Penetration Testing
  • 18
    Jan

Penetration Testing

Penetration testing for businesses.

An Example

Contents

 

Part 1.

Introduction. 4

Internet Service Registration. 4

DNS Issues. 5

Search Engines. 5

Email 6

Website Analytics. 6

Conclusion. 6

Part 2.

Introduction. 7

Nmap Report. 7

Nessus Report. 8

Conclusion. 11

Appendix. 12

WhoIs Information. 12

NSLookup. 13

Drop Tables. 14

Search Engines. 15

HTtrack. 17

Hidden Files. 17

Security Issues. 18

Nmap Report. 19

Nessus Report. 20

References. 21

 

 

Part 1

Introduction

 

The client has asked that both intranet and extranet based security frameworks be tested utilising both passive and active reconnaissance. This report identifies potential threats and security issues that the client could face from passive reconnaissance of a new website hosted on the client’s infrastructure and explains why active reconnaissance needs to be considered.

 

Engebretson (2013) states that to make a client’s systems more secure Penetration Testing can be utilised when properly authorised to successfully exploit a client’s computer systems.  Kim (2014) adds that penetration Testing should start with passive reconnaissance in the form of discovery of what information can be easily accessed regarding the clients systems. It makes use of the immense amount of information available on the web and other media.

Internet Service Registration

 

A good starting point would be to view what information can be gleaned from the information held in the Whois Databases. All domain names must be registered on a database and these databases are controlled by various registrars throughout the world. They provide public information to internet users with Nominet being the official UK registrar controlling domains such as .co.uk .org.uk and .wales (Nominet, 2015).

There are many web based, graphical and command line tools with the ability to look up this information, Nominet provide their own tool and as can be seen in the Appendix (Whois Information), information regarding the target website  is easily available.

This information shows the name of the owner, his address, the date of registration, the expiry date, the hosting company and the name servers. Each piece of this information begins to build up an overall picture, Engebretson (2013, pp.62-63) claims some of which could be utilised for social engineering and penetration testing

The Internet Engineering Task Force(IETF)  have released a Request For Comments Document(RFC), RFC  3912  which provides the protocol specification for Whois (IETF, 2004). However they admit that due to historical reasons there are many security and protocol design issues with the current Whois protocol and although there have been a few attempts to update this protocol, the Whois protocol still has many shortcomings.

 

DNS Issues

 

A main component of the Internet is Domain Name Services (DNS) (IETF, 1987).  According to Holme et al (2011) this service translates IP addresses to names and allows users to type in easily remembered domain names instead of long IP addresses.

The servers that store this IP to address information are an ideal target for hackers and penetration testers as they may contain lists of internal domain names, servers and the physical makeup of the internal network according to Engebretson (2013).

Various tools exist which will allow the interrogation of these DNS servers, a simple one installed on all computer systems is the NSLookup command. This allows the selection of a specific DNS server to be queried using a target domain name as shown in Appendix (NSLookup). The illustration shows the output from this can contain mail server addresses and other server information.

A historical security issue which has all but been resolved by most DNS servers was  the ability to download an entire clients domain, i.e. Zone transfer, by unauthorised people Engebretson (2013) states. However currently Windows Servers default configuration for instance only allows Zone transfers by authorised and authenticated DNS servers in order to share its information across the network according to Northrup & Mackin (2011).

Engebretson (2013) reports that easily accessible commands such as “Dig” and “Fierce” amongst others provides a person with tools to test the security of DNS servers to their limit.

Search Engines

 

Search engines provide a mass of information regarding websites, people and companies. Information garnered from the DNS and WHOIS lookups can be more intensively searched for using a search engine such as Google or a social website search such as Facebook or LinkedIn. For example the website owners name can be searched to find out what his experience and qualifications are. This may provide clues as to the technologies used by the company. If the person is a Linux, Cisco or Microsoft expert then there is a pretty good chance that these technologies are employed at his place of work. Job advertisements by the client will ask for specific experience and knowledge and these adverts also unwittingly provide information regarding the technologies used at the company.

