CYBS 7355 - Penetration Testing and Vulnerability Assessments. Mid Term Exam. Fall 2015




CYBS 7355 - Penetration Testing and Vulnerability Assessments
Mid Term Exam, Fall 2015

NAME: James Konderla
STUDENT ID: 900860295

4 Questions Total

Instructions: Save your exam with the file name "CYBS 7355 Mid Term Exam - Name". Once you are finished, post your exam to the Unit 6 Drop Box on the ecollege website. Review the questions carefully as some are worth more than others. You will want to allocate proper time to complete all of the questions. All questions will be graded for full, half, or no credit. Please limit your responses to two pages per question.

I certify that this is my own work and I have cited all work that is not mine by quotes and citation or by paraphrasing with citations using APA. I understand that if I have plagiarized or copied materials that are not my own work that I will fail this exam with a grade of zero and be subject to academic review. This includes cutting and pasting. Do not use endnotes or footnotes as this is not the APA method.

NAME: James Konderla DATE: 9/30/2015

CYBS 7355 Penetration Testing & Vulnerability Assessments Mid Term Exam, Summer 2015 Page 1

1. 100 Points - In Lab #4, Using Ethical Hacking Techniques to Exploit a Vulnerable Workstation, you were able to compromise a remote Linux host using the VSFTP_234_backdoor vulnerability. Review the Victim Vulnerability Scan report you submitted in Unit 4. The vulnerability report identified several High severity vulnerabilities, which could allow a hacker to gain remote access. Repeat the steps in Part 3 of Lab #4 (ignore Part 1 and Part 2!) to search Metasploit for an exploit associated with an additional vulnerability (there are at least six), and then use that exploit to gain remote access and compromise the Linux machine again using a new exploit (e.g. do not use the VSFTP_234_Backdoor exploit you used in Unit #4). Briefly explain the exploit you used and insert the screenshot showing you have gained "root" access using the ifconfig, whoami or userid command on the remote target (NOTE: Getting root access on the VM you are logged on to locally to launch the attack from is not an acceptable answer. You must gain access to the remote machine).

Extra Credit: 10 bonus points if you can get a Meterpreter session onto the remote machine (screenshot required).

Extra Extra Credit: 15 more bonus points if you send me a .txt file of the password hashes from the remote machine! (Upload to Unit 6 dropbox with exam)

Answer: I chose to use the distcc vulnerability and the associated unix/misc/distcc_exec exploit for this exercise. I chose this exploit due to the vulnerability scan's description of its ease of install. In my experience, if an application is easy to install a user will accept all defaults, will rarely check for updates during the install (to get things up and running faster) and will be in a rush to get the app up and running, so will typically not check for vulnerabilities. This particular exploit targets a distributed compiler, distcc, which trusts its clients completely by default.

2. 50 Points - Penetration testing requires a very deliberate approach, in order to provide a thorough and safe result. Your textbook describes one methodology, but there are several more widely used methodologies such as the Open Source Security Testing Methodology Manual (OSSTMM) and the increasingly popular Penetration Testing Execution Standard (PTES). Discuss the importance of using a testing methodology. Clearly define what occurs in each phase and the significance of each phase. Be sure to provide supporting evidence for your selection.

Answer: Testing methodology provides a way to standardize both the steps and documentation of testing. I have seen this first hand at work with development methodologies: by using a development methodology we standardize not only the documentation of our software but the way we test and develop the software, enabling a new person to take over or enter the development process at any point as well as enabling our managers to tell how we develop and what we are doing at a given development point. A testing framework also establishes the rules of a test, as well as the parameters and scope, protecting both the tester and the systems being tested while also establishing the goals of the test. After looking at the book's example and both OSSTMM and PTES I have decided that PTES is my preferred methodology due to its addition and emphasis placed on communication and pre-engagement interactions. This standard consists of the following:

Pre-Engagement Interactions: This phase includes the establishment of the scope, start and end dates, goals and the rules of engagement including which locations, times and systems are off limits. This is probably the most important phase of the test as it establishes the boundaries and puts in place protections for both the testers and the organization.

Intelligence Gathering: This includes selecting a target and gathering information that includes but is not limited to infrastructure, documents, financial, organizational structure, network and identity protection mechanisms and footprinting. Though some consider these pre-test practices, I believe this is when the test actually starts.

Threat Modeling: The PTES standard defines threats in 2 areas: assets and attackers. Of course both areas have further divisions but the main focus in this phase is using tools to define and model the threats that both areas possess through use of various tools, including a SWOT (Strength, Weakness, Opportunity and Threat) analysis. This process can go as deep as the business or the testers feel necessary.

Vulnerability Analysis: In this phase the system is actively probed for vulnerabilities and these vulnerabilities are outlined. This phase should heavily rely on the scope and breadth of the exercise, as analyzing systems outside of these can result in legal, regulatory or even business issues and fines. Scans can be automated and it is highly suggested that they be. At the conclusion of this phase several high-value targets should be identified.

Exploitation: This phase has 1 focus: establishing access to the system or a resource. This can include computer systems, buildings or company assets. Using the results of the vulnerability analysis, high-value targets should be attacked within the scope and boundaries of the exercise. Evidence should also be collected starting in this phase to prove a successful exploitation.

Post Exploitation: Following a successful exploit, each target or compromised system should be cataloged to determine its value in terms of what sensitive data could be exposed, what is the relationship of this asset to other network resources and what communication channels does a system open up, to name a few. Exploited systems should also be compromised in such a way to allow later access within the bounds of the exercise. It is highly suggested that documentation on patching the exploit also be presented.

Reporting: This phase focuses on the reporting of the findings of the exercise. The PTES standard suggests the use of an Information Security Risk Rating Scale to define the overall risk of each system, as well as the network inside the exercise scope as a whole. Reports should not only summarize the data, but provide a user-friendly readout for executives and managers that should include graphs to summarize the data. Recommendations and strategic roadmaps on patching/removing vulnerabilities should also be presented as well as a technical report of all information gathered, systems exploited and data exposed during the attack. I consider this the second most important phase of the test as it is the presentation of not only the information exposed, but of the entire exercise in a readable format.

Citations:
Main Page. (2014, August 16). Retrieved October 3, 2015, from http://www.penteststandard.org/index.php/main_page
Oriyano, S. (2014). Hacking: The Next Generation. In Hacker techniques, tools, and incident handling (2nd ed., pp. 17-19). Burlington, MA: Jones & Bartlett Learning.

3. 50 Points - During the last 5 weeks, you have been exposed to numerous testing tools, as well as the phases in which the tools would be used. Describe five (5) of the tools that you would be using during a penetration test. Explain what the tool is intended to do, why it is used, and how the tool, if used by a hacker, could disrupt the target's business. Do not just list tools! Explain the purpose and risk!

Answer: The tools I have chosen to cover out of our labs are Maltego, Metasploit, Sam Spade, Wireshark and Nmap. I purposely did not pick Kali/Backtrack since it is more like a toolbox than just a tool.

Maltego: Maltego is an information gathering and data mining tool. What makes this tool unique is the fact that you can program in a domain name and gather information about that domain including email formats, exposed email addresses, registration information and even location and company information. I plan on playing with this tool a lot when I do a vulnerability assessment on the DFWHDI.org domain later this year. This tool can disrupt a target's business by providing target information without the need to interact with the target (at least in the initial stages).

Metasploit: Metasploit is the most interesting tool I have ever seen. This tool is a framework that provides the ability to analyze a target and determine its vulnerabilities. The tool goes farther than this, though, by allowing the use of payloads and vulnerabilities themselves to compromise a system with the possibility of gaining a persistent remote console via Meterpreter (though I have been unsuccessful in this so far). Metasploit also provides an easy to use GUI and update capabilities to expand the initial database of vulnerabilities and payloads. The risk of this program to a target is very high, as its database actively contains vulnerabilities and payloads that include viruses, worms, remote executables and plenty of other toys for a penetration tester or hacker. The tool's risk is increased by providing a comprehensive wiki that includes documentation on how to use almost every aspect of the framework including installation on Windows, Linux, Apple, and Unix environments.

Sam Spade: Sam Spade is an interesting tool that I discovered was actually abandoned as a project (though I have experimented with some of its functionality and can very easily re-create some of it in C#). This tool has the ability to run several command-prompt diagnostics from a central console, such as nslookup, whois and even traceroute. The tool itself doesn't have a whole lot of uses in an attack but does allow the ability to mine information about a network's infrastructure by analyzing TCP blocks, registrar information, route steps (using traceroute to find each step in a route between localhost and the target domain) and even the ability to view and parse email headers. The risks of this tool are minimal but allow the central use of a lot of tools in 1 place, cutting down intelligence gathering and network analysis times considerably.

Wireshark: Wireshark, which I first used as Ethereal to perform a few basic network diagnostics, has the capability of intercepting and analyzing network traffic. The most interesting capability of this tool is something I learned a few years ago: promiscuous mode. By placing the network interface Wireshark uses into this mode, you are able to see all traffic and analyze where it is going, what it contains and where it came from. Of course Wireshark can also understand what protocol was used when transmitting traffic, which makes it even more useful. The risk of this tool to a target is that it can passively capture unencrypted traffic on a network without being noticed, possibly providing a man-in-the-middle attack by allowing the injection of information into a packet with use of other tools.

Nmap: Nmap is a scanning software whose primary use is discovering ports and exposed services on a remote computer. Nmap can also discover a host's operating system if the host is not properly configured (which does not happen by default). Of course Nmap has much more functionality but by far its most useful functions are service and OS discovery. Nmap itself can disrupt a target's business by providing a list of exposed services and operating systems used on a target's network.

4. 50 Points - As someone who has had the opportunity to use a very popular social engineering tool (e.g. SpoofCard) you realize the potential danger that social engineering presents to users in your company or school. Now the CIO of your company is growing concerned regarding the risks this presents to the company. He knows that you are taking a course on hacking so he calls you in and asks what can be done to help limit the risk to the company. What are some things that can be done on a corporate level to help reduce the risk of social engineering? Be as detailed as possible. Do not exceed 2 pages.

Answer: The first thing that comes to mind is training. By providing training to the company as a whole you can inform them of not only the risks of social engineering but even of some examples of the techniques. PepsiCo conducts an annual, mandatory, security training that must be taken by all employees and contractors as well as third parties who have systems access. Of course training can only go so far and it is easy to forget your training when you are the target of an attack. I would suggest the implementation of more extensive training to personnel who are particularly at risk for social engineering attacks, such as the service desk. While at the service desk I have seen many attempts, a few successful, at social engineering and I can say that, even with the same base training as the rest of the company, the service desk is not prepared. By providing an enhanced training that includes verification prior to trusting an individual, the service desk can not only gain the ability to better identify attacks but also gain insight into how to better defend the company even when an attack is not happening. One example I often use is verification questions: the service desk at PepsiCo is now required to ask our customers where an individual is based (city and state) and what the phone number on record in our CMS system is. This system feeds from HR but also has a lag of 48 hours, which enables a further defense. Beyond these verification questions, if a customer requires assistance resetting a password, more verification is required, though I will not reveal that here.

I would also recommend the separation of credentials. Even though it is best practice to not allow administrator access to a computer, I have too often seen it at companies. I recommend separating admin and basic user credentials for all users and requiring users to request access to administrative credentials with both manager and security team approval to ensure that administrative access is provided on a need-only basis. In the case temporary access is needed, I recommend the creation of a script to give time-limited access to a specific user for administrative access. I remember hearing about this capability when I had first started at the service desk (though it has since been removed to the dismay of the security team and is in the process of being reimplemented): this script has the capability of giving a user an hour or 2 of administrative access (3 was the maximum). After the user logs off and back on the user's access takes place and the access can be revoked 1 of 2 ways: the user logs off before the allotted time or the allotted time passes and the user is forcibly logged off with the script disabling the administrative access during the logoff process. This would be essential in limiting the impact of an attack if a social engineer does gain access to a system.

My last recommendation is one that I recently learned at PepsiCo: regular access audits. In this a specialized system is put into place to regularly (every 90 days in our case) look at a particular access (our system is set up for almost every access that could grant system or financial access) and alert the user's manager to verify that they need the access. The user's manager has 1 week from that point to approve the access before the manager's manager is alerted. That senior manager has 1 more week to verify and, in the event they fail to verify the access or in the event an access verification is declined, the access is immediately revoked. Of course a few systems, such as time tracking, have the ability for the employee themselves to complete mandatory training as well. No company is fully securable but I believe with these things in place the company can be defended a lot better.
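The access-recertification workflow this answer describes (a review every 90 days, one week for the user's manager, one more week for the manager's manager, and revocation on an explicit decline or on silence), written out as an added Python example. It is not part of the exam and models no real PepsiCo system; the entitlement names, reviewer names and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Parameters taken from the answer above: re-certify every 90 days,
# and each reviewer gets one week to respond before the next step.
REVIEW_PERIOD = timedelta(days=90)
REVIEW_WINDOW = timedelta(days=7)


@dataclass
class Entitlement:
    """One user's access right plus the state of its current review, if any."""
    user: str
    access: str
    manager: str
    senior_manager: str
    last_certified: date                # accepts an ISO string, see __post_init__
    active: bool = True
    reviewer: Optional[str] = None      # who must answer right now (None: no open review)
    deadline: Optional[date] = None     # date by which that reviewer must answer
    history: list = field(default_factory=list)

    def __post_init__(self):
        if isinstance(self.last_certified, str):
            self.last_certified = date.fromisoformat(self.last_certified)


def _close(ent: Entitlement, today: date, note: str) -> None:
    ent.reviewer = ent.deadline = None
    ent.history.append(f"{today}: {note}")


def open_review(ent: Entitlement, today: str) -> bool:
    """Start a review once 90 days have passed; the user's manager is alerted first."""
    now = date.fromisoformat(today)
    if not ent.active or ent.reviewer is not None or now - ent.last_certified < REVIEW_PERIOD:
        return False
    ent.reviewer, ent.deadline = ent.manager, now + REVIEW_WINDOW
    ent.history.append(f"{now}: review opened, alerted {ent.manager}")
    return True


def decide(ent: Entitlement, reviewer: str, approved: bool, today: str) -> None:
    """Record a decision. Only the reviewer currently assigned may decide."""
    now = date.fromisoformat(today)
    if reviewer != ent.reviewer:
        raise PermissionError(f"{reviewer} is not the assigned reviewer")
    if approved:
        ent.last_certified = now            # restart the 90-day clock
        _close(ent, now, f"approved by {reviewer}")
    else:
        ent.active = False                  # a decline revokes immediately
        _close(ent, now, f"declined by {reviewer}; access revoked")


def tick(ent: Entitlement, today: str) -> None:
    """Daily job: escalate a missed manager deadline, revoke after a missed senior one."""
    now = date.fromisoformat(today)
    if ent.reviewer is None or now <= ent.deadline:
        return
    if ent.reviewer == ent.manager:
        ent.reviewer, ent.deadline = ent.senior_manager, ent.deadline + REVIEW_WINDOW
        ent.history.append(f"{now}: no answer from {ent.manager}, escalated to {ent.senior_manager}")
    else:
        ent.active = False
        _close(ent, now, f"no answer from {ent.senior_manager}; access revoked")


if __name__ == "__main__":
    # Constructed sample: a finance-posting right certified on 2015-01-01 that nobody answers for.
    e = Entitlement("jdoe", "FIN_POST", "mgr1", "dir1", "2015-01-01")
    for day in ("2015-04-01", "2015-04-09", "2015-04-16"):
        open_review(e, day)
        tick(e, day)
    print("\n".join(e.history), "\nactive:", e.active)
```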