobe Flash permissive crossdomain.xml policy Report ID M2 Risk Medium App(s) Medium Medium Permissive crossdomain.xml policy files allow external Adobe Flash (SWF) scripts to interact with your website. Depending on how authorization is restricted on your website, this could inadvertently expose data to other domains or allow invocation of functionality across domains. Edit the crossdomain.xml file, ensuring permissions are restricted to only what's necessary. A web browser was used to verify the following HTTP response: '...domain-policy><site-control permitted-cross-domain-policies='all'' TCP Sequence Number Approximation Vulnerability Report ID L1 Risk Low App(s) Low Low

17 C O N F I D E N T I A L P a g e 17 Certain conditions make it easier for remote attackers to cause denial-of-service (DoS) against local users by injecting TCP RST packets and ending current sessions. On Windows systems, install the necessary patches for the given version of Windows. On Linux Systems, enable TCP MD5 signatures to prevent this type of TCP injection attack. Vulnerability was found using a vulnerability scanner. Explicit testing against this vulnerability was not performed due to the results of the attack (Denial of Service). Web Directory is Publicly Browsable Report ID L2 Risk Low App(s) Medium Low A web directory was found to be browsable, which means that anyone can see the entire contents of the web directory. In the httpd.conf file, disable the Indexes option for the appropriate <Directory> tag by removing it from the Options line. View the directories found in the scanner output and verify the vulnerability.

18 C O N F I D E N T I A L P a g e 18 Appendix A: Definitions and Criteria The risk ratings assigned to each vulnerability are determined through averaging several aspects of the exploit and the environment, including reputation, difficulty, and criticality. Risk Rating Definitions CRITICAL HIGH MEDIUM LOW INFORMATIONAL Critical vulnerabilities pose very high threat to a company's data, and should be fixed on a top-priority basis. They can allow a hacker to completely compromise the environment or cause other serious impacts to the security of the application severity vulnerabilities should be considered a top priority in terms of mitigation. These are the most severe issues and generally cause an immediate security concern to the enterprise Medium severity vulnerabilities are a lower priority, but should still be remediated in a timely manner. These are moderate exploits that have less of an impact on the environment. Low severity vulnerabilities are real but trivially impactful to the environment. These should only be remediated after the HIGH and MEDIUM vulnerabilities are resolved. Informational vulnerabilities have no impact as such to the environment by themselves. However, they might provide an attacker with information to exploit other vulnerabilities.