Grodinsky (2013) explains that to reduce the number of hits a search engine retrieves, directives can be utilised. These directives force Google to focus more on the exact information that you are looking for. One example is the “Site:” directive which ensures that results are only returned from the explicit site which follows the directive. For example a search for “site: icloud9.co.uk mccherry” provides only 6 results (See Appendix – With Site: Directive) whereas a search for “mccherry” without a site directive returns over a hundred (See Appendix – Without Site: Directive) which would be much more time consuming to go through.

Google confirms that there are many more directives that can be utilised such as allintitle: intitle: and inurl: which limit the search term to just checking the titles or the URL for the search words. (Google, 2012)

 

Email

 

The Australian Government (Australian Signals Directorate, 2015) recognise servers by their very nature force firewalls to allow data in the form of emails to pass through providing a viable path into the internal network. They continue to explain that antivirus software and email filtering solutions must then come into play to prevent malicious email from entering the network.

Many email servers will no longer accept emails with executable or zipped files attached in the fear that end users may click on them and install malicious programs onto their systems.  The email server will filter any such mails and send a message back to the originator that the message has not been delivered. Engebretson (2013) states that often this email contains useful information such as the manufacturer of the antivirus and version or the type of mail server in use.  Engebretson (2013) adds that this type of information can prove to be useful in later stages of an attack and that a dummy email containing a non-malicious executable is a good way of gathering this information.

Website Analytics

 

Many company websites list publicly available information such as email addresses, staff employee names, and business address. Additionally often hidden information can be collected from the website using tools such as HTtrack.

The HTtrack website (HTtrack, 2015) confirms that the software will download a target website to the local computer in its entirety allowing a user to browse the locally held website at will. This provides a view of the internal workings of the files, searching for comments and other possibly valuable information left within the code by the website developers.   However Engebretson (2013) argues that using HTtrack is easily traced and whilst not illegal, cloning a website can be seen as offensive and is therefore not entirely passive.  As can be seen in the diagram Appendix (Security Issues) the developer of the Lanconnectors website has left information regarding Table names and a personal mobile phone number.

Obviously named hidden files have been uncovered such as log.html and stuff.txt which provide more personal information. See Appendix (Hidden Files ). Information contained in comments may include database table names, passwords, email addresses, or phone numbers.  A client enquiry form on the lanconnectors.co.uk website has been provided. However it has been found that this form fails to validate input. SQL Injection flaws such as this create vulnerabilities allowing attackers to insert SQL commands that could create or delete information (OWASP, 2009) as can be seen in Appendix (Drop Tables).

Conclusion

 

Engebretson (2013) states that Passive reconnaissance is an easily overlooked stage of penetration testing but can reap large rewards in terms of information. This information, such as IP addresses, can then be utilised to begin active reconnaissance of the target networks.

Passive Scanning helps to find unknown weaknesses in the security framework. Active Scanning can now be employed by software applications such as Nmap, Nessus and MetaSploit to target those weaknesses. (Tenable, 2015)

 

Part 2

Introduction

 

The next stage of penetration testing involves using the information garnered from the passive reconnaissance stage to actively seek ways in to the target network.  Weidman (2014) observes that everything carried out so far during the passive reconnaissance phase is completely legal but once a potential hacker moves into the active reconnaissance stage legality issues can ensue.

Active Reconnaissance focuses efforts on the identified vulnerabilities found during the passive phase (Tenable, 2015). Tenable continues to explain that the main priority for active scanning is to identify specific vulnerabilities however if these vulnerabilities are easily resolved then they should be, rather than wasting further time and resources.

