Penetration Testing Report
Client: xxxxxx
Date: 19th April 2014

1. Executive Summary

On the 19th of April 2014, a security assessment was carried out on the internal networks of xxxxxx, with the permission of the system administrator, Mr xxxxxx. The test was designed to give a view of the overall security of the network and to identify areas for improvement. It was carried out with full visibility of the network, so that all plausible attack vectors could be identified.

Multiple vulnerabilities were discovered which, chained together, would enable a malicious attacker to obtain sensitive information concerning cadets and potentially gain access to the MOD WESTMINSTER system. The findings are drawn together below to illustrate a potential attacker's route into that system:

1. Obtain the WiFi password via the WPS vulnerability and connect to the network.
2. Set up a man-in-the-middle attack to listen for passwords.
3. Retrieve all data from the open Management and Training SMB shares.
4. Crack weak Kerberos passwords.
5. Intercept email passwords.
6. Install malware on a target machine.
7. Exfiltrate sensitive information / obtain a WESTMINSTER login.
2. Contents

1. Executive Summary
2. Contents
3. Testing Methodology
   3.1. Legal & NDA
   3.2. Methodology
   3.3. Scope
   3.4. Client Data Destruction Policy
4. Vulnerabilities Discovered
   4.1. SMB Shares open on SERVERA - CRITICAL
   4.2. WPS Enabled on Wireless Router - CRITICAL
   4.3. Weak Passwords - HIGH
   4.4. Vulnerability to Targeted Attack - MEDIUM
5. Network Security Overview
   5.1. Network Enumeration
   5.2. Website
6. Project Staff
7. Appendices
   7.1. Nmap Scan results
   7.2. Nessus Scan Results
3. Testing Methodology

3.1. Legal & NDA

This test was carried out with the express permission of xxxxxxx at xxxxxxx, following a previously agreed testing procedure. In this instance a waiver form was not signed before testing commenced, owing to the non-intrusive nature of the testing.

3.2. Methodology

This test was carried out as a White-Box security assessment. In this mode of testing the tester(s) have complete visibility and prior knowledge of all devices on the target network. Rather than attempting to mimic an attacker, the focus is on determining which security vulnerabilities are present in the network.

3.3. Scope

All devices connected to the CLIENT network were in scope, including the hosted xxxxxxx website.

3.4. Client Data Destruction Policy

Any data retained for use in generating this report has been destroyed by secure deletion. As there was, and is, no material above UK SECRET held on the network, this fulfils the data destruction requirements.
4. Vulnerabilities Discovered

4.1. SMB Shares open on SERVERA - CRITICAL

Whilst enumerating the network shares, it was discovered that a number of shares on the SERVERA domain controller (192.168.1.119) were world accessible: any device with network access could read from and write to them. These included the Training Officer and Management shares, both of which contained highly sensitive personal information about xxxxxxx and staff, as well as sensitive financial information. Write access compounds the problem, since an attacker could also alter or plant files on the shares rather than merely copy them. Because the attack has very low technical complexity and the compromise is serious, this finding is rated Critical.

Mitigation: Restrict the sensitive shares (both the share permissions and the underlying NTFS permissions) to the specific groups that need them, and remove Everyone / anonymous access.

4.2. WPS Enabled on Wireless Router - CRITICAL

A survey of the wireless networks was conducted using the aircrack-ng suite of 802.11 assessment tools. The Sea Cadets wireless network was found to use WPA2 encryption with a complex passphrase. However, WPS (Wi-Fi Protected Setup) was also enabled. WPS lets a device obtain the wireless passphrase either by pressing a button on the router at the same time as one on the device to be paired, or by entering an 8-digit PIN. The PIN method has a design flaw [1]: the router acknowledges the first and second halves of the PIN separately, and the last digit is a checksum, so an attacker within radio range can brute-force the PIN in at most about 11,000 attempts and is then handed the WPA2 passphrase (and can push a new wireless configuration to the router). The complexity of the passphrase does not help, because it is never guessed, only handed over. This would grant the attacker full access to the internal network.

This attack has moderate technical complexity but very serious consequences, and is therefore rated Critical.

Mitigation: Disable WPS in the router's management interface, then verify with a fresh wireless survey that WPS is no longer advertised, as some devices leave it active regardless of the setting.

4.3. Weak Passwords - HIGH

Each workstation on the network uses Kerberos authentication to log on to the primary domain controller, which lets users log on at different workstations while keeping their documents and settings. With network access obtained, a man-in-the-middle attack was conducted between a workstation and the domain controller using the tool Cain, which ARP-poisons both endpoints so that their traffic passes through the attacker's machine and can be read. The system administrator then logged a user on to the workstation, and the resulting password hash was sniffed.

Figure 1 - Intercepted password hashes

The current configuration uses a SHA-1 based Kerberos key derivation (the AES encryption types derive keys with PBKDF2-HMAC-SHA1 over 4,096 iterations), which greatly slows the rate at which passwords can be tried. However, the password in this instance was "password", which John the Ripper guessed within 0.306 seconds: a slow hash does not protect a password that appears at the top of every wordlist. Given the seriousness of the compromise, this finding is rated High.

Mitigation: Enforce a domain password policy (minimum length, no dictionary words, account lockout), and deploy ARP-spoofing detection (for example arpwatch, or Dynamic ARP Inspection on managed switches) so that man-in-the-middle attacks of this kind are detected.

4.4. Vulnerability to Targeted Attack - MEDIUM

A common attack method used by advanced threats is the phishing email: a message carrying malware or a malicious attachment which, when downloaded or run, turns the recipient's workstation into a foothold from which intellectual property, financial data or sensitive information is stolen. This scenario was tested using the xxxxxxx email address. A set of malicious emails was sent, and different anti-virus configurations were tried. As xxxxxxx generally has a low threat profile, a serious bypass of the anti-virus protection was not attempted. However, the anti-virus can be disabled by the user, so malicious payloads can be run by the user, accidentally or otherwise. This led to a successful compromise of the administrator endpoint and, through it, of sensitive personal information about cadets. The same attack could be launched from inside the organisation (for example, a cadet running a malicious program on the network). The implant used was capable of monitoring all keystrokes on the workstation, intercepting login passwords, and capturing microphone audio.

Figure 2 - Compromised administrator workstation

Mitigation: Train users to recognise dangerous emails; ensure anti-virus is always enabled and cannot be disabled by standard users, which in practice means day-to-day work should not be done from accounts with local administrator rights.

[1] http://www.us-cert.gov/ncas/alerts/ta12-006a
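To make the WPS finding in 4.2 concrete, the following is an added example, not tooling used in the assessment, that models the PIN brute force described in TA12-006A against a mock registrar. It implements the WPS PIN checksum, then recovers a constructed secret PIN half by half while counting attempts, which shows why the search space collapses from the 10,000,000 checksum-valid PINs to at most 10,000 + 1,000 = 11,000 tries. The MockRegistrar class and its PIN are assumptions for illustration; nothing here touches a radio.

```python
"""Model of the WPS PIN brute force described in US-CERT TA12-006A.

Added illustration, not the report's own tooling. The "AP" below is a
constructed mock of a WPS registrar holding a made-up PIN.
"""
from typing import Tuple


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (the algorithm in the WPS spec)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(int(pin[:7]))


class MockRegistrar:
    """Stand-in for the AP's WPS registrar (constructed for this example).

    In the real protocol the AP answers the enrollee's M4 with a NACK when the
    first four PIN digits are wrong, and its M6 with a NACK when the last four
    are wrong; that per-half answer is the oracle the attack exploits. Here each
    try is a method call instead of an EAP exchange over the air.
    """

    def __init__(self, secret_pin: str) -> None:
        assert is_valid_wps_pin(secret_pin), "mock AP needs a checksum-valid PIN"
        self._pin = secret_pin
        self.m4_attempts = 0
        self.m6_attempts = 0

    def first_half_ok(self, half: str) -> bool:
        self.m4_attempts += 1
        return half == self._pin[:4]

    def second_half_ok(self, first: str, second: str) -> bool:
        self.m6_attempts += 1
        return first == self._pin[:4] and second == self._pin[4:]


def brute_force_wps_pin(ap: MockRegistrar) -> Tuple[str, int]:
    """Recover the PIN one half at a time; returns (pin, total attempts)."""
    first = None
    for i in range(10_000):                      # first half: 10^4 candidates
        cand = f"{i:04d}"
        if ap.first_half_ok(cand):
            first = cand
            break
    if first is None:
        raise RuntimeError("first half not found")
    for j in range(1_000):                       # second half: 10^3, checksum is free
        three = f"{j:03d}"
        second = three + str(wps_pin_checksum(int(first + three)))
        if ap.second_half_ok(first, second):
            return first + second, ap.m4_attempts + ap.m6_attempts
    raise RuntimeError("second half not found")


def worst_case_attempts() -> int:
    """Upper bound on tries with the half-by-half oracle."""
    return 10_000 + 1_000


def checksum_valid_pin_count() -> int:
    """How many PINs a naive attacker without the oracle would face."""
    return 10 ** 7


if __name__ == "__main__":
    ap = MockRegistrar("12345670")               # constructed secret PIN
    pin, tries = brute_force_wps_pin(ap)
    print(f"recovered {pin} after {tries} attempts "
          f"(worst case {worst_case_attempts()}, "
          f"versus {checksum_valid_pin_count()} checksum-valid PINs)")
```

Real attacks are slower than this loop suggests only because each try is a full WPS handshake over 802.11, typically a second or more; the bound on the number of tries is what makes the attack practical within hours.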
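The cracking step in 4.3, as an added example that is not from the assessment: a dictionary attack modelled against the PBKDF2-HMAC-SHA1 key derivation that Kerberos AES encryption types use (RFC 3962: 4,096 iterations, salt = upper-case realm followed by the principal name). The realm CLIENT.LOCAL, the principal cadetadmin and the wordlist are constructed. The model stops at the PBKDF2 stage (the real string-to-key adds a further AES-based DK step, and a real cracker verifies a guess by decrypting the captured pre-authentication timestamp rather than comparing keys), which does not change the per-guess cost that is the point here. The password_is_weak check illustrates the policy side of the mitigation.

```python
"""Dictionary attack against Kerberos-style PBKDF2-HMAC-SHA1 key derivation.

Added illustration, not tooling from the assessment. Realm, principal and
wordlist are constructed; the final DK step of RFC 3962 is omitted.
"""
import hashlib
import hmac
import time
from typing import Iterable, List, Optional, Tuple

ITERATIONS = 4096   # RFC 3962 default iteration count
KEY_LEN = 16        # AES-128 key length in bytes

# Constructed wordlist; "password" is the value actually recovered in 4.3.
WORDLIST: List[str] = ["123456", "letmein", "qwerty", "password", "welcome1",
                       "cadets2014", "admin", "football"]


def kerberos_salt(realm: str, principal: str) -> bytes:
    """Default AES salt (RFC 3962 / RFC 4120): upper-case realm + principal name."""
    return (realm.upper() + principal).encode("utf-8")


def derive_tkey(password: str, salt: bytes) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key (the DK step is not applied)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)


def dictionary_attack(target_key: bytes, salt: bytes,
                      wordlist: Iterable[str]) -> Tuple[Optional[str], int, float]:
    """Derive a key per candidate and compare; returns (password or None, guesses, seconds)."""
    words = list(wordlist)
    start = time.perf_counter()
    for n, word in enumerate(words, 1):
        if hmac.compare_digest(derive_tkey(word, salt), target_key):
            return word, n, time.perf_counter() - start
    return None, len(words), time.perf_counter() - start


def password_is_weak(password: str, wordlist: Iterable[str] = WORDLIST) -> bool:
    """Policy check for the mitigation: reject short passwords and wordlist entries,
    including the common trick of appending digits or symbols to one."""
    lowered = password.lower()
    base = lowered.rstrip("0123456789!@#$%")
    blocked = {w.lower() for w in wordlist}
    return len(password) < 12 or lowered in blocked or base in blocked


if __name__ == "__main__":
    salt = kerberos_salt("CLIENT.LOCAL", "cadetadmin")   # constructed principal
    sniffed = derive_tkey("password", salt)              # stands in for the sniffed key
    found, guesses, secs = dictionary_attack(sniffed, salt, WORDLIST)
    print(f"recovered {found!r} after {guesses} guesses in {secs:.3f}s "
          f"({secs / guesses * 1000:.1f} ms per guess at {ITERATIONS} iterations)")
    for candidate in ("password", "Password1!", "correct-horse-battery-staple"):
        print(f"{candidate!r} weak: {password_is_weak(candidate)}")
```

Run stand-alone it reports a few milliseconds per guess, which is exactly the slowdown the report credits the SHA-1 derivation with; the attack still finishes in well under a second because the correct answer is the fourth word tried. Lengthen the wordlist to millions of entries and the iteration count starts to matter, but only for passwords that are not in it.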
5. Network Security Overview

5.1. Network Enumeration

The devices on the network were enumerated using the scanning tool Nmap, which produced a list of devices and their open ports. That list was then given to the vulnerability scanner Nessus, which checked whether vulnerable versions of software were running on the devices. No serious vulnerabilities were discovered in this manner. The IP addresses and their functions are listed below.

IP Address      Hardware Device                  Device Function
192.168.1.1     Netgear Router                   Primary traffic router
192.168.1.3     D-Link Router                    Wireless access point
192.168.1.33    AsusTek Desktop (Windows)        Office/admin computer
192.168.1.36    HP Desktop (Windows)             Office/admin computer
192.168.1.119   HP Server (Windows) - SERVERA    Domain controller / web server
192.168.1.120   HP Server (Windows) - SERVERB    Backup domain controller / server

5.2. Website

The website currently in use (xxxxxxxxxxxxxxx) is hosted on a server on the main internal network. Ordinarily this would be a security risk, since a compromise of an internet-facing web server gives an attacker a foothold on the internal network. However, the website consists only of static HTML pages and the web server software is up to date, so in this configuration there is very little risk from the web application itself. Note that the web server runs on SERVERA, the domain controller: any future web server vulnerability would expose the domain controller directly, so moving the site to a separate host, or to a hosting service outside the network, would remove that exposure.
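The Nmap-to-Nessus hand-off in 5.1, as an added example rather than the assessment's own script: a parser for Nmap's XML output (-oX) that builds the host inventory shown in the table and emits the comma-separated target list Nessus accepts. SAMPLE_NMAP_XML is a constructed fragment that reuses the addresses and vendors from the table; the MAC addresses and the open ports are invented for illustration and are not from the scan. The hosts_with_port helper is what a tester would use to go from the port list straight to the SMB finding in 4.1.

```python
"""Parse Nmap XML (-oX) into a host inventory and a Nessus target list.

Added example; not the assessment's own script. SAMPLE_NMAP_XML is a
constructed fragment: addresses and vendors come from the report's table,
MACs and open ports are invented.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Tuple

SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -O -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:00:00:00:00:01" addrtype="mac" vendor="Netgear"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.33" addrtype="ipv4"/>
    <address addr="00:00:00:00:00:02" addrtype="mac" vendor="AsusTek"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.119" addrtype="ipv4"/>
    <address addr="00:00:00:00:00:03" addrtype="mac" vendor="Hewlett Packard"/>
    <hostnames><hostname name="SERVERA" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.200" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

Host = Dict[str, Any]


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Return one record per live host: ip, mac, vendor, hostname and open TCP ports."""
    hosts: List[Host] = []
    for node in ET.fromstring(xml_text).findall("host"):
        status = node.find("status")
        if status is None or status.get("state") != "up":
            continue  # Nmap lists down hosts too; Nessus only wants live ones
        rec: Host = {"ip": None, "mac": None, "vendor": None, "hostname": None}
        for addr in node.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"], rec["vendor"] = addr.get("addr"), addr.get("vendor")
        hn = node.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        open_tcp: List[Tuple[int, str]] = []
        for port in node.findall("ports/port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_tcp.append((int(port.get("portid")), svc.get("name") if svc is not None else ""))
        rec["open_tcp"] = sorted(open_tcp)   # filtered/closed ports are dropped
        hosts.append(rec)
    return hosts


def hosts_with_port(hosts: List[Host], port: int) -> List[str]:
    """IPs exposing the given TCP port, e.g. 445 to shortlist SMB targets."""
    return [h["ip"] for h in hosts if any(p == port for p, _ in h["open_tcp"])]


def nessus_target_list(hosts: List[Host]) -> str:
    """Comma-separated live IPs, the form Nessus accepts in its target field."""
    return ",".join(h["ip"] for h in hosts)


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        ports = ", ".join(f"{p}/{s}" for p, s in h["open_tcp"])
        print(f"{h['ip']:<15} {h['vendor'] or '?':<16} {h['hostname'] or '-':<10} {ports}")
    print("SMB exposed:", hosts_with_port(inventory, 445))
    print("Nessus targets:", nessus_target_list(inventory))
```

For a real run, replace SAMPLE_NMAP_XML with the contents of the file written by nmap -oX; the same parser also works on the larger output of a service-version scan (-sV), since the extra attributes on the service element are simply ignored.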
6. Project Staff

This section details the personnel employed on the project, their clearances and qualifications.

Project Lead: Joseph Greenwood
Security Clearance: xxxxxxxxxx
Certifications: CREST Registered Tester, 7Safe CSIS/CMI/CFIP, Security+.

7. Appendices

7.1. Nmap Scan results

7.2. Nessus Scan Results