Nmap Report

 

Engebretson (2013) states that almost all networks are connected to the internet to provide services, such as email.  to internal clients or external users. Each of these services requires a port opening on the firewall in order to provide that service. According to Geer(2013) Nmap is a software tool that can scan the IP addresses recorded during the passive reconnaissance phase to examine what ports have been opened on those IP addresses. A list of the port assignments is provided by the IETF in their RFC 1700 (IETF, 1994). As can be seen in the Appendix (Nmap), Nmap has discovered various ports open on the target server:-

Port 53 – RFC 1700 (IETF, 1994) shows this port to be utilised by Domain Name Services.  DNS servers have vulnerabilities that some Worms and Trojans can attack (Speedguide, 2015)

Port 153 – RFC 1700 (IETF, 1994) shows this port to be utilised by the Simple Gateway Monitoring protocol

Port 80 and 443 – RFC 1700 (IETF, 1994) shows these ports are used by HTTP and HHTPS respectively. Port 80 is particularly at risk to many worms (Speedguide, 2015)

Port 3389 – RFC 1700 (IETF, 1994) shows this port is used for Remote Desktop connections and is vulnerable to Denial of Service attacks (Speedguide, 2015)

Port 21 – RFC 1700 (IETF, 1994) shows this port to be utilised by the File transfer protocol and is susceptible to many Trojan and backdoor viruses. (Speedguide, 2015)

Ports 49152- are Dynamic ports used for temporary purposes.  According to the Internet Assigned Numbers Authority (IANA) Dynamic ports should not be used permanently by a software application. (IANA, 2015)

 

Nessus Report

 

Once we have a list of the IP addresses and open ports available we can now begin looking at the vulnerabilities of those ports and the software that uses them. A vulnerability scanner such as Nessus will scan the target server, discovering the software being utilised by the target system and will list any known security holes and vulnerabilities about the software it finds. The table at appendix (Nessus Report) shows a summary of a Nessus scan upon the target server. The following explains more about each vulnerability found and possible solutions:-

Critical Severity – Unsupported version of PHP.

 

PHP is used by many websites and is a popular website scripting language which can be embedded into HTML. It can be used to collect data or generate dynamic page content. The PHP version is updated constantly to enhance security and remove flaws in its design and therefore it should be updated when new versions are released. (PHP Group, 2015)

Critical Severity – DNS Server Vulnerabilities.

 

Domain Name Services(DNS) is a critical component of the internet, it translates IP addresses into easily recognisable names. (IETF, 1987).  In the version of DNS running on the target server vulnerability exists that allows the execution of remote code (Microsoft, 2014)

High Severity – PHP Version Vulnerability.

 

The specific version of PHP running on this server has known vulnerabilities that allows denial of service attacks which if exploited would mean the DNS server becomes overloaded or crashes the server (Tenable, 2015)

Medium Severity – Untrusted SSL certificate.

 

SSL certificates ensure a website belongs to a verified company. An untrusted SSL certificate allows anyone to establish a man-in-the-middle attack by creating a similar website and pretending to be that company. (Tenable, 2015)

Medium Severity – Self Signed SSL certificate.

 

The SSL has not been signed by an accredited authority and therefore the company to which this website belongs cannot be verified. (Tenable, 2015)

 

Medium Severity – SSL version out of date.

 

Secure Sockets Layer(SSL) establishes encrypted links between web servers and client browsers. The version of SSL running on this server is an obsolete and insecure protocol and therefore should be updated, preferably to Transport Layer Security(TLS) according to Moeller (2014).

Medium Severity – Security feature bypass.

 

A vulnerability in SSL and TLS could allow a potential hacker to bypass security (Microsoft, 2014)

 

Medium Severity – SSL Certificate Expiry.

 

SSL certificates for websites must be renewed annually to prevent them expiring. The SSL certificate for domain on the target server has expired.  (Tenable, 2015)

Medium Severity – PHP Configuration Change.

 

The configuration of the PHP server allows for the exploitation of a specific vulnerability that allows access to potentially sensitive information. This resolution of this requires a simple change to the PHP configuration file. (Tenable, 2015)

Medium Severity – DNS Denial of Service attack.

 

The version of DNS server running on the target is susceptible to a Denial of Service attack which will stop users from being able to find internet and intranet based services. (Microsoft, 2012)

Medium Severity – RC4 cipher in use.

 

The RC4 cipher is flawed and if an attacker obtains many ciphertext he may be able to recover the plaintext information (2013)

Medium Severity – SSL padding vulnerability.

 

A vulnerability in SSL could allow a man in the middle attack (MITM), Web servers should be updated to use versions of TLS later than 1.2. (ImperialViolet, 2014)

 

Medium Severity – TLS padding vulnerability.

 

A vulnerability in TLS could allow a man in the middle attack (MITM), Web servers should be updated to use versions of TLS later than 1.2. (ImperialViolet, 2014)

Medium Severity – Clickjacking vulnerability

 

Clickjacking is a vulnerability that hides what the user is actually clicking on and therefore potentially allows for the input of sensitive information. (Tenable, 2015)

Low Severity – Unsupported version of PHP.

 

The Server is running a File Transfer Protocol(FTP) service.  This server allows unencrypted transmission of login and passwords which could be intercepted. (Tenable, 2015)

 

Conclusion

 

CoreSecurity (2015) recommends that Penetration Testing should be scheduled regularly and especially after new network infrastructure has been added or after significant modifications such as new offices, large security patches or end user policies changed.

It is impossible to keep all information private all of the time, Jobs and their requirements must be advertised. Websites must be developed and Email Services provided.  On top of this vulnerabilities in the systems used are discovered every day (CoreSecurity, 2015)

Passive and Active Penetration testing allows the client to prioritize issues, apply needed security patches and allocate security resources more efficiently. (National Institute of Standards and Technology , 2008)

 

 

Appendix

WhoIs Information

whois

 

 

NSLookup

 

nslookup

 

 

Drop Tables

droptables

 

Search Engines

 

With Site: Directive

 directive

Without Site: Directive

nodirective

HTtrack

httrack

Hidden Files

hidden

 

Security Issues

Security

 

 

Nmap Report

nmap

Nessus Report

 

 

Severity Plugin Id Name
Critical (10.0) 58987 PHP Unsupported Version Detection
Critical (10.0) 72836 MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) (uncredentialed check)
High (7.5) 77285 PHP 5.3.x < 5.3.29 Multiple Vulnerabilities
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.8) 63643 MS13-006: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220) (uncredentialed check)
Medium (5.0) 15901 SSL Certificate Expiry
Medium (5.0) 20007 SSL Version 2 and 3 Protocol Detection
Medium (5.0) 46803 PHP expose_php Information Disclosure
Medium (5.0) 72837 MS12-017: Vulnerability in DNS Server Could Allow Denial of Service (2647170) (uncredentialed check)
Medium (4.3) 65821 SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Medium (4.3) 78479 SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Medium (4.3) 80035 TLS Padding Oracle Information Disclosure Vulnerability (TLS POODLE)
Medium (4.3) 85582 Web Application Potentially Vulnerable to Clickjacking
Low (2.6) 34324 FTP Supports Cleartext Authentication

 

 

References

 

Australian Signals Directorate (2015) Malicious Email Mitigation Strategies Guide. Available at:  HYPERLINK “http://www.asd.gov.au/publications/protect/malicious_email_mitigation.htm” http://www.asd.gov.au/publications/protect/malicious_email_mitigation.htm  (Accessed: 2nd December 2015).

Cisco (2015) Comparing 802.11 Standards. Available at:  HYPERLINK “https://static-course-assets.s3.amazonaws.com/ScaN503/en/index.html” \l “4.1.1.5” https://static-course-assets.s3.amazonaws.com/ScaN503/en/index.html#4.1.1.5  (Accessed: 8th November 2915).

CoreSecurity (2015) Penetration testing Overview. Available at:  HYPERLINK “http://www.coresecurity.com/penetration-testing-overview” http://www.coresecurity.com/penetration-testing-overview  (Accessed: 18th November 2015).

Eisenblatter, A., Geerdes, H.-F. & Siomina, I., (2014) Integrated Access Point Placement. Norrkoping, Sweden: ITN, Linkoping University Available at:  HYPERLINK “http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.66.1568&rep=rep1&type=pdf” http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.66.1568&rep=rep1&type=pdf  (Accessed: 8th November 2015).

Engebretson, P. (2013) The Basics of hacking and penetration testing. 2nd edn.Katsaropoulos, C. (ed.) Waltham, Massachusetts: Elseveier Inc.

Google (2012) Search Operators. Available at:  HYPERLINK “https://support.google.com/websearch/answer/2466433?hl=en” https://support.google.com/websearch/answer/2466433?hl=en  (Accessed: 15th November 2015).

Grodzinsky, M. (2013) Understanding where 802.11ad WiGig fits into the gigabit Wi-Fi picture. Available at:  HYPERLINK “http://www.networkworld.com/article/2172394/tech-primers/understanding-where-802-11ad-wigig-fits-into-the-gigabit-wi-fi-picture.html” http://www.networkworld.com/article/2172394/tech-primers/understanding-where-802-11ad-wigig-fits-into-the-gigabit-wi-fi-picture.html  (Accessed: 8th November 2015).

Harper, A. et al. (2011) Grey Hat hacking. 3rd edn.Baucom, M. (ed.) McGraw Hill.

Holme, D., Ruest, N., Ruest, D. & Kellington, J. (2011) Configuring Windows Server. 2nd edn.Koch, J. (ed.) Redmond, Washington: Microsoft press.

HTtrack (2015) HTTrack Website copier. Available at:  HYPERLINK “https://www.httrack.com/page/1/en/index.html” https://www.httrack.com/page/1/en/index.html  (Accessed: 17th November 2015).

IANA (2015) Service Name and Transport Protocol Port Number Registry. Available at:  HYPERLINK “http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml” http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml  (Accessed: 21st November 2015).

IETF (1987) RFC 1034. Available at:  HYPERLINK “https://www.ietf.org/rfc/rfc1034.txt” https://www.ietf.org/rfc/rfc1034.txt  (Accessed: 17th November 2015).

IETF (1994) Assigned numbers. Available at:  HYPERLINK “https://www.ietf.org/rfc/rfc1700.txt” https://www.ietf.org/rfc/rfc1700.txt  (Accessed: 21st November 2015).

IETF (2004) WHOIS Protocol Specification. Available at:  HYPERLINK “https://tools.ietf.org/html/rfc3912” https://tools.ietf.org/html/rfc3912  (Accessed: 15th November 2015).

ImperialViolet (2014) ImperialViolet. Available at:  HYPERLINK “https://www.imperialviolet.org/2014/12/08/poodleagain.html” https://www.imperialviolet.org/2014/12/08/poodleagain.html  (Accessed: 22nd November 2015).

Kim, P. (2014) The Hacker Playbook. 1st edn. North Charleston, South Carolina: Secure planet LLC.

Mathias, C.J. (2015) The 802.11ad standard is fast, but do we need that much throughput? Available at:  HYPERLINK “http://searchnetworking.techtarget.com/feature/The-80211ad-standard-is-fast-but-do-we-need-that-much-throughput” http://searchnetworking.techtarget.com/feature/The-80211ad-standard-is-fast-but-do-we-need-that-much-throughput  (Accessed: 8th November 2915).

Microsoft (2012) Microsoft Security Bulletin MS12-017 – Important. Available at:  HYPERLINK “https://technet.microsoft.com/library/security/ms12-017” https://technet.microsoft.com/library/security/ms12-017  (Accessed: 22nd November 2015).

Microsoft (2014) Microsoft Security Bulletin MS11-058 – Critical. Available at:  HYPERLINK “https://technet.microsoft.com/library/security/ms11-058” https://technet.microsoft.com/library/security/ms11-058  (Accessed: 22nd November 2015).

Microsoft (2014) Microsoft Security Bulletin MS13-006 – Important. Available at:  HYPERLINK “https://technet.microsoft.com/library/security/ms13-006” https://technet.microsoft.com/library/security/ms13-006  (Accessed: 21st November 2015).

Moeller, B. (2014) This POODLE Bites: Exploiting The. Available at:  HYPERLINK “https://www.openssl.org/~bodo/ssl-poodle.pdf” https://www.openssl.org/~bodo/ssl-poodle.pdf  (Accessed: 22nd November 2015).

National Institute of Standards and Technology, 2008. Technical Guide to information Security testing and Assesment. [Online] Available at:  HYPERLINK “http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf” http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf  [Accessed 2nd December 2015].

Nominet (2015) Nominet. Available at:  HYPERLINK “http://www.nominet.uk/whois/” http://www.nominet.uk/whois/  (Accessed: 15th November 2015).

Northrup, T. & Mackin, J.C. (2011) Configuring Windows Server Infrastructure. 2nd edn.Koch, J. (ed.) Redmond, Washington: microsoft press.

OWASP (2009) SQL Injection Prevention Cheat Sheet. Available at:  HYPERLINK “https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet” https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet  (Accessed: 3rd December 2015).

Paterson, K. (2013) On the Security of RC4 in TLS and WPA. Available at:  HYPERLINK “http://www.isg.rhul.ac.uk/tls/” http://www.isg.rhul.ac.uk/tls/  (Accessed: 22nd November 2015).

PHP Group (2015) PHP. Available at:  HYPERLINK “http://php.net/” http://php.net/  (Accessed: 22nd November 2015).

Speedguide (2014) Port 53 details. Available at:  HYPERLINK “http://www.speedguide.net/port.php?port=53” http://www.speedguide.net/port.php?port=53  (Accessed: 21st November 2015).

Speedguide (2015) Port 53 Details. Available at:  HYPERLINK “http://www.speedguide.net/port.php?port=53” http://www.speedguide.net/port.php?port=53  (Accessed: 21st November 2015).

Tenable (2015) Combining Penetration Testing with Active and Passive Vulnerability Scanning. Available at:  HYPERLINK “https://www.tenable.com/blog/combining-penetration-testing-with-active-and-passive-vulnerability-scanning” https://www.tenable.com/blog/combining-penetration-testing-with-active-and-passive-vulnerability-scanning  (Accessed: 2nd December 2015).

Tenable (2015) FTP Supports Cleartext Authentication. Available at:  HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=34324” http://www.tenable.com/plugins/index.php?view=single&id=34324  (Accessed: 22nd November 2015).

Tenable (2015) PHP 5.3.x< 5.3.29 Multiple Vulnerabilities. Available at:  HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=77285” http://www.tenable.com/plugins/index.php?view=single&id=77285  (Accessed: 21st November 2015).

Tenable (2015) PHP expose_php Information Disclosure. Available at:  HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=46803” http://www.tenable.com/plugins/index.php?view=single&id=46803  (Accessed: 22nd November 2015).

Tenable (2015) SSL Certificate Expiry. Available at:  HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=15901” http://www.tenable.com/plugins/index.php?view=single&id=15901  (Accessed: 21st November 2015).

Tenable (2015) SSL Self-Signed Certificate. Available at:  HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=57582” http://www.tenable.com/plugins/index.php?view=single&id=57582  (Accessed: 21st November 2015).

Tenable (2015) Web Application Potentially Vulnerable to Clickjacking. Available at:  HYPERLINK “http://www.tenable.com/plugins/index.php?view=single&id=85582” http://www.tenable.com/plugins/index.php?view=single&id=85582  (Accessed: 22nd November 2015).

Weidman, G. (2014) Penetration testing.Law, A. (ed.) San Francisco: William Pollock.

 

 

Comments are closed.