Security Audit

Mohamed Yassine TRABELSI & Omar MARZOUK

Dedication

I dedicate this work to my beloved mother


To all my family
And every dear one
God bless you.

Thanks

My thanks are addressed to the members of the jury who kindly agreed to evaluate this work.
I also wish to express my sincere gratitude to Ms. Imen SFAXI, my supervisor, for her
wisdom, guidance and especially her contribution to the success of this project, without whom
this work would not have been presented.
Finally, I express my humble gratitude to everyone who contributed to my education,
especially the teachers of the National School of Electronic and Telecommunication of Sfax.

Page 1


Summary
Foreword .......... 8
Workbook I Functional specification .......... 9
I. Introduction .......... 10
II. Administrative specification clauses .......... 10
II.1. Clause 1: Consultations aim .......... 10
II.2. Clause 2: Definitions and interpretations .......... 10
II.3. Clause 3: Participation conditions .......... 10
II.4. Clause 4: Duration of the mission to be accomplished .......... 11
II.5. Clause 5: Reports .......... 11
II.6. Clause 6: Professional secret .......... 11
III. Technical specification clauses .......... 12
III.1. Clause 1: Consultations aim .......... 12
III.2. Clause 2: Conduct and execution of the Audit mission .......... 12
III.2.1 Pre-audit .......... 12
III.2.2 Launching audit .......... 13
III.2.3 Preparation of the Audit mission .......... 13
III.2.4 Conduct of audit activities .......... 14
III.2.4.1 Organizational and physical audit .......... 14
III.2.4.2 Technical audit .......... 14
III.2.4.3 Analysis and Risk assessment .......... 15
III.2.5 Audit report .......... 15
IV. Information collect .......... 16
IV.1. Technical description of the structures to audit .......... 16
IV.2. Volumetric description of the structures to audit .......... 17
IV.3. Confidentiality contract .......... 19
IV.4. Inventory .......... 20
V. Conclusion .......... 21
Workbook II Generality for audit of computer security .......... 22
I. Introduction .......... 23
II. Audit of computer security .......... 23
II.1. Why secure a network? .......... 23
II.2. Important principles of safety .......... 23
II.3. Approach to conducting a security audit mission .......... 24
II.3.1 Security audit approaches .......... 24
II.3.2 Audit missions stages .......... 24
III. ISO/IEC 27000 series study .......... 25
III.1. Origins .......... 25
III.2. Definitions .......... 25
III.2.1. The ISO/IEC 27000 series .......... 25
III.2.2. ISO/IEC 27001 standard .......... 26
III.2.3. ISO/IEC 27002 standard .......... 26
III.2.4. ISO/IEC 27003 standard .......... 26
III.2.5. ISO/IEC 27004 standard .......... 27
III.2.6. ISO/IEC 27005 standard .......... 27
III.3. The chosen standard .......... 27
IV. Audit tools .......... 27
IV.1. What is Information security? .......... 27
IV.2. How to achieve the information security? .......... 28
IV.3. Audit tools .......... 28
IV.3.1. Nmap .......... 28
IV.3.2. NESSUS .......... 28
IV.3.3. SATAN .......... 28
IV.3.4. Wireshark .......... 28
IV.3.5. Nikto .......... 29
IV.4. Security Tools .......... 29
IV.4.1. Firewall .......... 29
IV.4.2. IDS (Intrusion Detection System) .......... 29
IV.4.3. IPS (Intrusion Prevention System) .......... 30
V. Conclusion .......... 30
Workbook III Mehari methodology .......... 31
I. Foreword .......... 32
II. Methodology process .......... 32
III. Stakes analysis and assets classification .......... 33
III.1. Basics .......... 33
III.2. Comments .......... 34
IV. Diagnostic of security services .......... 35
IV.1 Questionnaires .......... 35
IV.2. Services .......... 36
IV.3. Themes .......... 37
IV.4. ISO 27002 .......... 37
V. Risk assessment .......... 38
V.1. Expo .......... 38
V.2. Scenarios .......... 38
V.3. Risk% asset .......... 39
V.4. Risk% event .......... 39
VI. Preparation of an action plan .......... 40
VI.1. Basics .......... 40
VI.2. Comment .......... 40
VII. Methods permanent elements and parameters .......... 41
VII.1. Seriousness .......... 41
VII.2. IP-Grids .......... 41
VIII. Conclusion .......... 41
Workbook IV Vulnerability report site 1 .......... 42
I. INTRODUCTION .......... 43
II. Discovered Hosts .......... 43
III. Discovered Web Sites .......... 44
IV. Detailed Findings .......... 44
V. RISK SCORE .......... 48
VI. Discovered and Potential Vulnerabilities .......... 49
VI.1. Critical Vulnerabilities .......... 49
VI.1.1 Apache HTTPD: mod-isapi module unload flaw (apache-httpd-cve-2010-0425) .......... 49
VI.1.2. MS09-001: Remote Code Execution (958687) .......... 50
VI.1.3. MS10-012: Remote Code Execution (971468) .......... 50
VI.1.4. MS10-054: Remote Code Execution (982214) .......... 51
VI.1.5. MS11-020: Remote Code Execution (2508429) .......... 52
VI.1.6. CIFS NULL Session Permitted (cifs-nt-0001) .......... 53
VI.1.7. Invalid CIFS Logins Permitted (cifs-invalid-logins-permitted) .......... 55
VI.1.8. MS12-020: Remote Code Execution (2671387) .......... 56
VI.1.9. Http-openssl-cve-2009-3245 .......... 57
VI.2. Severe Vulnerabilities .......... 57
VI.2.1. Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883) .......... 57
VI.2.2. X.509 Certificate Subject CN Does Not Match the Entity Name .......... 58
VI.2.3. FTP server does not support AUTH command (ftp-generic-0007) .......... 59
VI.2.4. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers) .......... 60
VI.2.5. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled) .......... 61
VI.2.6. SMB signing disabled (cifs-smb-signing-disabled) .......... 62
VI.2.7. Apache HTTPD: error responses can expose cookies (CVE-2012-0053) .......... 63
VI.3. Moderate Vulnerabilities .......... 64
VI.3.1 Unencrypted Telnet Service Available (telnet-open-port) .......... 64
VI.3.2. ICMP timestamp response (generic-icmp-timestamp) .......... 65
VII. Exploits .......... 67
VIII. Conclusion .......... 67
Workbook V Vulnerability report site 2 .......... 68
I. INTRODUCTION .......... 69
II. Discovered Operating Systems .......... 69
III. Discovered Hosts .......... 70
IV. Detailed Findings .......... 71
V. RISK SCORE .......... 74
VI. Discovered and Potential Vulnerabilities .......... 75
VI.1. Critical Vulnerabilities .......... 75
VI.1.1. PHP Vulnerability: CVE-2011-3268 (php-cve-2011-3268) .......... 75
VI.1.2. PHP Vulnerability: CVE-2012-2376 (php-cve-2012-2376) .......... 75
VI.1.3. PHP Vulnerability: CVE-2012-2688 (php-cve-2012-2688) .......... 76
VI.1.4. MS08-067: Allow Remote Code Execution (958644) .......... 77
VI.1.6. MS09-050: Remote Code Execution (975517) .......... 79
VI.1.7. MS10-012: Remote Code Execution (971468) .......... 79
VI.1.8. MS10-054: Remote Code Execution (982214) .......... 81
VI.1.9. MS11-020: Remote Code Execution (2508429) .......... 82
VI.1.10. MS12-020: Remote Code Execution (2671387) .......... 83
VI.1.11. Invalid CIFS Logins Permitted (cifs-invalid-logins-permitted) .......... 84
VI.1.12. CIFS NULL Session Permitted (cifs-nt-0001) .......... 85
VI.2. Severe Vulnerabilities .......... 87
VI.2.1. SMB signing disabled & SMB signing not required .......... 87
VI.12.2. HTTP TRACE Method Enabled (http-trace-method-enabled) .......... 89
VI.2.3. Apache HTTPD: error responses can expose cookies (CVE-2012-0053) .......... 90
VI.3. Moderate Vulnerabilities .......... 91
VI.3.1. ICMP timestamp response .......... 91
VII. Exploits .......... 93
VIII. Conclusion .......... 93
Workbook VI Solutions implementation .......... 94
I. Introduction .......... 95
II. Solutions implementation .......... 95
II.1. Security policy .......... 95
II.2. Fixing the vulnerabilities .......... 97
III. General security issues .......... 100
IV. General solutions .......... 109
V. Conclusion .......... 111
Closure .......... 112
VI. Bibliography .......... 113


Figures List
Figure I.1. Site 1 architecture .......... 16
Figure I.2. Site 2 architecture .......... 16
Figure II.3. C-I-A triad .......... 26
Figure III.4. Classification of data .......... 33
Figure III.5. Classification of services .......... 34
Figure III.6. Classification of the compliances .......... 34
Figure III.7. 01 org .......... 35
Figure III.8. 14 ISM .......... 36
Figure III.9. Services .......... 36
Figure III.10. Themes .......... 37
Figure III.11. ISO 27002 .......... 37
Figure III.12. Expo .......... 38
Figure III.13. Scenarios .......... 38
Figure III.14. Risk%asset .......... 39
Figure III.15. Risk%event .......... 39
Figure III.16. Action plan .......... 40
Figure III.17. Seriousness .......... 41
Figure III.18. IP-Grids .......... 41
Figure IV.19. Multiple service instance frequency .......... 44
Figure IV.20. Vulnerabilities by severity .......... 45
Figure IV.21. Common vulnerabilities .......... 46
Figure IV.22. Highest risk vulnerabilities .......... 46
Figure IV.23. Operating Systems .......... 47
Figure IV.24. Common services .......... 47
Figure IV.25. Exploiting vulnerabilities .......... 67
Figure V.26. Operating Systems .......... 69
Figure V.27. Vulnerabilities diagram .......... 70
Figure V.28. Service Frequency .......... 71
Figure V.29. Vulnerabilities severity .......... 72
Figure V.30. Common vulnerabilities .......... 73
Figure V.31. Risk vulnerabilities .......... 73
Figure V.32. Common services .......... 74
Figure V.33. Exploiting vulnerabilities .......... 93
Figure VI.34. MS10-054 patch installation steps .......... 97
Figure VI.35. Vulnerability scan .......... 97
Figure VI.36. Firewall activation .......... 98
Figure VI.37. ICMP timestamp request disable .......... 98
Figure VI.38. ICMP timestamp stream disable .......... 99
Figure VI.39. Solution check .......... 99
Figure VI.40. FTP connection .......... 100
Figure VI.41. FTP sniff .......... 101
Figure VI.42. TCP three-way handshake .......... 103
Figure VI.43. Telnet vulnerability .......... 106
Figure VI.44. Secure Shell encryption .......... 107
Figure VI.45. Snort rules .......... 109
Figure VI.46. Fixing address network .......... 110
Figure VI.47. Snort rules path .......... 110
Figure VI.48. Iptables rules .......... 111
Figure VI.49. Snort log file .......... 111


Tables List
Table I.1. Definitions .......... 10
Table 2. Basic knowledge .......... 17
Table I.3. Site 1 servers .......... 20
Table I.4. Site 1 workstations .......... 20
Table I.5. Site 1 network infrastructure .......... 20
Table I.6. Site 2 servers .......... 21
Table I.7. Site 2 workstations .......... 21
Table I.8. Site 2 network infrastructure .......... 21
Table II.9. Safety principles .......... 23
Table IV.10. Hosts .......... 43
Table IV.11. Web sites .......... 44
Table IV.12. Risk score .......... 48
Table IV.13. CVE-2010-0425 .......... 49
Table IV.14. MS09-001 .......... 50
Table IV.15. MS10-012 .......... 51
Table IV.16. MS10-054 .......... 51
Table IV.17.MS11-020 .......................................................................................................................................... 52
Table IV.18.Cifs-nt-0001 ...................................................................................................................................... 53
Table IV.19.Cifs-invalid-logins-permitted ............................................................................................................ 55
Table IV.20.MS12-020 .......................................................................................................................................... 56
Table IV.21.CVE-2009-3245 ................................................................................................................................ 57
Table IV.22.CVE-2012-0883 ................................................................................................................................ 58
Table IV.23.CN-name-mismatch........................................................................................................................... 58
Table IV.24.FTP-generic-0007 ............................................................................................................................. 59
Table IV.25.ssl-weak-ciphers................................................................................................................................ 60
Table IV.26.sslv2-and-up-enabled ........................................................................................................................ 61
Table IV.27.Cifs-smb-signing-disabled ................................................................................................................ 62
Table IV.28.CVE-2012-0053 ................................................................................................................................ 63
Table IV.29.Telnet-open-port ............................................................................................................................... 64
Table IV.30.Generic-icmp-timestamp ................................................................................................................... 65
Table V.31.Operating systems .............................................................................................................................. 69
Table V.32.Hosts................................................................................................................................................... 70
Table V.33.Services .............................................................................................................................................. 71
Table V.34.Risk score ........................................................................................................................................... 74
Table V.35.CVE-2011-3268.................................................................................................................................. 75
Table V.36.CVE-2012-2376.................................................................................................................................. 76
Table V.37.CVE-2012-2688.................................................................................................................................. 76
Table V.38.MS08-067 ........................................................................................................................................... 77
Table V.39.MS09-001 ........................................................................................................................................... 78
Table V.40.MS09-050 ........................................................................................................................................... 79
Table V.41.MS10-012 ........................................................................................................................................... 80
Table V.42.MS10-054 ........................................................................................................................................... 81
Table V.43.MS11-020........................................................................................................................................... 82
Table V.44.MS12-020 ........................................................................................................................................... 84
Table V.45.Cifs-invalid-logins-permitted ............................................................................................................. 85
Table V.46.Cifs-nt-0001........................................................................................................................................ 86
Table V.47.Cifs-smb-signing-disabled/not-required............................................................................................. 87
Table V.48.http-trace-method-enabled ................................................................................................................. 89
Table V.49.CVE-2012-0053.................................................................................................................................. 90
Table V.50.Generic-icmp-timestamp .................................................................................................................... 91
Table VI.51.CVE-2008-2161 .............................................................................................................................. 108

Foreword
Nowadays, the computer network has become a necessity for everyone, especially for organizations.
However, with the emergence of advanced technologies, this computer network has become vulnerable to internal and external risks, namely attacks.
In fact, an unsecured network is an open door for intruders, viruses and malicious code in general. These attacks can have hazardous effects on the information system.
Thus, security measures need to be taken to protect the network from any residual danger.
However, even secured networks are sometimes exposed to those risks through the exploitation of the network's loopholes. These are flaws in the system that can give an outsider, or even a legitimate user, the opportunity to do unwanted things.
So, in order to ensure network security, network security specialists dedicate themselves to making this security possible and to making it hard for hackers or intruders to gain unauthorized access to the network.
This network security consists in conducting an internal audit for a specific organization that wishes to secure its information system, and this is what the authors have tried to explain throughout this humble report.

Workbook I
Functional specification

I. Introduction
This functional specification presents the administrative and technical clauses for the SYMPHONY enterprise, which wishes to launch its internal audit for the first time, along with an inventory of the organization's assets and the architecture of its sites.
SYMPHONY is a communication and marketing agency of the LA GAZETTE group. It is specialized in creating visual corporate identities and in creating and managing press campaigns. In addition, the agency is involved in producing and editing guides and regional and sectoral economic directories.
II. Administrative specification clauses
II.1. Clause 1: Consultation's aim
The SYMPHONY enterprise intends to launch a consultation to fulfill an audit mission on the security of its information system, as mentioned in Decree No. 2004-1250 of May 25th, 2004, and in the provisions of the clauses of this functional specification.

II.2. Clause 2: Definitions and interpretations

The following table explains the key words of an audit mission.

Table I.1. Definitions

Client             | SYMPHONY and the persons called to supervise this mission.
Holder             | The intern(s) who will be assigned to accomplish the Audit mission.
Mission            | Any audit action, test, verification including report writing, displacement, data collection, tests analysis, and any other action taken by the holder on behalf of the Client as part of the performance of the mission.
Security Audit     | Intervention of specialists, using techniques and analytical methods to assess the information system's security and the potential risks.
Information System | All entities and resources (structures, staff, software tools, processing equipment, network equipment, security equipment, buildings...) in relation to the functions of information treatment.

II.3. Clause 3: Participation conditions


This consultation is addressed to the interns who are specialized in Administration Security of
Network Systems and who have been assigned to do their training within the SYMPHONY
enterprise.

II.4. Clause 4: Duration of the mission to be accomplished

The audit mission must be accomplished within one hundred and eleven (111) working days.
The accomplishment period does not take into account any additional time assigned for the correction (validation) of the various deliverables required in this specification.
II.5. Clause 5: Reports
The holder of the Audit mission is required to provide a report after the fulfillment of each task.
II.6. Clause 6: Professional secrecy
During the fulfillment of his Audit mission, the holder must not disclose any relevant information or results of the Audit mission he had access to, whether in written, oral or electronic form.
The client prohibits the holder from delivering, by any means of communication, any confidential information relating to the information system, especially information that can:
- give any indication about the network's architecture, hardware or software configuration, platforms, servers and any component of the information and communication system.
- give any indication about the security policy, on-going or future programs, budget or any other information related to the private affairs of the audited organization.
- give any indication about the access control mechanisms, the protection of the information system and the measures of physical or logical security.
- give any indication about any organizational or technical loophole detected.
In addition, the holder is bound by the Confidentiality Honor Declaration (confidentiality contract) to keep discreet about everything that concerns the facts, information, studies and decisions taken during the execution of his mission.
He is not allowed to make any written, electronic or verbal disclosure about his mission or to deliver documents to any third party.

During and after his mission, the holder agrees not to disclose, or to file in unsecured places, any document, regardless of its form (paper, CD, electronic or other), that contains information about the audited structure. At the end of his mission he will have to destroy the documents used or to store them in a highly secured form.
The client has the right to verify the security level of the storage location of the documents relevant to the mission at any time, even after the accomplishment of the mission.
III. Technical specification clauses
III.1. Clause 1: Consultation's aim
The mission of this consultation concerns the security audit of the information system in the structures described in appendix A.
The purpose of this Audit mission must comply at least with the provisions set out in Decree No. 2004-1250 of May 25th, 2004.
This audit should take the ISO/IEC 27002 standard as its basic reference and follow a methodological approach as close as possible to that standard.
The Audit mission should also cover the organizational, physical and technical aspects relating to the information system included in the scope of this audit.

III.2. Clause 2: Conduct and execution of the Audit mission

This mission will be divided into five (5) stages. The stages numbered II to V are listed according to the advice on planning and implementing audit activities given in the ISO 19011 standard.
III.2.1 Pre-audit
This stage is to assist the client in identifying the functional specifications of his information system against the security objectives (Confidentiality, Integrity and Availability).
The client's identification will allow the auditor to provide the minimum security requirements for the information system and to choose the appropriate security controls to apply.

The selection process of these controls must involve the management and the operational personnel within the organization.
III.2.2 Launching audit
At the launch of the audit, the holder must seek any detail, information and document necessary for his mission about the structures to be audited.
A preparatory meeting will be organized at the beginning of the Audit mission in order to finalize the details of implementing the Audit mission, based on the client's specifications and the documents prepared by the holder.
III.2.3 Preparation of the Audit mission

Documents review
This stage is to determine the conformity of the existing documents with the ISO/IEC 27002 standard, to determine the list of the missing documents required by this standard and to examine the problems that may occur when updating the documentation.

The auditor must check specifically whether the information provided in the documents is:
- complete (all the expected content in the documents is provided).
- correct (the content is consistent with other reliable sources such as standards and regulations).
- coherent (the document is consistent in itself and in relation to the associated documents).
- topical (the content is up to date).

The documents under review cover the scope of the audit and provide sufficient information to support the objectives of the audit.

III.2.4 Conduct of audit activities

This is the audit stage itself. It can begin only after the documents review is done.
At this stage, the auditor should verify at the same time the compliance of operational procedures with those mentioned in the documents provided.
This phase will mainly cover three (03) sections:
- an organizational and physical audit section,
- a technical audit section,
- an analysis and risk assessment section.
III.2.4.1 Organizational and physical audit
The security level assessment is performed by interviewing the personnel and by analysing critical resources.
This section assesses the security management of the organizational aspects of the audited structures.
During this phase, the holder must follow a methodological approach based on the interviews performed beforehand and adapted to the situation of the audited structures.
This approach will lead to a pragmatic assessment of loopholes and evaluation of risks. It will also lead to the right recommended actions for the implementation of organizational measures and to the appropriate security policy.
This audit must take as reference all the chapters of the latest version of the ISO/IEC 27002 standard.
III.2.4.2 Technical audit
The technical audit methodology, including the type of tests to be performed in each of the following stages of the technical audit:
- System architecture audit.
- Configuration audit of each type of component in the scope of the audit presented in the information collection (volumetric description of the structures to audit).
- Intrusive audit.
- Tools used in performing the tests in each stage of the technical audit.

III.2.4.3 Analysis and Risk assessment

Methodology for analysis and risk assessment, clarifying:
- the criteria for selecting the scope of the analysis and risk assessment.
- the adequacy of this methodology with the internationally known standards and methodologies in this domain.
- the tools used to perform the analysis and risk assessment.

III.2.5 Audit report

At the end of the Audit mission the holder is required to give the client a report in which he highlights the loopholes, classified according to their severity and their impact, together with an assessment of their risks and, as a conclusion, some recommendations.

The recommendations must include at least:
- detailed urgent organizational and technical measures, to be implemented immediately to treat the most serious breakdowns.
- suggestions to update or develop a new security policy.
- a proposal for an audit plan extending over three (3) years.

IV. Information collection

IV.1. Technical description of the structures to audit

Site 1
- One main server and a software server, both with limited access control: only those who have a login/password can access the servers mentioned above.
- A NAS (Network Attached Storage): only the users who have a login/password can access it.

Figure I.1. Site 1 architecture

Site 2
- One main server with limited access control: only those who have a login/password can access it.

Figure I.2. Site 2 architecture

IV.2. Volumetric description of the structures to audit


Table 2.Basic knowledge
Information system
volume

Included in the Audit


perimeter

2 sites

Yes

__

No

No

13

Yes

Win xp, Win 7,Win


2003

Yes

- Average number of PCs using Windows

22

Yes

- Average number of PC using Mac OS

Yes

none

__

no

__

Yes

Win serv 2003/2008


enterprise edition

Yes

41 accounts

Yes

Yes

41 accounts

Yes

- Number of interconnected sites

none

__

- Internal/External subnet number

none

__

- External connection

Internet

Yes

Sites to visit
Number of persons in charge to be
interviewed
Other physical /organizational infrastructure
to audit
PC
Total number of PCs

Type of OS :

- Average number of PC using Linux


Other OS.
Servers
Total number of servers
- Type of OS

- Users number supported


Programs
Programs number (security audit object)
- Users number
Network

routers number and connection type


supported

2 ADSL modem

Yes

Switches number

Yes

Administration network tools

__

__

Others:

No

__

Firewalls

Yes

Firewalling system number, their types


and DMZs number supported

__

__

__

__

anti-virus servers number and license


number

__

__

Anti-viral gateways number and its usage (email/FTP)

__

__

Security tools

Activated VPN connection


anti-virus servers

Authentication tools
Authentication internal network server
number and of its supported users

Login/password
41 accounts

Yes

__

__

NIDS number (Network IDS)

__

__

HIDS number(Host IDS)

__

__

Firewalls PC number or Distributed

deactivated

__

Automatic storage tools and its types

__

__

Security integrated tools and its types

__

__

Network authentication server for distant


access and users average number supported
Detection intrusion tools

The table above represents a volumetric description of the organization's structures and helps the auditor to estimate the status of the enterprise.

IV.3. Confidentiality contract

Confidentiality Honor Declaration

I, Mr. Mohamed Yassine TRABELSI, intern at the SYMPHONY enterprise and assigned by Mr. Anis BAKLOUTI, the Director of the company mentioned above, promise to keep total secrecy about any information relevant to the Audit mission that I will have access to during and after the accomplishment of my mission.
Director's signature

Intern's signature

Confidentiality Honor Declaration

I, Mr. Omar MARZOUK, intern at the SYMPHONY enterprise and assigned by Mr. Anis BAKLOUTI, the Director of the company mentioned above, promise to keep total secrecy about any information relevant to the Audit mission that I will have access to during and after the accomplishment of my mission.
Director's signature

Intern's signature

IV.4. Inventory
Site 1: the following three tables contain some general information collected by the holder of the audit mission.
Table I.3. Site 1 Servers

Name               | Exploitation system                            | Functionality      | Included in the Audit perimeter
Main-server        | Win server 2003 enterprise edition SP2 32 bits | Domain controller  | yes
Application-server | Win server 2008 standard SP1 64 bits           | Application server | yes
Storage            | Linux                                          | Storage            | yes

The first table represents general information about the servers.


Table I.4.Site 1 Work stations

Work stations
Ip address
Management
192.168.59.14
192.168.59.249
192.168.59.130
Development
192.168.59.231
192.168.59.233
Accountancy
192.168.59.101
192.168.59.22
192.168.59.105

Exploitation system

Included in the Audit


perimeter

Win xp 2002 SP2 32 bits


Mac
Info-graphic
Win xp 2002 pro SP2 32 bits

yes
yes

Win xp 2002 pro SP3 32 bits


Win xp 2002 pro SP2 32 bits

yes
yes

Win xp 2002 pro SP2 32 bits


Win 7 professional 32 bits
Win server 2003 enterprise
edition SP2 32 bits

yes
yes
yes

yes

The second table illustrates general information about the different workstations.
Table I.5. Site 1 network infrastructure

Nature       | Brand             | Number | Included in the Audit perimeter
Modem        | Speed touch 510   | 1      | No
Switch       | D-link (DES-1024) | 2      | No
Switch board | LG-Nortel         | 1      | No

The third table illustrates basic knowledge of the network infrastructure.

Site 2: these tables present much the same information as the previous ones, except that they describe the assets of site 2.
Table I.6. Site 2 servers

Name        | Exploitation system                            | Functionality     | Included in the Audit perimeter
Main-server | Win server 2008 enterprise edition SP1 32 bits | Domain controller | yes

The first table represents general information about the servers.


Table I.7. Site 2 workstations

Ip address   | Exploitation system     | Included in the Audit perimeter
192.168.1.51 | Win xp 2002 SP2 32 bits | yes
192.168.1.52 | Win xp 2002 SP2 32 bits | yes
192.168.1.31 | Win xp 2002 SP2 32 bits | yes
192.168.1.32 | Win xp 2002 SP2 32 bits | yes
192.168.1.21 | Win 7 pro SP1 64 bits   | yes

The second table illustrates general information about the different workstations.
Table I.8. Site 2 network infrastructure

Nature       | Brand     | Number | Included in the Audit perimeter
Modem        | Topnet    | 1      | No
Switch       | LB-link   | 1      | No
Switch board | LG-Nortel | 1      | No

The third table illustrates basic knowledge of the network infrastructure.

V. Conclusion
During the audit mission, this functional specification will provide full guidance for the auditor on how to run his audit mission so as to ensure the satisfaction of the client's functional needs.

Workbook II
Generality for audit of
computer security

I. Introduction
Every organization with a computer network needs to guarantee the confidentiality, integrity and availability of its assets. To reach this aim, there are different approaches to be followed and different standards and tools to work with.

II. Audit of computer security

II.1. Why secure a network?

An unsecured network is exposed to many risks and is vulnerable to external intruders, or even internal ones, not to mention the malicious code that lies all over the World Wide Web.
Therefore the network needs to be secured and protected from these risks.

II.2. Important principles of safety

Table II.9. Safety principles

Principles               | Definitions
Depth defense            | Offers several levels of protection against threats at several points in the network.
Least privilege          | Grants users or resources the least privileges or permissions required to perform a task.
Minimized attack surface | Reduces the network's vulnerable points.

The table above illustrates the different principles of safety along with their definitions.

II.3. Approach to conducting a security audit mission

II.3.1 Security audit approaches

The white box approach:
It is a much more homogeneous audit: the evaluation includes a complete analysis of characteristics, and the organizational and technical aspects are treated uniformly.

The black box approach:
It is an audit with a more fragmented view, revealing targeted loopholes with a strong technical orientation.
Penetration tests or intrusive tests are part of this audit category.

II.3.2 Audit mission's stages

The audit mission will be divided into two different levels:
- Audit level 1: organizational and physical audit, risk analysis.
  Its main objectives are to obtain a global view of the information system's security status and to identify the potential risks.
- Audit level 2: technical audit.
  It concerns the components of the information system: validation of security architectures, internal or external vulnerability tests, code validation.

III. ISO/IEC 27000 series study

III.1. Origins
BS 7799 was a standard originally published by the BSI Group in 1995. It was written by the UK Government's DTI and consisted of several parts.
- BS 7799-1 was revised in 1998 and adopted by ISO (International Organization for Standardization) as ISO/IEC 17799.
  ISO/IEC 17799 was then revised in June 2005 and was eventually incorporated into the ISO/IEC 27000 series of standards as ISO/IEC 27002 in July 2007.
- BS 7799-2, known as BS 7799 part 2, focused on how to implement an Information Security Management System (ISMS) and later became ISO/IEC 27001 in November 2005.
  The 2002 version of BS 7799-2 introduced the PDCA (Plan, Do, Check, Act) model.
- BS 7799-3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.

III.2. Definitions
III.2.1. The ISO/IEC 27000 series [1]
The ISO/IEC 27000 series is also known as the ISMS family of standards.
The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS).
It can be applied to organizations of all shapes and types.

III.2.2. ISO/IEC 27001 standard [2]

ISO/IEC 27001 is part of the growing ISO/IEC 27000 family of standards; it is an ISMS standard published in October 2005.
Its full name is ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements.
It formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements.

III.2.3. ISO/IEC 27002 standard [3]

ISO/IEC 27002 is an information security standard entitled Information technology - Security techniques - Code of practice for information security management.
ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining an ISMS. Information security is defined within the standard in the context of the C-I-A triad, as illustrated in the following figure.

Figure II.3. C-I-A triad

III.2.4. ISO/IEC 27003 standard [4]
ISO/IEC 27003 is an information security standard. Its title is Information Technology - Security techniques - Information security management system implementation guidance.
This standard provides help and guidance in implementing an ISMS.

III.2.5. ISO/IEC 27004 standard [5]

ISO/IEC 27004 is an information security standard.
Its full name is Information technology - Security techniques - Information security management - Measurement.
The purpose of this standard is to help organizations measure, report and hence systematically improve the effectiveness of their ISMS.
III.2.6. ISO/IEC 27005 standard [6]
ISO/IEC 27005 is an information security standard. Its full title is ISO/IEC 27005, Information technology - Security techniques - Information security risk management.
It provides guidelines for information security risk management.
III.3. The chosen standard
ISO/IEC 27001 is the standard chosen for our Audit mission because the SYMPHONY enterprise is going to run its internal audit for the first time; so, in order to build the foundations of information security in the above-mentioned organization, we should use this specific standard.

IV. Audit tools

IV.1. What is information security?
Information security is the protection of information from a wide range of threats in order to ensure business continuity.
Information can exist in many forms. It can be written or printed, stored electronically, transmitted by post or even spoken. Whatever form the information takes, and whatever means it is shared or stored by, it should always be appropriately protected.
Information security consists in preserving the C-I-A triad:
- Confidentiality: ensuring that information can only be accessed by those with proper authorization.
- Integrity: the property of safeguarding the accuracy and completeness of assets.
- Availability: ensuring that authorized users have access to information and associated assets whenever required.

IV.2. How to achieve information security?

Information security can only be achieved through two simple stages.
The first one is the Diagnosis stage, where the auditor runs some tests on the structures to audit.
The second stage is the Treatment stage, where the auditor suggests or gives solutions in order to secure the information system of the organization where the Audit mission takes place.
These two stages are dependent; in other words, a doctor can only treat an illness after diagnosing its symptoms.
In our case it is the same for the auditor: to diagnose, he will need a kit of tools, specifically audit tools.

IV.3. Audit tools

IV.3.1. Nmap
Nmap (Network Mapper) is a network security scanner used for:
- auditing the security of a device by identifying the network connections
  that can be made to it;
- identifying open ports on a target host in preparation for the audit.

IV.3.2. Nessus
Nessus is a vulnerability scanner built on a client/server architecture. It allows
the user to detect network vulnerabilities, configuration errors and backdoors on the
scanned hosts.

IV.3.3. SATAN
SATAN (Security Administrator Tool for Analyzing Networks) is a testing and
reporting toolbox that collects a variety of information about networked hosts.
SATAN is written mostly in Perl and uses a web browser such as Netscape, Mosaic or
Lynx to provide the user interface.

IV.3.4. Wireshark
Wireshark is one of the most widely used network protocol analyzers (sniffers).
It allows the user to put network interface controllers that support promiscuous
mode into that mode, in order to see all traffic visible on that interface, not just
traffic addressed to one of the interface's configured addresses and
broadcast/multicast traffic.

IV.3.5. Nikto
Nikto is an open source (GPL) web server scanner which performs comprehensive tests
against web servers for multiple items.
It is not designed as a stealthy tool: it tests a web server in the quickest time
possible and is fairly obvious in log files. It does, however, include IDS evasion
options that can be enabled to test how an IDS reacts.

IV.4. Security Tools


IV.4.1. Firewall

i. Firewall Builder
Instead of having to type firewall commands, Firewall Builder allows you to create
firewall rules from user-defined objects (hosts, networks, services) and compiles
them into the configuration syntax of the target firewall.
Firewall Builder makes it easy to configure your firewalls; it is simple, flexible
and time saving.
IV.4.2. IDS (Intrusion Detection System)

i. Snort
Snort's open source network-based intrusion detection system (NIDS) has
the ability to perform real-time traffic analysis and packet logging on
Internet Protocol (IP) networks. Snort performs protocol analysis, content
searching, and content matching.


ii. Prelude
Prelude is an agentless, universal, hybrid security information and event
management (SIEM) system.
Prelude comes with a large set of sensors, each of them monitoring a different kind
of event. Prelude permits alert collection at WAN scale, whether its scope covers a
city, a country, a continent or the world.

IV.4.3. IPS (Intrusion Prevention System)

i. Snort
Snort is not only an IDS but also an IPS when deployed inline. Combining the benefits
of signature, protocol and anomaly-based inspection, Snort is one of the most widely
deployed IDS/IPS technologies worldwide.

V. Conclusion
The security audit of an information system is necessary for any organization with
a computer network.
Thus, to ensure the efficiency of this security, a standard must be chosen wisely, and
a set of tools as well, based on the organization's status and its security needs.


Workbook III
Mehari methodology


I. Foreword
Mehari 2010 is intended to assist the risk audit team in the information risk
assessment and management processes, which require thorough accompanying work, mainly
for the business stakes analysis and the assessment of threat likelihood for the
organization. The risk treatment phase is also an opportunity to propose options and
additional controls or security measures to the stakeholders, in the same terms they
used when expressing their demands during the stakes analysis.
Risk analysis is expected to be a permanent activity, possibly included in an ISMS
process, rather than a one-shot exercise.
II. Methodology process
The worksheets contained in this workbook, distributed by CLUSIF, are organized in
the following order:

Worksheets relative to the stakes analysis and assets classification:
- T1, T2 and T3: security requirements of business and transverse processes.
- Classif: recap of the three above worksheets, for data, services and
  management processes.

Worksheets relative to the diagnostic of security services:
- 01 org to 14 ISM: parts of the original diagnostic questionnaire worksheets.
- Services: a summary of the results from the above questionnaires.
- Themes: recap ordered by security theme.
- ISO 27002: results of the diagnostic distributed according to ISO/IEC
  27001/27002.

Worksheets relative to risk assessment:
- Expo: evaluation of the natural exposure to the list of threats.
- Scenarios: description of the risk scenarios.
- Risk%asset and Risk%event: recap of the seriousness of the scenarios.

Worksheet relative to the preparation of an action plan:
- Action plan: recap of the scenarios by family and of possible action plans.

Worksheets containing permanent elements and parameters of the method:
- Seriousness: valuation of the seriousness based on impact and potentiality.
- IP-Grids: impact and potentiality tables depending on the security measures.

III. Stakes analysis and assets classification

III.1. Basics [7]
T1, T2 and T3 are used to report the results of the stakes analysis and asset
classification phase, for each asset type and security criterion.
This is the third phase of the stakes analysis, which consists in determining the
malfunction value scale.
Mehari identifies 4 levels of seriousness, noted from 1 to 4. Their general
definitions are described below:
- 4, vital: at this level the potential risk is very serious, and even the existence
  and survival of the entity, or at least of one of its main activities, is in danger.
- 3, very serious: these malfunctions are considered very serious at the level of
  the entity, although its future would not be at risk.
- 2, serious: malfunctions at this level would have a clear impact on the entity's
  operations, results or image, but are globally manageable.
- 1, insignificant: at this level any resulting damage would have no significant
  impact on the results or image of the entity.

The following figure illustrates the classification of data, in each business process.

Figure III.4. Classification of data


The following figure illustrates the classification of services, in each business process.

Figure III.5. Classification of services

This figure illustrates the classification of compliance to laws, in each business process.

Figure III.6. Classification of compliances

III.2. Comments
T1, T2 and T3 each represent a specific type of classification in the context of the
C-I-A triad, plus E in the case of T3, as shown in the figures above.
C stands for confidentiality, I for integrity, A for availability and E for efficiency.
Classif contains the synthetic results from the three figures drawn above.


IV. Diagnostic of security services

IV.1. Questionnaires [8]
Mehari contains 14 questionnaires built in compliance with the ISO/IEC 27002
international standard.
Each questionnaire covers a certain service and its sub-services, and there are three
possible answers to each question:
- 1 for yes
- 0 for no
- X for irrelevant (not applicable to the organization)

The following figure represents a part of the first questionnaire, which covers the
organization of security.

Figure III.7. 01 org


This figure represents a part of the final questionnaire, which covers the ISM domain.

Figure III.8. 14 ISM

IV.2. Services
The services table automatically calculates the results of the questionnaires based
on the answers given previously.

Figure III.9. Services


IV.3. Themes

Figure III.10. Themes
The Mehari security themes tables present the current level of the services, also
based on the answers given in the questionnaires from 01 org to 14 ISM, along with
the target level.
Based on the results we find that some of the services are at the required level,
while others are not, whether at a very low level or at an average level.

IV.4. ISO 27002

Figure III.11. ISO 27002

This figure illustrates the ISO 27002 table, which permits evaluating a score (from
0 to 10) of compliance with the ISO/IEC 27002 international standard code of
practice, based on the yes answers to the Mehari questionnaires.
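The following Python code is an added example of what the Services, Themes and ISO 27002 worksheets compute; it is not CLUSIF's scoring, whose real weighting rules live in the workbook formulas and are not reproduced here. It derives a 0..10 score per service and per ISO/IEC 27002 control from answers in the 1/0/X convention, and lists the services below the target level. The question bank, its mapping to services and controls, the weights and the answers are all constructed for the example.

```python
"""Added example, not CLUSIF code: 0..10 scores per service and per ISO/IEC
27002 control from Mehari-style questionnaire answers, plus the gap against the
target level. Question bank, mapping, weights and answers are constructed."""

# (questionnaire, question id, service, ISO/IEC 27002 control, weight); constructed.
QUESTIONS = [
    ("01 org", "01A01-01", "01A", "6.1", 2),
    ("01 org", "01A01-02", "01A", "6.1", 1),
    ("01 org", "01A01-03", "01A", "6.1", 1),
    ("01 org", "01B01-01", "01B", "6.2", 2),
    ("01 org", "01B01-02", "01B", "6.2", 1),
    ("14 ISM", "14A01-01", "14A", "15.2", 1),
]

# Answers in the worksheet convention: 1 = yes, 0 = no, "X" = irrelevant.
ANSWERS = {
    "01A01-01": 1, "01A01-02": 0, "01A01-03": "X",
    "01B01-01": 0, "01B01-02": 0,
    "14A01-01": 1,
}

SERVICE, CONTROL = 2, 3  # column of a QUESTIONS row to group by

def score_by(column, questions=QUESTIONS, answers=ANSWERS):
    """Weighted share of 'yes' answers scaled to 0..10, grouped by the chosen
    column. 'X' answers count in neither numerator nor denominator, so an
    irrelevant question cannot lower a score; a group with only 'X' answers
    (or no answer at all) gets None rather than a misleading 0."""
    yes, total = {}, {}
    for row in questions:
        key, weight = row[column], row[4]
        yes.setdefault(key, 0)
        total.setdefault(key, 0)
        answer = answers.get(row[1], "X")  # unanswered is treated as irrelevant
        if answer == "X":
            continue
        total[key] += weight
        if answer == 1:
            yes[key] += weight
    return {k: (round(10 * yes[k] / total[k], 1) if total[k] else None) for k in total}

def gaps(scores, targets):
    """Services below the target level of the Themes sheet, or not scored at all:
    {service: (current score, target)}."""
    return {s: (scores.get(s), t) for s, t in targets.items()
            if scores.get(s) is None or scores[s] < t}

if __name__ == "__main__":
    print(score_by(SERVICE))   # per service, as in the Services sheet
    print(score_by(CONTROL))   # per ISO/IEC 27002 control, as in the ISO 27002 sheet
    print(gaps(score_by(SERVICE), {"01A": 8.0, "01B": 5.0, "14A": 8.0}))
```

The treatment of X matters in practice: counting an irrelevant question as a "no" would penalize a service for controls that do not apply, while counting it as a "yes" would hide real gaps, so it is excluded on both sides of the ratio.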


V. Risk assessment [9]

V.1. Expo
Expo lists the different types of events and their natural exposure. In this table we
find the standard exposure levels given by CLUSIF.
However, the auditor can set the level value according to the status of the
organization being analyzed, using the usual scale from 1 to 4, as illustrated in
the figure below.

Figure III.12. Expo

V.2. Scenarios
The scenarios worksheet in Mehari is the cornerstone of the risk assessment and
describes all the risk scenarios of the knowledge base.
Based on these scenarios, the holder of the audit mission evaluates the level of
impact and likelihood, in order to determine the final seriousness level and take it
into account in the risk treatment phase.

Figure III.13. Scenarios


V.3. Risk%asset

The Risk%asset table contains a summary statement, for each type of asset, of the
number of scenarios, ordered by security criterion (A, I, C or E) and seriousness
level (from 1 to 4).

Figure III.14. Risk%asset

V.4. Risk%event
The Risk%event table contains a summary statement, for each type of event (threat),
of the number of scenarios, ordered by seriousness level (from 1 to 4).

Figure III.15. Risk%event


VI. Preparation of an action plan

VI.1. Basics
The action plan is made for the reduction of a risk level, based on actions chosen by
the auditor.
To reduce the seriousness level we need to reduce the impact or the likelihood of the
risk; however, the choice of a given action may depend on the type of plan.
The columns from G to the right of the action plan worksheet propose security services
that reduce the risk of several scenarios at a time, in each family of scenarios.
This means that these services are mentioned in the scenarios of the family, in more
than 80% of the scenarios (type E) or fewer (types A to D). To reduce the likelihood,
only the deterrence and prevention values are affected; to reduce the impact, only
the confining and palliation values are affected.

Figure III.16. Action plan

VI.2. Comment
In the first scenario, loss of data for applications, we find that the deterrence
plan of type A is set to 1, which means that a corrective action will be taken for
certain services in order to reduce the likelihood level. For the reduction of the
impact level, we find that the palliation plan of type E is also set to 1. The other
measures are set to 0, meaning that no corrective action will be taken: in other
words, the risk level of the corresponding services is accepted as it is.


VII. Method's permanent elements and parameters

VII.1. Seriousness
The Seriousness worksheet contains the standard table proposed by CLUSIF, illustrated
below, establishing the seriousness level of a risk as a function of its impact and
likelihood.

Figure III.17. Seriousness

VII.2. IP-Grids
This figure illustrates the decision tables used by the method to evaluate the impact
and likelihood values from their intrinsic values and the risk reduction factors in
place or anticipated.

Figure III.18. IP-Grids
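The following Python code is an added example, not part of the Mehari workbook (whose calculations are spreadsheet formulas) and not CLUSIF code. It follows scenarios through the chain described in sections V.2 to V.4, VI.1 and VII.1 to VII.2: intrinsic impact and likelihood, reduction by the deterrence/prevention measures (likelihood side) and confining/palliation measures (impact side), lookup in a seriousness grid, and the Risk%asset and Risk%event recaps. The SERIOUSNESS grid and the two residual_* rules are hypothetical stand-ins with the shape of the CLUSIF Seriousness and IP-Grids tables, and the scenarios are constructed; the real worksheets must be substituted before using this on an audit.

```python
"""Added example, not CLUSIF code: from a Mehari-style risk scenario to the
Risk%asset and Risk%event recaps. SERIOUSNESS and the residual_* rules are
HYPOTHETICAL stand-ins for the CLUSIF Seriousness and IP-Grids tables (levels 1..4);
the scenarios below are constructed."""
from collections import defaultdict

# Hypothetical seriousness grid: SERIOUSNESS[impact][likelihood], levels 1..4.
# Row/column 0 are padding so that a level can be used directly as an index.
SERIOUSNESS = [
    [0, 0, 0, 0, 0],
    [0, 1, 1, 1, 2],  # impact 1 (insignificant)
    [0, 1, 2, 2, 3],  # impact 2 (serious)
    [0, 2, 3, 3, 4],  # impact 3 (very serious)
    [0, 2, 3, 4, 4],  # impact 4 (vital)
]

def clamp(level):
    """Keep a level inside the 1..4 scale."""
    return max(1, min(4, level))

def residual_likelihood(intrinsic, deterrence, prevention):
    """Hypothetical IP-grid rule: only deterrence and prevention measures (0..4)
    act on likelihood; the strongest of them lowers it by (level - 1)."""
    return clamp(intrinsic - max(0, max(deterrence, prevention) - 1))

def residual_impact(intrinsic, confining, palliation):
    """Same hypothetical rule for impact, acted on only by confining and palliation."""
    return clamp(intrinsic - max(0, max(confining, palliation) - 1))

def seriousness(scenario):
    """Residual seriousness (1..4) of one scenario given the measures in place."""
    impact = residual_impact(scenario["impact"], scenario["confining"], scenario["palliation"])
    likelihood = residual_likelihood(scenario["likelihood"], scenario["deterrence"], scenario["prevention"])
    return SERIOUSNESS[impact][likelihood]

def risk_by_asset(scenarios):
    """Risk%asset recap: {asset type: {criterion A/I/C/E: {seriousness: count}}}."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for s in scenarios:
        table[s["asset"]][s["criterion"]][seriousness(s)] += 1
    return table

def risk_by_event(scenarios):
    """Risk%event recap: {event (threat): {seriousness: count}}."""
    table = defaultdict(lambda: defaultdict(int))
    for s in scenarios:
        table[s["event"]][seriousness(s)] += 1
    return table

def action_plan_candidates(scenarios, threshold=3):
    """Scenarios whose residual seriousness reaches the threshold, i.e. those for
    which the action plan must raise deterrence/prevention or confining/palliation."""
    return [s["name"] for s in scenarios if seriousness(s) >= threshold]

# Constructed scenarios: asset type, security criterion, threat, intrinsic impact
# and likelihood, and the level (0..4) of each measure family already in place.
SCENARIOS = [
    dict(name="loss of application data", asset="data", criterion="A", event="loss of data",
         impact=4, likelihood=3, deterrence=0, prevention=1, confining=0, palliation=3),
    dict(name="theft of customer data", asset="data", criterion="C", event="theft",
         impact=3, likelihood=3, deterrence=2, prevention=3, confining=0, palliation=0),
    dict(name="loss of service data", asset="services", criterion="A", event="loss of data",
         impact=3, likelihood=2, deterrence=0, prevention=0, confining=0, palliation=0),
    dict(name="tampering with a service", asset="services", criterion="I", event="tampering",
         impact=2, likelihood=4, deterrence=1, prevention=4, confining=0, palliation=0),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s["name"], "->", seriousness(s))
    print({a: {c: dict(v) for c, v in crit.items()} for a, crit in risk_by_asset(SCENARIOS).items()})
    print({e: dict(v) for e, v in risk_by_event(SCENARIOS).items()})
    print("action plan candidates:", action_plan_candidates(SCENARIOS))
```

The first scenario shows why the action plan separates the two sides: a level-3 palliation measure (backups, for instance) brings a vital impact down to 2 without changing the likelihood at all, whereas in the last scenario a level-4 prevention measure only acts on the likelihood.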
VIII. Conclusion
To conclude, Mehari is a complete methodology for risk analysis and treatment. It
allows the auditor to obtain a complete analysis and a view of the organization's
different assets, and it determines what is at stake and what is not. Besides, Mehari
helps the auditor choose the right treatment procedure by showing the seriousness
scale of each asset.

Workbook IV
Vulnerability report site 1


I. Introduction
This report presents the results of the vulnerability scan performed as part of the
security audit. It contains confidential information about the state of your
network; access to this information by unauthorized personnel may allow them to
compromise your network.
During this test, 11 hosts with a total of 286 exposed services and 376
vulnerabilities were discovered.

II. Discovered Hosts

Table IV.10. Hosts

IP Address       Hostname              OS                  Services  Vulns  Status
192.168.59.101   192.168.59.101        Microsoft Windows   6         113    success
192.168.59.249   Mac Apple             Mac OS X            6         14     success
192.168.59.105   Communication-s       Microsoft Windows   16        11     success
192.168.59.22    Bibliotheque          Microsoft Windows   12        5      success
192.168.59.14    pc6                   Microsoft Windows   6         1      success
192.168.59.231   dm1                   Microsoft Windows   6         6      success
192.168.59.130   192.168.59.130        Microsoft Windows   3         2      success
192.168.59.233   pc10                  Microsoft Windows   6         6      success
192.168.59.111   Communication-s       Microsoft Windows   192       1      success
192.168.59.100   Serveur-Application   Microsoft Windows   33        173    success
192.168.59.150   NAS-SYMPHONY          Linux 2.6.38        _         44     success

The table above lists the discovered hosts along with the general information
obtained during the vulnerability scan; the Services and Vulns columns add up to the
286 exposed services and 376 vulnerabilities given in the introduction.


III. Discovered Web Sites

Table IV.11. Web sites

IP Address       Hostname              Port   Sites
192.168.59.100   Serveur-Application   443    1
192.168.59.100   Serveur-Application   8443   1
192.168.59.100   Serveur-Application   9090   1
192.168.59.101   192.168.59.101        8090   1
192.168.59.105   Communication-s       80     1
192.168.59.111   Communication-s       80     1
192.168.59.111   Communication-s       8080   1
192.168.59.233   pc10                  80     1

The table above lists the web sites discovered during the vulnerability scan, along
with the port used and the host that serves them.

IV. Detailed Findings

This figure illustrates the services found with multiple running instances during
the vulnerability scan.

Figure IV.19. Multiple service instance frequency


The audit was performed on 11 systems, all 11 of which were found to be active and
were scanned.
There were 376 vulnerabilities found during this scan. Of these, 70 were critical
vulnerabilities. Critical vulnerabilities require immediate attention: they are
relatively easy for attackers to exploit and may provide them with full control of
the affected systems.
274 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit
and may not provide the same access to affected systems.
There were 32 moderate vulnerabilities discovered. These often provide information to
attackers that may assist them in mounting subsequent attacks on your network. They
should also be fixed in a timely manner, but are not as urgent as the other
vulnerabilities.
Critical vulnerabilities were found to exist on 10 of the systems, making them the
most susceptible to attack.
8 systems were found to have severe vulnerabilities. Moderate vulnerabilities were
found on 9 systems. No systems were free of vulnerabilities.

Figure IV.20. Vulnerabilities by severity


There were 10 occurrences of the cifs-smb-signing-disabled and
cifs-smb-signing-not-required vulnerabilities, making them the most common
vulnerabilities. There were 310 vulnerabilities in the HTTP category, making it the
most common vulnerability category.

Figure IV.21. Common vulnerabilities

The cifs-smb-signing-disabled vulnerability poses the highest risk to the
organization, with a risk score of 3,828. Risk scores are based on the types and
numbers of vulnerabilities on affected assets. When SMB signing is disabled or not
required, an attacker positioned on the network can relay captured authentication to
the server or tamper with SMB sessions in transit, which is why this finding, present
on almost every host, ranks first.

Figure IV.22. Highest risk vulnerabilities


There were 3 operating systems identified and 28 services found to be running during
this scan.
The Microsoft Windows operating system was found on 9 systems, making it the most
common operating system.

Figure IV.23. Operating Systems

The CIFS Name Service was found on 9 systems, making it the most common service. The
HTTPS service was found to have the most vulnerabilities during this scan, with 199
vulnerabilities.

Figure IV.24. Common services


V. Risk Score

Table IV.12. Risk score

Node             Operating System                                  Risk     Aliases
192.168.59.100   Microsoft Windows Server 2008 Standard Edition    63,546   Serveur-Application
192.168.59.101   Microsoft Windows                                 39,600
192.168.59.150   Linux 2.6.38                                      14,961   NAS-SYMPHONY
192.168.59.249   Apple Mac OS X 10.4.11                            9,214    Mac
192.168.59.105   Microsoft Windows Server 2003 SP2                 6,462    Communication-s
192.168.59.233   Microsoft Windows XP                              3,610    PC10
192.168.59.231   Microsoft Windows XP                              2,981    Dm1
192.168.59.22    Microsoft Windows 7 Professional Edition          2,036    Bibliotheque
192.168.59.14    Microsoft Windows XP                              859      PC6
192.168.59.130   Microsoft Windows Server 2003                     520
192.168.59.111   Microsoft Windows Server 2003                     0.0      Communication-s

The table above gives the risk score of each node discovered in the vulnerability
scan. The score is calculated from the number and types of the vulnerabilities found
on each asset, so it orders the hosts by remediation priority: the application server
(192.168.59.100) and the host 192.168.59.101 alone account for most of the risk.


VI. Discovered and Potential Vulnerabilities

VI.1. Critical Vulnerabilities

VI.1.1. Apache HTTPD: mod_isapi module unload flaw (apache-httpd-cve-2010-0425)

Description:
The affected asset is vulnerable to this issue ONLY if it is running the mod_isapi
module; review the web server configuration (a LoadModule isapi_module line in
httpd.conf) to confirm, since the scanner inferred the finding from the server
version alone. A flaw was found in mod_isapi, which would attempt to unload the ISAPI
DLL when it encountered various error states. This could leave the callbacks in an
undefined state and result in a segfault. On Windows platforms using mod_isapi, a
remote attacker could send a malicious request to trigger this issue; as the win32
MPM runs only one process, this would result in a denial of service, and potentially
allow arbitrary code execution.

Affected Nodes:
Table IV.13. CVE-2010-0425

Affected node         Additional information
192.168.59.100:90     Vulnerable OS: Microsoft Windows Server 2008 Standard Edition.
                      Running HTTP service. Product HTTPD exists: Apache HTTPD 2.2.14.
                      Vulnerable version of product HTTPD found: Apache HTTPD 2.2.14.
192.168.59.100:443    Vulnerable OS: Microsoft Windows Server 2008 Standard Edition.
                      Running HTTPS service. Product HTTPD exists: Apache HTTPD 2.2.14.
                      Vulnerable version of product HTTPD found: Apache HTTPD 2.2.14.

Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.15: upgrade to Apache HTTPD version 2.2.15.


VI.1.2. MS09-001: Remote Code Execution (958687)

Description:
This security update resolves two privately reported vulnerabilities and one publicly
disclosed vulnerability in the Microsoft Server Message Block (SMB) protocol. The
vulnerabilities could allow remote code execution on affected systems. An attacker
who successfully exploited these vulnerabilities could install programs; view, change
or delete data; or create new accounts with full user rights.

Affected Nodes:
Table IV.14. MS09-001

Affected node         Additional information
192.168.59.100:139    Vulnerable OS: Microsoft Windows Server 2008 Standard Edition.
                      \LSARPC: WriteAndX succeeded with offset 77
192.168.59.100:445    Vulnerable OS: Microsoft Windows Server 2008 Standard Edition.
                      \LSARPC: WriteAndX succeeded with offset 77

Vulnerability Solution:
MS09-001: Security Update for Windows Server 2008 (KB958687)

VI.1.3. MS10-012: Remote Code Execution (971468)

Description:
This security update resolves several privately reported vulnerabilities in Microsoft
Windows. The most severe of these vulnerabilities could allow remote code execution
if an attacker created a specially crafted SMB packet and sent it to an affected
system.

Affected Nodes:
Table IV.15. MS10-012

Affected node         Additional information
192.168.59.100:139    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-001:
                      Vulnerabilities in SMB Could Allow Remote Code Execution
                      (958687)" test.
192.168.59.100:445    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-001:
                      Vulnerabilities in SMB Could Allow Remote Code Execution
                      (958687)" test.

Unlike the MS09-001 entry above, which comes from an active test against the LSARPC
pipe, this finding is inferred from the MS09-001 result rather than checked
directly, so it should be confirmed against the list of updates installed on the
server.

Vulnerability Solution:
MS10-012: Security Update for Windows Server 2008 (KB971468)

VI.1.4. MS10-054: Remote Code Execution (982214)

Description:
This security update resolves several privately reported vulnerabilities in Microsoft
Windows. The most severe of these vulnerabilities could allow remote code execution
if an attacker created a specially crafted SMB packet and sent it to an affected
system.

Affected Nodes:
Table IV.16. MS10-054

Affected node         Additional information
192.168.59.100:139    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-050:
                      Vulnerabilities in SMBv2 Could Allow Remote Code Execution
                      (975517)" test.
192.168.59.100:139    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-001:
                      Vulnerabilities in SMB Could Allow Remote Code Execution
                      (958687)" test.
192.168.59.100:445    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-050:
                      Vulnerabilities in SMBv2 Could Allow Remote Code Execution
                      (975517)" test.
192.168.59.100:445    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-001:
                      Vulnerabilities in SMB Could Allow Remote Code Execution
                      (958687)" test.

These entries are inferred from the MS09-001 and MS09-050 test results rather than
from a direct check of this bulletin, so they should be confirmed against the list of
updates installed on the server.

Vulnerability Solution (see workbook VI, page 97):
MS10-054: Security Update for Windows Server 2008 (KB982214)

VI.1.5. MS11-020: Remote Code Execution (2508429)

Description:
This security update resolves a privately reported vulnerability in Microsoft Windows.
The vulnerability could allow remote code execution if an attacker created a specially
crafted SMB packet and sent it to an affected system. Firewall best practices and
standard default firewall configurations can help protect networks from attacks
originating outside the enterprise perimeter that would attempt to exploit this
vulnerability.

Affected Nodes:
Table IV.17. MS11-020

Affected node         Additional information
192.168.59.100:139    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-050:
                      Vulnerabilities in SMBv2 Could Allow Remote Code Execution
                      (975517)" test.
192.168.59.100:139    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-001:
                      Vulnerabilities in SMB Could Allow Remote Code Execution
                      (958687)" test.
192.168.59.100:445    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-001:
                      Vulnerabilities in SMB Could Allow Remote Code Execution
                      (958687)" test.
192.168.59.100:445    Running CIFS service. Vulnerable OS: Microsoft Windows Server
                      2008 Standard Edition. Based on the result of the "MS09-050:
                      Vulnerabilities in SMBv2 Could Allow Remote Code Execution
                      (975517)" test.

Vulnerability Solution:
MS11-020: Security Update for Windows Server 2008 (KB2508429)

VI.1.6. CIFS NULL Session Permitted (cifs-nt-0001)

Description:
NULL sessions allow anonymous users to establish unauthenticated CIFS sessions with
Windows or third-party CIFS implementations such as Samba or the Solaris CIFS server.
These anonymous users may be able to enumerate local users, groups, servers, shares,
domains and domain policies, and may be able to access various MSRPC services through
RPC function calls. These services have historically been affected by numerous
vulnerabilities. The wealth of information available to attackers through NULL
sessions may also allow them to carry out more sophisticated attacks.

Affected Nodes:
Table IV.18. cifs-nt-0001

Affected node     Additional information
192.168.59.150    Found server name: NAS-SYMPHONY. Found policy for domain(s):
                  NASSYMPHONY, Builtin
192.168.59.231    Found server name: DM1
192.168.59.233    Found server name: PC10
192.168.59.249    Found server name: MAC. Found policy for domain(s): MAC, Builtin

Of these nodes, DM1 and PC10 are Windows XP hosts, so the Windows procedure below
applies to them; NAS-SYMPHONY runs Linux and the Mac OS X host shares files through
Samba, so the smb.conf change applies to those two.

Vulnerability Solution:
Microsoft Windows XP Professional
Disable NULL sessions for Windows XP:
- Modify the registry key
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
  with the following values:
  Value Name: RestrictAnonymous
  Data Type: REG_DWORD
  Data Value: 1
  Value Name: RestrictAnonymousSAM
  Data Type: REG_DWORD
  Data Value: 1
  Value Name: EveryoneIncludesAnonymous
  Data Type: REG_DWORD
  Data Value: 0
- Modify the registry key
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
  with the following values:
  Value Name: RestrictNullSessAccess
  Data Type: REG_DWORD
  Data Value: 1
  Value Name: NullSessionPipes
  Data Type: REG_MULTI_SZ
  Data Value: "" (empty string, without quotes)
- Open Local Security Settings and disable the following setting:
  Security Settings -> Local Policies -> Security Options ->
  Network access: Allow anonymous SID/Name translation: Disabled
- Finally, reboot the machine.

Samba on Linux
Restrict anonymous access:
- To restrict anonymous access to Samba, modify your "smb.conf" settings as follows:
  guest account = nobody
  restrict anonymous = 1


VI.1.7. Invalid CIFS Logins Permitted (cifs-invalid-logins-permitted)

Description:
Windows XP (and possibly Vista) includes a "ForceGuest" operating mode whereby the
CIFS service allows unauthenticated users to connect to the service with limited
access.
The "ForceGuest" mode is enabled by default on Windows XP installations which are not
joined to a domain and have Simple File Sharing enabled.
This operating mode accepts any set of login credentials, but forces the logged-on
user to operate under the access restrictions of a guest user on the system.

Affected Nodes:
Table IV.19. cifs-invalid-logins-permitted

Affected node     Additional information
192.168.59.150    Established CIFS connection with randomly generated credentials:
                  A2D2E24C720C00C0
192.168.59.233    Established CIFS connection with randomly generated credentials:
                  6849FC89B734821F

Vulnerability Solution:
In the 'Local Security Settings' feature of the Windows Control Panel, modify the
following settings:
- Set 'Local Policies -> User Rights Assignment -> Deny access to this computer
  from the network' to include the guest account.
- Set 'Local Policies -> Security Options -> Accounts: Guest account status' to
  'Disabled'.

Node 192.168.59.150 is the Linux NAS, where the same behaviour comes from Samba's
"map to guest" setting: setting it to "Never" in smb.conf makes the server reject
invalid credentials instead of mapping them to the guest account.


VI.1.8. MS12-020: Remote Code Execution (2671387)

Description:
This security update resolves two privately reported vulnerabilities in the Remote
Desktop Protocol. The more severe of these vulnerabilities could allow remote code
execution if an attacker sends a sequence of specially crafted RDP packets to an
affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any
Windows operating system. Systems that do not have RDP enabled are not at risk.

Affected Nodes:
Table IV.20. MS12-020

Affected node          Additional information
192.168.59.100:3389    Running Microsoft Remote Display Protocol service. User 1 was
                       able to connect to the channel assigned to User 2.
192.168.59.105:3389    Running Microsoft Remote Display Protocol service. User 1 was
                       able to connect to the channel assigned to User 2.
192.168.59.130:3389    Running Microsoft Remote Display Protocol service. User 1 was
                       able to connect to the channel assigned to User 2.
192.168.59.22:3389     Running Microsoft Remote Display Protocol service. User 1 was
                       able to connect to the channel assigned to User 2.
192.168.59.231:3389    Running Microsoft Remote Display Protocol service. User 1 was
                       able to connect to the channel assigned to User 2.

Here the finding comes from an active test, not from a version inference: the
scanner observed that one user's connection could attach to the channel assigned to
another, which is the behaviour the update removes. RDP is enabled on all five hosts,
so the "not at risk" case of the description does not apply to them.

Vulnerability Solution:
MS12-020: Security Update for Windows Server 2008 (KB2621440)
MS12-020: Security Update for Windows Server 2003 (KB2621440)
MS12-020: Security Update for Windows XP (KB2621440)
The same update (KB2621440) also applies to Windows 7, the operating system of
192.168.59.22 according to the risk score table.


VI.1.9. OpenSSL bn_wexpand NULL return flaw (http-openssl-cve-2009-3245)

Description:
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand
function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c,
(3) crypto/ec/ec2_smpl.c and (4) engines/e_ubsec.c, which has unspecified impact
and context-dependent attack vectors.

Affected Nodes:
Table IV.21. CVE-2009-3245

Affected node         Additional information
192.168.59.100:80     Running HTTP service. Product HTTPD exists: Apache HTTPD 2.2.14.
                      Vulnerable version of component OpenSSL found: OpenSSL 0.9.8l
192.168.59.100:443    Running HTTPS service. Product HTTPD exists: Apache HTTPD 2.2.14.
                      Vulnerable version of component OpenSSL found: OpenSSL 0.9.8l
192.168.59.150:80     Running HTTP service. Product HTTPD exists: Apache HTTPD 1.3.42.
                      Vulnerable version of component OpenSSL found: OpenSSL 0.9.8g
192.168.59.150:443    Running HTTPS service. Product HTTPD exists: Apache HTTPD 1.3.42.
                      Vulnerable version of component OpenSSL found: OpenSSL 0.9.8g

Vulnerability Solution:
Upgrade to version 0.9.8m of OpenSSL.
Note that Apache HTTPD 1.3.42 on the NAS is the final release of the 1.3 branch,
which no longer receives security fixes, so upgrading OpenSSL alone leaves an
unsupported web server on that host.

VI.2. Severe Vulnerabilities

VI.2.1. Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)

Description:
Insecure handling of LD_LIBRARY_PATH was found that could lead to the current
working directory being searched for DSOs. This could allow a local user to execute
code as root if an administrator runs apachectl from an untrusted directory.

Affected Nodes:
Table IV.22. CVE-2012-0883

Affected node         Additional information
192.168.59.100:90     Running HTTP service. Product HTTPD exists: Apache HTTPD 2.2.14.
                      Vulnerable version of product HTTPD found: Apache HTTPD 2.2.14.
192.168.59.100:443    Running HTTPS service. Product HTTPD exists: Apache HTTPD 2.2.14.
                      Vulnerable version of product HTTPD found: Apache HTTPD 2.2.14.

This is a version-based finding. Since 192.168.59.100 runs Windows Server 2008, where
Apache is started as a service rather than through the apachectl and envvars shell
scripts in which the flaw lies, it is unlikely to be exploitable on this host; the
upgrade remains advisable for the other fixes included in 2.2.23.

Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.23: upgrade to Apache HTTPD version 2.2.23.

VI.2.2. X.509 Certificate Subject CN Does Not Match the Entity Name
Description:
The subject common name (CN) field in the X.509 certificate does not match the name of
the entity presenting the certificate.
Before issuing a certificate, a Certification Authority (CA) must check the identity of the
entity requesting the certificate, as specified in the CA's Certification Practice Statement
(CPS). Standard certificate validation therefore requires the name the client connected to
(hostname or IP address) to appear in the certificate: in the subjectAltName extension or,
for legacy certificates without that extension, in the subject CN field. A client does not
resolve the CN to an IP address when matching, so a certificate for 'localhost' is never
valid for a connection to 192.168.59.100, even though localhost resolves to the loopback address.
A CN mismatch most often results from a configuration error (a default certificate left in
place after installation), but it can also indicate that a man-in-the-middle attack is being
conducted, and a client that accepts the mismatch has no way to tell the two apart.
Affected Nodes:

Table IV.23.CN-name-mismatch
Affected Nodes        Additional Information
192.168.59.100:443    The subject common name found in the X.509 certificate ('CN=localhost') does not seem to match the scan target '192.168.59.100': Subject CN 'localhost' does not match node name '192.168.59.100'. Subject CN's resolved IP address 'localhost/127.0.0.1' differs from node IP address '/192.168.59.100'. Subject CN's resolved IP address 'localhost/0:0:0:0:0:0:0:1' differs from node IP address '/192.168.59.100'.
192.168.59.105:500    The subject common name found in the X.509 certificate ('CN=Administrateur') does not seem to match the scan target '192.168.59.105': Subject CN 'Administrateur' does not match node name '192.168.59.105'.
192.168.59.150:443    The subject common name found in the X.509 certificate ('CN=nas-symphony') does not seem to match the scan target '192.168.59.150': Subject CN 'nas-symphony' does not match node name '192.168.59.150'.

Vulnerability Solution:
Issue each service a certificate that names what clients actually connect to: the DNS
name in the subjectAltName extension (and the IP address as an iPAddress entry if clients
connect by IP), with the subject CN set to the primary hostname. Generate a new certificate
signed by a Certification Authority (CA) trusted by both the client and server, for example an
internal CA whose root is deployed to the clients; otherwise users are trained to click through
certificate warnings, which defeats the purpose of the check.
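The matching rule described above is easy to get wrong, so here is the check a client performs, written out as an added example (this code is not part of the original report). It follows RFC 6125: names come from the subjectAltName extension, the CN is consulted only when no SAN is present, and an IP-address target must appear as an iPAddress entry. The certificate dictionaries are constructed in the shape Python's ssl.getpeercert() returns; the two CN-only certificates mirror the findings, while CERT_NAS_FIXED and its example.lan zone are assumptions illustrating what a corrected certificate for 192.168.59.150 would carry.

```python
import ipaddress

# Constructed certificates in the shape ssl.getpeercert() returns. The first two
# mirror the findings above (CN only, no SAN); the third is an assumed corrected
# certificate for 192.168.59.150 that carries its names in the SAN extension.
CERT_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CERT_NAS_CN_ONLY = {"subject": ((("commonName", "nas-symphony"),),)}
CERT_NAS_FIXED = {
    "subject": ((("commonName", "nas-symphony"),),),
    "subjectAltName": (
        ("DNS", "nas-symphony"),
        ("DNS", "*.example.lan"),          # assumed internal zone
        ("IP Address", "192.168.59.150"),
    ),
}


def names_from_cert(cert):
    """Return (dns_names, ip_names) the certificate is valid for.
    RFC 6125: if a SAN extension is present the CN is ignored; the CN is used
    only as a fallback for legacy certificates without SAN."""
    dns_names, ip_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ip_names.append(value)
    if dns_names or ip_names:
        return dns_names, ip_names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                dns_names.append(value.lower().rstrip("."))
    return dns_names, ip_names


def dns_name_matches(pattern, hostname):
    """Exact match, or a wildcard in the leftmost label only, covering exactly
    one label (*.example.lan matches www.example.lan, not a.b.example.lan)."""
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def cert_matches_target(cert, target):
    """True if the certificate names the target the client connected to.
    An IP target must appear as an iPAddress SAN; a CN such as 'localhost'
    never matches an IP, even though it resolves to one, which is exactly
    why the scanner flags these nodes."""
    dns_names, ip_names = names_from_cert(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for candidate in ip_names:
            try:
                if ipaddress.ip_address(candidate) == ip:
                    return True
            except ValueError:
                continue                     # malformed SAN entry: ignore it
        return False
    host = target.lower().rstrip(".")
    return any(dns_name_matches(p, host) for p in dns_names)


def audit(findings):
    """Apply the check to (target, cert) pairs; return the targets that mismatch."""
    return [target for target, cert in findings if not cert_matches_target(cert, target)]


if __name__ == "__main__":
    print(audit([("192.168.59.100", CERT_LOCALHOST),
                 ("192.168.59.150", CERT_NAS_CN_ONLY),
                 ("192.168.59.150", CERT_NAS_FIXED)]))
```

Note that ssl.getpeercert() only returns the decoded dictionary when the certificate was verified against a trust store; for a self-signed certificate like those above, fetch the DER with getpeercert(binary_form=True) and decode it (for example with the cryptography package) before handing the names to cert_matches_target.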
VI.2.3. FTP server does not support AUTH command (ftp-generic-0007)
Description:
FTP clients send credentials (user ID and password) in clear text to the FTP server by
default. This allows malicious users to intercept the credentials if they can eavesdrop
on the connection.
Newer FTP servers support the AUTH command, which provides enhanced
authentication options such as TLS, Kerberos, GSSAPI, etc. This should be used to
prevent eavesdropping on FTP connections.
Affected Nodes:
Table IV.24.FTP-generic-0007
Affected Nodes        Additional Information
192.168.59.100:21     Server supports none of the following AUTH mechanisms: TLS TLS-C KERBEROS_V4 GSSAPI SSL
192.168.59.150:21     Server supports none of the following AUTH mechanisms: TLS TLS-C KERBEROS_V4 GSSAPI SSL
192.168.59.233:21     Server supports none of the following AUTH mechanisms: TLS TLS-C KERBEROS_V4 GSSAPI SSL

Vulnerability Solution:
Upgrade or migrate to an FTP server that supports the AUTH command (AUTH TLS, RFC 4217),
and configure it to refuse plaintext logins: a server that merely offers AUTH TLS still
accepts a client that never sends it. Where the transfer need allows it, replacing FTP with
SFTP over SSH removes the problem entirely.
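As an added example (not from the original report), the following Python reproduces the scanner's test: connect, read the banner, send AUTH for each mechanism and classify the reply. A constructed in-process FTP responder stands in for the real servers so the exchange can be run offline; the loopback host, ports and reply texts are assumptions, and the reply codes follow RFC 2228/4217 (234 means the server accepts the mechanism and now expects the TLS handshake).

```python
import socket
import threading


def read_reply(f):
    """Read one FTP reply from a buffered socket file, handling multi-line
    replies ('220-...' continued until a line starting with '220 ')."""
    first = f.readline().decode("ascii", "replace")
    if not first:
        raise ConnectionError("server closed the connection")
    code = first[:3]
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":
        while True:
            line = f.readline().decode("ascii", "replace")
            if not line:
                raise ConnectionError("server closed the connection mid-reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return int(code), lines


def probe_ftp_auth(host, port=21, mechanisms=("TLS", "SSL"), timeout=5.0):
    """Send 'AUTH <mech>' for each mechanism and report which the server accepts.
    234 = accepted (RFC 2228/4217); 500/502/504/530 etc. = not supported.
    Returns {mechanism: accepted}. Mechanisms after an accepted one are not
    tried, because the server now expects a TLS handshake, not plaintext."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, banner = read_reply(f)
        if code != 220:
            raise ConnectionError(f"unexpected FTP banner: {banner[0]}")
        for mech in mechanisms:
            sock.sendall(f"AUTH {mech}\r\n".encode("ascii"))
            code, _ = read_reply(f)
            results[mech] = (code == 234)
            if code == 234:
                break
        if not any(results.values()):
            sock.sendall(b"QUIT\r\n")          # polite close on a plaintext session
    return results


def start_fake_ftp_server(supports_tls):
    """Constructed stand-in for the FTP daemons in the table above, so the probe
    can be exercised offline. supports_tls=False behaves like a server that knows
    no AUTH mechanism; True accepts AUTH TLS. Loopback only, one connection.
    Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn:
                f = conn.makefile("rb")
                conn.sendall(b"220 constructed test FTP server ready\r\n")
                while True:
                    line = f.readline()
                    if not line:
                        break
                    cmd = line.decode("ascii", "replace").strip().upper()
                    if cmd == "AUTH TLS" and supports_tls:
                        conn.sendall(b"234 AUTH TLS successful\r\n")
                        break          # a real server would start the TLS handshake here
                    if cmd.startswith("AUTH"):
                        conn.sendall(b"502 Command not implemented\r\n")
                    elif cmd == "QUIT":
                        conn.sendall(b"221 Goodbye\r\n")
                        break
                    else:
                        conn.sendall(b"500 Unknown command\r\n")
        except OSError:
            pass                           # client closed first; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(supports_tls):
    """Run the probe against a constructed server; returns the probe's result dict."""
    port = start_fake_ftp_server(supports_tls)
    return probe_ftp_auth("127.0.0.1", port)


if __name__ == "__main__":
    print("server without AUTH:", demo(False))   # {'TLS': False, 'SSL': False}
    print("server with AUTH TLS:", demo(True))   # {'TLS': True}
```

Against a real host, call probe_ftp_auth(host) directly; an all-False result is the condition the scanner reports above, and a True result only says the server offers TLS, not that it refuses logins without it.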

VI.2.4. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)


Description:
The TLS/SSL server supports cipher suites based on weak algorithms. This may
enable an attacker to launch man-in-the-middle attacks and monitor or tamper with
sensitive data.
Affected Nodes:
Table IV.25.ssl-weak-ciphers
Affected Nodes        Additional Information
192.168.59.100:443    Negotiated with the following insecure cipher suites.
                      SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_IDEA_128_CBC_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5
                      SSLv3 ciphers: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
192.168.59.100:8443   Negotiated with the following insecure cipher suites.
                      SSLv3 ciphers: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
192.168.59.105:500    Negotiated with the following insecure cipher suites.
                      SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
                      SSLv3 ciphers: SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5

Vulnerability Solution:
Configure the server to disable support for weak ciphers.
For Microsoft IIS web servers, see Microsoft Knowledge Base article 245030 for
instructions on disabling weak ciphers (SCHANNEL cipher settings in the registry).
For Apache web servers with mod_ssl, edit the Apache configuration file and
change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
This is the scanner's recommendation of the time. It removes the export, single-DES and
anonymous suites listed above; the SSLv2 suites disappear only when the SSLv2 protocol
itself is disabled (see VI.2.5). RC4, which this string keeps, has since been prohibited
for TLS (RFC 7465), so a current configuration should also exclude it, for example with
!RC4 and !MD5 in the string, and set SSLHonorCipherOrder on so that the server's
preference, not the client's, decides the suite. After any change, re-scan: a cipher string
is easy to get wrong and the only proof is a negotiation that fails.
VI.2.5. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)
Description:
Although the server accepts clients using TLS or SSLv3, it also accepts clients using
SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It
suffers from a number of security flaws allowing attackers to capture and alter
information passed between a client and the server, including the following
weaknesses:
- No protection against man-in-the-middle attacks during the handshake.
- Weak MAC construction, relying solely on the MD5 hash function.
- Exportable cipher suites unnecessarily weaken the MACs.
- The same cryptographic keys are used for message authentication and encryption.
- Vulnerable to truncation attacks by forged TCP FIN packets.
SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3
meets the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal
information systems. Only the newer TLS (Transport Layer Security) protocol meets
FIPS 140-2 requirements. In addition, the presence of a service accepting SSLv2 on a host
is deemed a failure by the PCI (Payment Card Industry) Data Security Standard.
Affected Nodes:
Table IV.26.sslv2-and-up-enabled
Affected Nodes        Additional Information
192.168.59.100:443    SSLv2 is supported
192.168.59.105:500    SSLv2 is supported


Vulnerability Solution:
Apache HTTPD
Disable SSLv2 protocol support in Apache HTTPD.
For Apache web servers with mod_ssl, edit the Apache configuration file and
change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
The ! (exclamation point) before SSLv2 is what removes the SSLv2 cipher suites. This
works only indirectly, by leaving no suite the protocol can use; the direct and preferred
control is the SSLProtocol directive (SSLProtocol all -SSLv2, and today also -SSLv3), which
rejects the protocol version in the handshake regardless of the cipher configuration.
Windows
Disable SSLv2 protocol support in Microsoft Windows. In the registry, set the DWORD value
Enabled to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
(create the key if it does not exist) and reboot.
Configure the server to require clients to use at least SSLv3 or TLS. Given the SSLv3-only
weak suites reported in VI.2.4, and SSLv3's later deprecation (RFC 7568), TLS is the
realistic floor.
VI.2.6. SMB signing disabled (cifs-smb-signing-disabled)
Description:
This system does not allow SMB signing. SMB signing allows the recipient of SMB
packets to confirm their authenticity and helps prevent man in the middle attacks against
SMB. SMB signing can be configured in one of three ways: disabled entirely (least
secure), enabled, and required (most secure).
Affected Nodes:
Table IV.27.Cifs-smb-signing-disabled
Affected Nodes
192.168.59.150:139
192.168.59.150:445
192.168.59.22:139
192.168.59.22:445
192.168.59.231:139
192.168.59.231:445
192.168.59.233:139
192.168.59.233:445
192.168.59.249:139
192.168.59.249:445

Additional Information (identical for all ten nodes)
Negotiate protocol response's security mode 3 indicates that SMB signing is disabled


Vulnerability Solution:
Microsoft Windows
Configure the system to enable or require SMB signing as appropriate, via Local Security
Policy or Group Policy under Local Policies -> Security Options: "Microsoft network server:
Digitally sign communications (if client agrees)" enables signing, and "Microsoft network
server: Digitally sign communications (always)" requires it.
Make sure that the SMB signing configuration is applied to incoming connections (the
"Microsoft network server" settings), not only to the client side ("Microsoft network client").
Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB
signing, put the following in the Samba configuration file, typically smb.conf, in the
global section:
server signing = auto
To require SMB signing, put the following in the Samba configuration file, typically
smb.conf, in the global section:
server signing = mandatory
Only the "required" setting actually defeats relay and tampering attacks: with signing merely
enabled, an attacker's client simply negotiates a session without it.
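The "security mode 3" quoted in the scanner output above is a bit field from the SMB1 Negotiate Protocol response. As an added example (not part of the original report), this Python decodes that field from a NetBIOS-framed negotiate response, for SMB1 and for SMB2, and maps it to the three states the finding describes. The sample frames are constructed, not captured, and carry only the fields the decoder reads; against real traffic, feed it the server's negotiate reply from a capture.

```python
import struct

# MS-CIFS SecurityMode bits in the SMB1 Negotiate response
SMB1_USER_SECURITY = 0x01       # user-level (not share-level) security
SMB1_ENCRYPT_PASSWORDS = 0x02   # challenge/response instead of plaintext passwords
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08
# MS-SMB2 SecurityMode flags in the SMB2 NEGOTIATE response
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002


def signing_state(enabled, required):
    """Map the two signing bits to the three states the finding describes."""
    if required:
        return "required"
    if enabled:
        return "enabled"
    return "disabled"


def security_mode_from_negotiate(raw):
    """Decode SecurityMode from a NetBIOS-framed Negotiate Protocol response.
    Returns (dialect family, raw mode value, signing state)."""
    if len(raw) < 8:
        raise ValueError("frame too short")
    body = raw[4:]                                   # skip 4-byte NetBIOS session header
    if body[:4] == b"\xffSMB":                       # SMB1
        if len(body) < 36:
            raise ValueError("SMB1 negotiate response truncated")
        if body[4] != 0x72:
            raise ValueError("not an SMB_COM_NEGOTIATE response")
        if body[32] < 2:                             # WordCount must cover DialectIndex + SecurityMode
            raise ValueError("negotiate response carries no SecurityMode")
        mode = body[35]                              # header (32) + WordCount (1) + DialectIndex (2)
        return ("SMB1", mode,
                signing_state(mode & SMB1_SIGNING_ENABLED, mode & SMB1_SIGNING_REQUIRED))
    if body[:4] == b"\xfeSMB":                       # SMB2/3
        if len(body) < 68:
            raise ValueError("SMB2 negotiate response truncated")
        command = struct.unpack_from("<H", body, 12)[0]
        if command != 0x0000:
            raise ValueError("not an SMB2 NEGOTIATE response")
        mode = struct.unpack_from("<H", body, 64 + 2)[0]   # header (64) + StructureSize (2)
        return ("SMB2", mode,
                signing_state(mode & SMB2_SIGNING_ENABLED, mode & SMB2_SIGNING_REQUIRED))
    raise ValueError("unknown protocol magic")


def smb1_negotiate_response(security_mode):
    """Constructed (not captured) NT LM 0.12 negotiate reply with the given
    SecurityMode byte; all other parameter words are zero."""
    header = b"\xffSMB" + bytes([0x72]) + bytes(27)                  # Command 0x72, rest zeroed
    words = bytes([17]) + struct.pack("<HB", 0, security_mode) + bytes(31)   # 17 words
    body = header + words + bytes(2)                                  # ByteCount = 0
    return struct.pack(">I", len(body)) + body                        # NetBIOS session header


def smb2_negotiate_response(security_mode):
    """Constructed SMB2 NEGOTIATE response carrying the given SecurityMode."""
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, 0x0000) + bytes(64 - 14)
    body = struct.pack("<HHH", 65, security_mode, 0x0202) + bytes(65 - 6)
    return struct.pack(">I", len(header) + len(body)) + header + body


if __name__ == "__main__":
    # The scanner's "security mode 3" = USER_SECURITY | ENCRYPT_PASSWORDS, signing bits clear.
    print(security_mode_from_negotiate(smb1_negotiate_response(0x03)))    # ('SMB1', 3, 'disabled')
    print(security_mode_from_negotiate(smb2_negotiate_response(0x0003)))  # ('SMB2', 3, 'required')
```

The decoder shows why the same number means different things in the two dialects: SMB1 mode 3 is user-level security with challenge/response and no signing, whereas SMB2 mode 3 is signing enabled and required.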
VI.2.7. Apache HTTPD: error responses can expose cookies (CVE-2012-0053)
Description:
A flaw was found in the default error response for status code 400. This flaw could be
used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is
specified.
Affected Nodes:
Table IV.28.CVE-2012-0053
Affected Nodes        Additional Information
192.168.59.100:90     Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.14. HTTP GET request to http://192.168.59.100:90/ ; HTTP response code was an expected 400:
                      9: <h1>Bad Request</h1>
                      10: <p>Your browser sent a request that this server could not understand.
                      11: Request header field is missing ':' separator.<br />
                      12: <pre>
                      9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
192.168.59.100:443    Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.14. HTTP GET request to https://192.168.59.100/ ; HTTP response code was an expected 400, with the same error page (lines 9-12) as port 90.
192.168.59.150:80     Running HTTP service. HTTP GET request to http://192.168.59.150/ ; HTTP response code was an expected 400:
                      9: <H1>Bad Request</H1>
                      10: Your browser sent a request that this server could not understand.<P>
                      11: Request header field is missing colon separator.<P>
                      12: <PRE>
                      9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
192.168.59.150:443    Running HTTPS service. HTTP GET request to https://192.168.59.150/ ; HTTP response code was an expected 400, with the same error page (lines 9-12) as port 80.

Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.22
Upgrade to Apache HTTPD version 2.2.22, whose default 400 page no longer quotes the
offending request header. 192.168.59.150 runs Apache 1.3.42 (see the OpenSSL finding
above), a branch that is end-of-life; migrating it to a supported release is the only fix
there. Setting a custom ErrorDocument 400 that does not echo request data is an interim
mitigation on either version.
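The scanner evidence above shows the mechanism: a request header field without a ':' makes Apache answer 400, and a vulnerable default error page quotes the offending field back, which is what lets script-set oversized cookies leak httpOnly cookies. As an added example (not part of the original report), the following Python builds that probe and recognises the echo. The marker string and the two sample responses are constructed, modelled on the output above rather than captured; probe() performs the live check against a host you are authorised to test.

```python
import socket

# Constructed marker: easy to spot in a response body, unlikely to occur naturally.
MARKER = "X7PROBE" * 12


def build_probe_request(host, marker=MARKER):
    """Request whose third line is a header field with no ':' separator. Apache
    rejects it with 400; a vulnerable default error page quotes the offending
    field back, which is the echo the scanner output above shows."""
    return (f"GET / HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"{marker}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, body).
    Status is 0 when the status line cannot be parsed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, body


def echoes_request_field(raw, marker=MARKER):
    """True when a 400 response reflects the malformed field in its body.
    A server that answers 400 without the echo (Apache >= 2.2.22, or a custom
    ErrorDocument) is not affected."""
    status, body = parse_response(raw)
    return status == 400 and marker.encode("ascii") in body


def probe(host, port=80, timeout=5.0):
    """Live check: send the probe and read until the server closes the connection
    (Apache 2.2 closes after a 400)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return echoes_request_field(b"".join(chunks))


def _response(status_line, body):
    """Assemble a constructed HTTP response for offline testing."""
    return (status_line + "\r\n"
            "Content-Type: text/html; charset=iso-8859-1\r\n"
            "Connection: close\r\n\r\n").encode("latin-1") + body.encode("latin-1")


# Constructed responses modelled on the scanner output above, not captured data.
VULNERABLE_RESPONSE = _response(
    "HTTP/1.1 400 Bad Request",
    "<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not "
    "understand.<br />\nRequest header field is missing ':' separator.<br />\n"
    f"<pre>\n{MARKER}</pre>\n</p>\n")
FIXED_RESPONSE = _response(
    "HTTP/1.1 400 Bad Request",
    "<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not "
    "understand.<br />\n</p>\n")


if __name__ == "__main__":
    print("vulnerable sample echoes field:", echoes_request_field(VULNERABLE_RESPONSE))  # True
    print("fixed sample echoes field:", echoes_request_field(FIXED_RESPONSE))            # False
```

For HTTPS targets such as 192.168.59.100:443, wrap the socket with ssl.create_default_context() (check_hostname off and verify_mode CERT_NONE, since these hosts present self-signed certificates) before sending the same bytes.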

VI.3. Moderate Vulnerabilities


VI.3.1. Unencrypted Telnet Service Available (telnet-open-port)
Description:
Telnet is an unencrypted protocol; as such it sends sensitive data (usernames and
passwords) in clear text. For this reason, it is a violation of PCI DSS Requirement 2.3 to
have telnet enabled, unless a business case can be made for why it is required.
Affected Nodes:
Table IV.29.Telnet-open-port
Affected Nodes        Additional Information
192.168.59.100:23     Running Telnet service


Vulnerability Solution:
Disable the telnet service. Replace it with technologies such as SSH, VPN, or TLS.

VI.3.2. ICMP timestamp response (generic-icmp-timestamp)


Description:
The remote host responded to an ICMP timestamp request. The ICMP timestamp response
contains the remote host's date and time.
This information could theoretically be used against some systems to exploit weak time-based
random number generators in other services.
In addition, the versions of some operating systems can be accurately fingerprinted by
analyzing their responses to invalid ICMP timestamp requests.
Affected Nodes:
Table IV.30.Generic-icmp-timestamp
Affected Nodes        Additional Information
192.168.59.100        Remote system time: 13:28:28.000 CEST
192.168.59.101        Remote system time: 11:32:39.718 CEST
192.168.59.105        Remote system time: 13:32:22.093 CEST
192.168.59.111        Remote system time: 13:30:03.614 CEST
192.168.59.130        Remote system time: 12:33:14.481 CEST
192.168.59.150        Remote system time: 12:49:21.026 CEST
192.168.59.22         Remote system time: 12:37:35.000 CEST
192.168.59.231        Remote system time: 12:40:10.359 CEST
192.168.59.233        Remote system time: 12:29:11.100 CEST

Vulnerability Solution: (see workbook VI, page 98)

Disable ICMP timestamp responses on Windows XP/2K3
ICMP timestamp responses can be disabled by deselecting the "Allow incoming
timestamp request" option in the ICMP configuration panel of Windows Firewall:
1. Go to the Network Connections control panel.
2. Right-click on the network adapter and select "Properties", or select the adapter
   and choose File -> Properties.
3. Select the "Advanced" tab.
4. In the Windows Firewall box, select "Settings".
5. Select the "General" tab.
6. Enable the firewall by selecting the "On (recommended)" option.
7. Select the "Advanced" tab.
8. In the ICMP box, select "Settings".
9. Deselect (uncheck) the "Allow incoming timestamp request" option.
10. Select "OK" to exit the ICMP Settings dialog and save the settings.
11. Select "OK" to exit the Windows Firewall dialog and save the settings.
12. Select "OK" to exit the adapter properties dialog.

Disable ICMP timestamp responses on Windows Vista/2008
ICMP timestamp responses can be disabled via the netsh command line utility:
1. Go to the Windows Control Panel.
2. Select "Windows Firewall".
3. In the Windows Firewall box, select "Change Settings".
4. Enable the firewall by selecting the "On (recommended)" option.
5. Open a Command Prompt as administrator.
6. Enter "netsh firewall set icmpsetting 13 disable"
The "netsh firewall" context is deprecated from Vista onward; the equivalent in the current
context is an inbound block rule for ICMP type 13, for example:
netsh advfirewall firewall add rule name="Block ICMP timestamp" dir=in action=block protocol=icmpv4:13,any

The easiest and most effective solution is to configure your firewall to block incoming and
outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp
response). Hosts that are not Windows (nine nodes answered, several of which are not
Windows machines) need the equivalent rule in their own packet filter. Note that the reported
clock values also disagree with each other by up to two hours, which is a separate
operational issue worth raising: unsynchronised clocks make log correlation during an
incident unreliable.


VII. Exploits
In the following figure we were able to exploit some of the loopholes that we detected
in order to gain remote access to the assets connected to the network.
This figure illustrates four attacks, each launched against a different machine.

Figure IV.25.exploiting vulnerabilities

VIII. Conclusion
The scanned site was found to be vulnerable, and the vulnerabilities presented in this
report were found to be the most common ones with the highest risk rate, regardless of
type (critical, severe or moderate).
We were therefore able to successfully trigger some of the mentioned loopholes by
hacking into the network and launching passive attacks.


Workbook V
Vulnerability report site 2


I. INTRODUCTION
This report represents a security audit. It contains confidential information about the
state of your network. Access to this information by unauthorized personnel may
allow them to compromise your network.
During this test, 6 hosts with a total of 58 exposed services and 139 vulnerabilities
were discovered.

II. Discovered Operating Systems

Table V.31.Operating systems
Operating System       Hosts   Services   Vulnerabilities
Microsoft Windows      6       58         139

The table above lists the operating systems of the hosts on which the vulnerability scan
was run. All six hosts run Microsoft Windows, so the per-OS figures equal the site totals.

The following figure illustrates the percentage of the hosts operating systems.

Figure V.26.Operating Systems


III. Discovered Hosts

Table V.32.Hosts
IP Address       Hostname           OS                   Services   Vulns   Status
192.168.1.51     sonia-pc           Microsoft Windows    12         14      success
192.168.1.52     sana-pc            Microsoft Windows    -          91      success
192.168.1.31     pc1-41933e504a3    Microsoft Windows    -          10      success
192.168.1.32     manel-pc           Microsoft Windows    -          10      success
192.168.1.21     LENOVO-PC          Microsoft Windows    -          -       success
192.168.1.253    WIN-E3OMF312OOT    Microsoft Windows    21         12      success
(-: not reported)

The table above represents the discovered hosts along with some general information
obtained during the vulnerability scan.

This figure illustrates the number of the discovered loopholes of each node.

Figure V.27.Vulnerabilities diagram


IV. Detailed Findings

Table V.33.Services
Service    Protocol   Port
smb        tcp        445
http       tcp        80
https      tcp        443
telnet     tcp        23
dns        udp        53
ftp        tcp        21

The table above lists some of the protocols discovered while scanning the network.

The following figure gives a global view of all discovered services with multiple running
instances; some of these services are listed in the table above.

Figure V.28.Service Frequency


The audit was performed on 6 systems, 6 of which were found to be active and were scanned.
There were 138 vulnerabilities found during this scan. Of these, 38 were critical
vulnerabilities. Critical vulnerabilities require immediate attention.
They are relatively easy for attackers to exploit and may provide them with full control of the
affected systems.
84 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not
provide the same access to affected systems.
There were 16 moderate vulnerabilities discovered. These often provide information to
attackers that may assist them in mounting subsequent attacks on your network.
These should also be fixed in a timely manner, but are not as urgent as the other
vulnerabilities.
Critical vulnerabilities were found to exist on 5 of the systems, making them most susceptible
to attack. 6 systems were found to have severe vulnerabilities. Moderate vulnerabilities were
found on 6 systems. No systems were free of vulnerabilities.

Figure V.29.Vulnerabilities severity


There were 10 occurrences each of the cifs-smb-signing-disabled and cifs-smb-signing-not-required
vulnerabilities, making them the most common vulnerabilities. There were 135
vulnerabilities in the HTTP category, making it the most common vulnerability category.

Figure V.30.Common vulnerabilities

One operating system was identified during this scan, along with 24 running services. The
cifs-smb-signing-disabled vulnerability poses the highest risk to the organization, with a
risk score of 3,828.

Figure V.31.Risk vulnerabilities


The CIFS, CIFS Name Service and DCE Endpoint Resolution services were found on 6
systems, making them the most common services.
The HTTP service was found to have the most vulnerabilities during this scan with 88
vulnerabilities.

Figure V.32.Common services


V. RISK SCORE
Table V.34.Risk score
Node             Operating System                                   Risk     Aliases
192.168.1.52     Microsoft Windows XP                               30,467   SANA-PC
192.168.1.51     Microsoft Windows XP                               9,060    SONIA-PC
192.168.1.31     Microsoft Windows XP                               6,844    PC1-41933E504A3
192.168.1.253    Microsoft Windows Server 2008 Enterprise Edition   6,339    WIN-E3OMF312OOT
192.168.1.32     Microsoft Windows XP SP3                           4,084    MANEL-PC
192.168.1.21     Microsoft Windows 7 Professional SP1               1,516    LENOVO-PC

The table above gives the risk score of each node discovered in the vulnerability scan. The
score is computed by the scanner from the number and severity of the vulnerabilities on each
asset, so it ranks hosts for remediation priority rather than measuring exposure in absolute
terms: 192.168.1.52, with 91 findings on an outdated PHP/Apache stack, comes first.


VI. Discovered and Potential Vulnerabilities

VI.1. Critical Vulnerabilities


VI.1.1. PHP Vulnerability: CVE-2011-3268 (php-cve-2011-3268)
Description:
Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent
attackers to have an unspecified impact via a long salt argument, a different
vulnerability than CVE-2011-2483.
Affected Nodes:
Table V.35.CVE-2011-3268
Affected Nodes        Additional Information
192.168.1.52:80       Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
192.168.1.52:443      Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5

Vulnerability Solution:
Upgrade the installed PHP 5.3.5 to 5.3.7 or later, the first release containing the fix.
VI.1.2. PHP Vulnerability: CVE-2012-2376 (php-cve-2012-2376)
Description:
Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on
Windows allows remote attackers to execute arbitrary code via crafted arguments
that trigger incorrect handling of COM object VARIANT types, as exploited in the
wild in May 2012.
Affected Nodes:
Table V.36.CVE-2012-2376
Affected Nodes        Additional Information
192.168.1.52:80       Vulnerable OS: Microsoft Windows XP. Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
192.168.1.52:443      Vulnerable OS: Microsoft Windows XP. Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5

Vulnerability Solution:
Upgrade PHP to 5.4.4 or later (the issue affects 5.4.3 and earlier on Windows, and the
host's 5.3.5 build is within that range).

VI.1.3. PHP Vulnerability: CVE-2012-2688 (php-cve-2012-2688)


Description:
Unspecified vulnerability in the _php_stream_scandir function in the stream
implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact
and remote attack vectors, related to an "overflow."
Affected Nodes:
Table V.37.CVE-2012-2688
Affected Nodes        Additional Information
192.168.1.52:80       Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
192.168.1.52:443      Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5

Vulnerability Solution:
Upgrade to PHP version 5.4.5, or to 5.3.15 if staying on the 5.3 branch. The three PHP
findings on this host all stem from the single outdated PHP 5.3.5 install, so one upgrade
closes all of them.

VI.1.4. MS08-067: Allow Remote Code Execution (958644)


Description:
This security update resolves a privately reported vulnerability in the Server
service. The vulnerability could allow remote code execution if an affected system
received a specially crafted RPC request. On Microsoft Windows 2000, Windows
XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability
without authentication to run arbitrary code. It is possible that this vulnerability
could be used in the crafting of a wormable exploit. Firewall best practices and
standard default firewall configurations can help protect network resources from
attacks that originate outside the enterprise perimeter.
Affected Nodes:
Table V.38.MS08-067
Affected Nodes        Additional Information
192.168.1.31:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Received vulnerable status reply
192.168.1.31:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Received vulnerable status reply

Vulnerability Solution:
MS08-067: Security Update for Windows XP (KB958644).


VI.1.5. MS09-001: Remote Code Execution (958687)


Description:
This security update resolves two privately reported vulnerabilities and one
publicly disclosed vulnerability in Microsoft Server Message Block (SMB)
Protocol. The vulnerabilities could allow remote code execution on affected
systems. An attacker who successfully exploited these vulnerabilities could
install programs; view, change, or delete data; or create new accounts with full
user rights.
Affected Nodes:
Table V.39.MS09-001
Affected Nodes        Additional Information
192.168.1.253:139     Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. \LSARPC: WriteAndX succeeded with offset 77
192.168.1.253:445     Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. \LSARPC: WriteAndX succeeded with offset 77
192.168.1.31:139      Vulnerable OS: Microsoft Windows XP. \BROWSER: WriteAndX succeeded with offset 77
192.168.1.31:445      Vulnerable OS: Microsoft Windows XP. \BROWSER: WriteAndX succeeded with offset 77
192.168.1.51:139      Vulnerable OS: Microsoft Windows XP. \SPOOLSS: WriteAndX succeeded with offset 77
192.168.1.51:445      Vulnerable OS: Microsoft Windows XP. \SPOOLSS: WriteAndX succeeded with offset 77

Vulnerability Solution:
MS09-001: Security Update for Windows XP (KB958687)
MS09-001: Security Update for Windows Server 2008 (KB958687), since 192.168.1.253 is affected as well

VI.1.6. MS09-050: Remote Code Execution (975517)


Description:
This security update resolves one publicly disclosed and two privately reported
vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of
the vulnerabilities could allow remote code execution if an attacker sent a specially
crafted SMB packet to a computer running the Server service.
Affected Nodes:
Table V.40.MS09-050
Affected Nodes        Additional Information
192.168.1.253:445     Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. System replied with a malformed SMB packet

Vulnerability Solution:
MS09-050: Security Update for Windows Server 2008 x64 Edition (KB975517).

VI.1.7. MS10-012: Remote Code Execution (971468)


Description:
This security update resolves several privately reported vulnerabilities in Microsoft
Windows. The most severe of these vulnerabilities could allow remote code
execution if an attacker created a specially crafted SMB packet and sent the packet
to an affected system.
Affected Nodes:
Table V.41.MS10-012
Affected Nodes        Additional Information
192.168.1.253:139     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.253:445     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.

Vulnerability Solution:
MS10-012: Security Update for Windows XP (KB971468).
MS10-012: Security Update for Windows Server 2008 (KB971468).
Note that the scanner infers this finding from the MS09-001 result rather than testing it
directly: a host still missing the January 2009 SMB update is assumed to be missing the later
ones too. Apply the full set of outstanding updates through Windows Update rather than
individual bulletins, then re-scan to confirm the inferred findings clear.


VI.1.8. MS10-054: Remote Code Execution (982214)


Description:
This security update resolves several privately reported vulnerabilities in Microsoft
Windows. The most severe of these vulnerabilities could allow remote code
execution if an attacker created a specially crafted SMB packet and sent the packet
to an affected system.
Affected Nodes:
Table V.42.MS10-054
Affected Nodes        Additional Information
192.168.1.253:139     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
192.168.1.253:139     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.253:445     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
192.168.1.253:445     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.

Vulnerability Solution: (see workbook VI, page 97)


MS10-054: Security Update for Windows Server 2008 (KB982214)
MS10-054: Security Update for Windows XP Edition (KB982214)

VI.1.9. MS11-020: Remote Code Execution (2508429)


Description:
This security update resolves a privately reported vulnerability in Microsoft
Windows. The vulnerability could allow remote code execution if an attacker
created a specially crafted SMB packet and sent the packet to an affected system.
Affected Nodes:
Table V.43.MS11-020
Affected Nodes        Additional Information
192.168.1.253:139     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
192.168.1.253:139     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.253:445     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.253:445     Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
192.168.1.31:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:139      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:445      Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.

Vulnerability Solution:
MS11-020: Security Update for Windows Server 2008 (KB2508429)
MS11-020: Security Update for Windows XP (KB2508429)

VI.1.10.MS12-020: Remote Code Execution (2671387)


Description:
This security update resolves two privately reported vulnerabilities in the
Remote Desktop Protocol. The more severe of these vulnerabilities could allow
remote code execution if an attacker sends a sequence of specially crafted RDP
packets to an affected system. By default, the Remote Desktop Protocol (RDP)
is not enabled on any Windows operating system. Systems that do not have
RDP enabled are not at risk.


Affected Nodes:
Table V.44. MS12-020
Affected Nodes | Additional Information
192.168.1.253:3389 | Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
192.168.1.31:3389 | Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
192.168.1.51:3389 | Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.

Vulnerability Solution:
MS12-020: Security Update for Windows Server 2008 x64 Edition (KB2621440)
MS12-020: Security Update for Windows XP (KB2621440)

VI.1.11. Invalid CIFS Logins Permitted (cifs-invalid-logins-permitted)


Description:
Windows XP (and possibly Vista) includes a "ForceGuest" operating mode
whereby the CIFS service allows unauthenticated users to connect to the
service with limited access. The "ForceGuest" mode is enabled by default on
Windows XP installations which aren't joined to a domain and have Simple
File Sharing enabled.
This operating mode accepts any set of login credentials, but forces the logged
on user to operate under the access restrictions of a guest user on the system.
Affected Nodes:
Table V.45. cifs-invalid-logins-permitted
Affected Nodes | Additional Information
192.168.1.32 | Established CIFS connection with randomly generated credentials: 58854610A2E0DC68
192.168.1.51 | Established CIFS connection with randomly generated credentials: 0849BA09B2320613
192.168.1.52 | Established CIFS connection with randomly generated credentials: ADA321C795FB5C75

Vulnerability Solution:
In the 'Local Security Settings' feature of the Windows Control Panel, modify the following settings:
- Set 'Local Policies -> User Rights Assignment -> Deny access to this computer from the network' to include the guest account.
- Set 'Local Policies -> Security Options -> Accounts: Guest account status' to 'Disabled'.

VI.1.12. CIFS NULL Session Permitted (cifs-nt-0001)


Description:
NULL sessions allow anonymous users to establish unauthenticated CIFS
sessions with Windows or third-party CIFS implementations such as Samba or the
Solaris CIFS Server. These anonymous users may be able to enumerate local
users, groups, servers, shares, domains, domain policies, and may be able to access
various MSRPC services through RPC function calls. These services have been
historically affected by numerous vulnerabilities. The wealth of information
available to attackers through NULL sessions may also allow them to carry out
more sophisticated attacks.
Affected Nodes:
Table V.46. cifs-nt-0001
Affected Nodes | Additional Information
192.168.1.31 | Found server name: PC1-41933E504A3
192.168.1.32 | Found server name: MANEL-PC
192.168.1.52 | Found server name: SANA-PC

Vulnerability Solution:
Disable NULL sessions for Windows XP
- Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following values:
  Value Name: RestrictAnonymous
  Data Type: REG_DWORD
  Data Value: 1
  Value Name: RestrictAnonymousSAM
  Data Type: REG_DWORD
  Data Value: 1
  Value Name: EveryoneIncludesAnonymous
  Data Type: REG_DWORD
  Data Value: 0
- Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ with the following values:
  Value Name: RestrictNullSessAccess
  Data Type: REG_DWORD
  Data Value: 1
  Value Name: NullSessionPipes
  Data Type: REG_MULTI_SZ
  Data Value: "" (empty string, without quotes)
- Open Local Security Settings and disable the following setting:
  Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled
- Finally, reboot the machine.

VI.2. Severe Vulnerabilities


VI.2.1. SMB signing disabled & SMB signing not required
Description:
This system does not allow SMB signing / this system enables, but does not
require SMB signing. SMB signing allows the recipient of SMB packets to
confirm their authenticity and helps prevent man in the middle attacks against
SMB.
Affected Nodes:
Table V.47. Cifs-smb-signing-disabled/not-required
Affected Nodes | Additional Information
192.168.1.21:139 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.21:445 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.31:139 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.31:445 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.32:139 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.32:445 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.51:139 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.51:445 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.52:139 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required
192.168.1.52:445 | Negotiate protocol response's security mode 3 indicates that SMB signing is disabled / not required

Vulnerability Solution:
Microsoft Windows
Configure the system to enable or require SMB signing as appropriate.
Make sure that SMB signing configuration is done for incoming connections (Server).
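The "security mode 3" quoted in the table above is a bit field from the SMB negotiate response. The Python below, added here as an example and not code from the audit report, decodes that field for SMB1 and, as a generalisation, SMB2, and rates the signing posture the way the scanner does; the packet it parses is a constructed sample, not a capture from the audited hosts.

```python
"""Decode the SecurityMode field of an SMB NEGOTIATE response and rate the
signing posture behind the 'SMB signing disabled / not required' finding."""
from dataclasses import dataclass

# SMB1 (CIFS) NEGOTIATE response SecurityMode bits (MS-CIFS 2.2.4.52.2)
SMB1_USER_SECURITY = 0x01      # user-level rather than share-level security
SMB1_ENCRYPT_PASSWORDS = 0x02  # challenge/response instead of plaintext passwords
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08

# SMB2 NEGOTIATE response SecurityMode bits (MS-SMB2 2.2.4)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002

SMB1_HEADER_LEN = 32
SMB1_COM_NEGOTIATE = 0x72


@dataclass(frozen=True)
class SigningPosture:
    enabled: bool
    required: bool

    def label(self) -> str:
        if self.required:
            return "required"
        if self.enabled:
            return "enabled, not required"
        return "disabled"

    @property
    def vulnerable(self) -> bool:
        # Only 'required' protects the session: a server that merely enables
        # signing still accepts unsigned sessions from a client that does not
        # ask for it, so both other states are reported as findings.
        return not self.required


def smb1_posture(security_mode: int) -> SigningPosture:
    """Rate an SMB1 SecurityMode byte (3 in the table above: bits 0 and 1
    only, i.e. user-level security and encrypted passwords, no signing)."""
    return SigningPosture(
        enabled=bool(security_mode & SMB1_SIGNING_ENABLED),
        required=bool(security_mode & SMB1_SIGNING_REQUIRED),
    )


def smb2_posture(security_mode: int) -> SigningPosture:
    """Rate an SMB2 SecurityMode word (same idea, different bit positions)."""
    return SigningPosture(
        enabled=bool(security_mode & SMB2_SIGNING_ENABLED),
        required=bool(security_mode & SMB2_SIGNING_REQUIRED),
    )


def posture_from_smb1_negotiate(packet: bytes) -> SigningPosture:
    """Pull SecurityMode out of a raw SMB1 NEGOTIATE response (NT LM 0.12).

    Layout: 32-byte SMB header, then WordCount (1 byte), DialectIndex
    (2 bytes), SecurityMode (1 byte), so SecurityMode sits at offset 35."""
    if len(packet) < SMB1_HEADER_LEN + 4 or packet[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if packet[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    if packet[SMB1_HEADER_LEN] != 17:
        raise ValueError("unexpected WordCount; only the NT LM 0.12 layout is handled")
    return smb1_posture(packet[SMB1_HEADER_LEN + 3])


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed sample: a minimal NT LM 0.12 NEGOTIATE response carrying
    the given SecurityMode, used only to exercise the parser offline."""
    header = (
        b"\xffSMB"                     # protocol id
        + bytes([SMB1_COM_NEGOTIATE])  # command
        + b"\x00\x00\x00\x00"          # NT status: success
        + b"\x88"                      # Flags: reply, case-insensitive
        + b"\x01\xc8"                  # Flags2: Unicode, NT status, ext. security, long names
        + b"\x00" * 2                  # PIDHigh
        + b"\x00" * 8                  # SecurityFeatures
        + b"\x00" * 10                 # Reserved, TID, PIDLow, UID, MID
    )
    assert len(header) == SMB1_HEADER_LEN
    words = bytes([17]) + (0).to_bytes(2, "little") + bytes([security_mode]) + b"\x00" * 31
    return header + words + b"\x00\x00"  # ByteCount = 0


if __name__ == "__main__":
    for mode in (3, 7, 15):
        print(mode, smb1_posture(mode).label())  # 3 -> disabled, as in the table
```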

VI.2.2. HTTP TRACE Method Enabled (http-trace-method-enabled)


Description:
The HTTP TRACE method is normally used to return the full HTTP request back
to the requesting client for proxy-debugging purposes.
An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to
cause a client to issue a TRACE request and capture the client's cookies. This
effectively results in a Cross-Site Scripting attack.
Affected Nodes:
Table V.48. http-trace-method-enabled
Affected Nodes | Additional Information
192.168.1.51:80 | Running HTTP service. HTTP TRACE request to http://192.168.1.51/:
  3: TRACE / HTTP/1.1
  4: Host: 192.168.1.51
  3: Cookie: vulnerable=yes
192.168.1.52:80 | Running HTTP service. HTTP TRACE request to http://192.168.1.52/:
  3: TRACE / HTTP/1.1
  4: Host: 192.168.1.52
  3: Cookie: vulnerable=yes
192.168.1.52:443 | Running HTTPS service. HTTP TRACE request to https://192.168.1.52/:
  3: TRACE / HTTP/1.1
  4: Host: 192.168.1.52:443
  3: Cookie: vulnerable=yes

Vulnerability Solution:
Apache HTTPD: disable the HTTP TRACE method for Apache.
- Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable. To deny TRACE requests, add the following line to the server configuration:
  TraceEnable off

VI.2.3. Apache HTTPD: error responses can expose cookies (CVE-2012-0053)
Description:
A flaw was found in the default error response for status code 400. This flaw could
be used by an attacker to expose "httpOnly" cookies when no custom
ErrorDocument is specified.
Affected Nodes:
Table V.49. CVE-2012-0053
Affected Nodes | Additional Information
192.168.1.52:80 | Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.17.
192.168.1.52:80 | Running HTTP service. HTTP GET request to http://192.168.1.52/. HTTP response code was an expected 400:
  9: <h1>Bad Request</h1>
  10: <p>Your browser sent a request that this server could not understan...
  11: Request header field is missing ':' separator.<br />
  12: <pre>
  9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
192.168.1.52:443 | Running HTTPS service. HTTP GET request to https://192.168.1.52/. HTTP response code was an expected 400:
  9: <h1>Bad Request</h1>
  10: <p>Your browser sent a request that this server could not understan...
  11: Request header field is missing ':' separator.<br />
  12: <pre>
  9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
192.168.1.52:443 | Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.17.

Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.22
Upgrade to Apache HTTPD version 2.2.22
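Both VI.2.2 (TRACE echoing the Cookie header) and VI.2.3 (the 400 error page echoing a malformed header) are the same symptom: the server reflects request data back to the client. The Python below, added here as an example and not code from the audit report or from Apache, evaluates raw HTTP responses for the two findings so a defender can re-test after applying TraceEnable off or the 2.2.22 upgrade; the responses and the R7TEST-style header marker are constructed samples, not captures from the audited hosts.

```python
"""Classify raw HTTP responses for the two request-reflection findings:
an echoed TRACE request (with the client's Cookie header) and an Apache 2.2
400 error page that repeats the offending request header (CVE-2012-0053)."""
from typing import Dict, Tuple

COOKIE_MARKER = "Cookie: vulnerable=yes"  # same canary header as in the scanner output
HEADER_MARKER = "R7TEST" * 12            # constructed stand-in for the scanner's oversized header


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body.decode("iso-8859-1", errors="replace")


def trace_reflects_cookie(raw: bytes) -> bool:
    """TRACE finding: a 200 reply whose body is our own request line followed
    by our Cookie header means the server hands client cookies back to script."""
    status, _, body = parse_response(raw)
    if status != 200:
        return False
    return body.lstrip().startswith("TRACE ") and COOKIE_MARKER in body


def bad_request_reflects_header(raw: bytes, marker: str = HEADER_MARKER) -> bool:
    """CVE-2012-0053 finding: a 400 error page that repeats the malformed
    header text. A patched server answers 400 without echoing it."""
    status, _, body = parse_response(raw)
    return status == 400 and marker in body


# Constructed samples (not captured traffic) ---------------------------------
TRACE_ECHOED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: 192.168.1.51\r\nCookie: vulnerable=yes\r\n"
)
TRACE_DENIED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"
BAD_REQUEST_LEAKY = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1><p>Your browser sent a request that this server "
    b"could not understand.<br />\nRequest header field is missing ':' separator.<br /><pre>\n"
    + HEADER_MARKER.encode() + b"\n</pre></p>"
)
BAD_REQUEST_FIXED = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1><p>Your browser sent a request that this server "
    b"could not understand.<br />\n</p>"
)

if __name__ == "__main__":
    print("TRACE reflected:", trace_reflects_cookie(TRACE_ECHOED))          # True
    print("400 page leaks header:", bad_request_reflects_header(BAD_REQUEST_LEAKY))  # True
```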

VI.3. Moderate Vulnerabilities


VI.3.1. ICMP timestamp response
Description:
The remote host responded to an ICMP timestamp request. The ICMP timestamp
response contains the remote host's date and time.
This information could theoretically be used against some systems to exploit weak
time-based random number generators in other services.
Affected Nodes:
Table V.50. Generic-icmp-timestamp
Affected Nodes | Additional Information
192.168.1.21 | Remote system time: 16:50:34.000 CEST
192.168.1.253 | Remote system time: 16:42:07.000 CEST
192.168.1.31 | Remote system time: 16:44:42.937 CEST
192.168.1.32 | Remote system time: 16:50:36.625 CEST
192.168.1.51 | Remote system time: 16:45:21.624 CEST
192.168.1.52 | Remote system time: 16:47:34.088 CEST

Vulnerability Solution: (see workbook VI, page 98)

Disable ICMP timestamp responses on Windows Vista/2008
ICMP timestamp responses can be disabled via the netsh command line utility.
Go to the Windows Control Panel.
1. Select "Windows Firewall".
2. In the Windows Firewall box, select "Change Settings".
3. Enable the firewall by selecting the "on (recommended)" option.
4. Open a Command Prompt.
5. Enter "netsh firewall set icmpsetting 13 disable".

Disable ICMP timestamp responses
Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response).


VII. Exploits
The following figure represents three different types of attacks that were successfully launched on three different machines by exploiting their vulnerabilities.
The first attack consists of sniffing the data entered by the legitimate user, and the second one gives the hacker remote access to the exploited asset. The third one exploits the machine's webcam.

Figure V.33. Exploiting vulnerabilities

VIII. Conclusion
The scanned site was found to be vulnerable, and the vulnerabilities presented in this report were found to be the most common ones with the highest risk rate, whatever their type (critical, severe or moderate).
We were therefore able to successfully trigger some of the mentioned loopholes by hacking into the network and launching passive attacks.


Workbook VI
Solutions implementation

I. Introduction
As we have seen, an unsecured computer network is always vulnerable and exposed to
many risks, external and internal ones.
Therefore, we need to take certain procedures to secure the network and to ensure the
business efficiency and continuity as well.

II. Solutions implementation
One of the first solutions to implement is an appropriate security policy for the organization, which must run its internal audit as stated in the ISO/IEC 27001 standard.
Then, the right solutions for the vulnerabilities found in this context will be implemented.

II.1. Security policy

The organization is required to establish a security policy to assure the security of its information system.
This security policy is to be documented, revised periodically by the management and known by all team members.
A structure responsible for ensuring information security has to be provided (for example a firewall and antivirus).
All sensitive information is to be identified and classified by a protection level.
All the assets must be documented and classified by a protection level.
The security level given to each asset must be adequate to its value in the information system.
The access risks of the team's partners are to be identified, and every unauthorized access is to be restricted.
The hardware assets are to be placed and installed in a secure area with restricted access.
The responsibility of employees towards the security of the information system is to be mentioned in employment contracts.

All access rights of employees are to be removed upon termination of their employment.
The cabling method must be based on security terms.
Protection measures are to be planned and ready to be taken in case of incidents.
The maintenance of equipment is to be done once per month.
A termination procedure must be followed for equipment that is no longer needed.
Every exchange of information within the organization must be secure.
The server is to be implemented in a secure DMZ.
The antivirus is to be updated periodically.
Passwords:
- are to be kept confidential;
- are to be changed whenever there is any indication of possible system or password compromise;
- are to be easy to remember;
- are not to be based on anything someone else could easily guess or obtain using personal information, e.g. names, telephone numbers, date of birth;
- are not to be vulnerable to dictionary attacks (i.e. not based on words included in dictionaries);
- are to be free of consecutive identical, all-numeric or all-alphabetic characters;
- are to be changed at regular intervals;
- minimum length: 8 characters.
The organization must run its internal audit regularly.
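The password rules of the policy above can be enforced mechanically. The Python below, added here as an example and not part of the audit report, checks a candidate password against each rule (length, composition, consecutive identical characters, dictionary words, personal information) and returns the rules it breaks; the word list and personal data it uses are constructed samples.

```python
"""Check a candidate password against the password rules of the security
policy: 8+ characters, not all numeric or all alphabetic, no consecutive
identical characters, not a dictionary word, not built from personal data."""
import re
from typing import Iterable, List

MIN_LENGTH = 8

# Constructed stand-in for a real word list; a production check loads one.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "monkey", "letmein", "dragon"}


def _normalise(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'Manel-1990' and 'manel1990' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_violations(
    password: str,
    personal_info: Iterable[str] = (),
    dictionary: Iterable[str] = SAMPLE_DICTIONARY,
) -> List[str]:
    """Return the policy rules the password breaks (empty list = acceptable)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("all numeric")
    if password.isalpha():
        problems.append("all alphabetic")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("consecutive identical characters")

    norm = _normalise(password)
    letters_only = re.sub(r"[0-9]", "", norm)
    # Dictionary rule: the password with digits and punctuation stripped is a
    # dictionary word, or it contains a dictionary word of four or more letters.
    if any(w == letters_only or (len(w) >= 4 and w in norm)
           for w in map(_normalise, dictionary)):
        problems.append("based on a dictionary word")
    # Personal-information rule: names, phone numbers, birth dates and the
    # like (as supplied by the caller) must not appear in the password.
    for item in personal_info:
        token = _normalise(item)
        if len(token) >= 3 and token in norm:
            problems.append(f"contains personal information ({item})")
            break
    return problems


def is_acceptable(password: str, personal_info: Iterable[str] = (),
                  dictionary: Iterable[str] = SAMPLE_DICTIONARY) -> bool:
    return not password_violations(password, personal_info, dictionary)


if __name__ == "__main__":
    # Constructed personal data for a fictitious user.
    user_facts = ["Manel", "+216 22 333 444", "03/05/1990"]
    for candidate in ("password1", "12345678", "Manel2019!", "Tr7kq9Lm"):
        print(candidate, password_violations(candidate, user_facts) or "OK")
```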


II.2. Fixing the vulnerabilities

The following figure illustrates the steps to fix a loophole of the MS family of vulnerabilities.
The solution is very simple, as mentioned in the previous vulnerability reports: a patch needs to be installed, depending on the machine's OS.
Fixing the MS10-054 vulnerability on Windows Server 2003 32-bit

Figure VI.34. MS10-054 patch installation steps

This figure shows the existing vulnerabilities on the 192.168.1.32 PC, as shown in the Workbook V vulnerability report for site 2, before implementing the appropriate solutions.

Figure VI.35. Vulnerability scan


Implementing the ICMP timestamp loophole solution on the 192.168.1.32 machine.

Figure VI.36. Firewall activation

Step one: activating the firewall of the vulnerable machine.

Figure VI.37. ICMP timestamp request disable

Then we open the command prompt and type the following command:
netsh firewall set icmpsetting 13 disable
This command only closes the ICMP timestamp request. However, our system will still be vulnerable to the ICMP timestamp response, which is why we need to enter
netsh firewall set icmpsetting 14 disable
to fix the response loophole.


Figure VI.38. ICMP timestamp stream disable

A single command fixes the request and response sides of the ICMP timestamp vulnerability at the same time:
netsh firewall set icmpsetting all disable

Verifying the validity of our proposed solution.

Figure VI.39. Solution check

After implementing the appropriate solution for the ICMP timestamp vulnerability, we notice that the number of existing vulnerabilities went down from 8 to 4, which means that we succeeded in fixing the loophole.
During this procedure, other loopholes got fixed along with the original one.

III. General security issues

DNS
DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily
used to convert names, such as www.google.com to their corresponding IP address for use by
network programs, such as a browser.
Vulnerability
DNS cache poisoning is a computer hacking attack, whereby data is introduced into
a Domain Name System (DNS) name server's cache database, causing the name server to
return an incorrect IP address, diverting traffic to another computer (often the attacker's).
FTP
FTP, the File Transfer Protocol, is used to transfer files between systems. On the Internet, it is
often used on web pages to download files from a web site using a browser. FTP uses two
connections, one for control connections used to authenticate, navigate the FTP server and
initiate file transfers. The other connection is used to transfer data, such as files or directory
listings.

Figure VI.40.FTP connection


Figure VI.41.FTP sniff


Vulnerability
The original FTP specification only provided means for authentication with clear text user ids
and passwords. Though FTP has added support for more secure mechanisms such as
Kerberos, clear text authentication is still the primary mechanism. If a malicious user is in a
position to monitor FTP traffic, user ids and passwords can be stolen.
HTTP
HTTP, the Hyper Text Transfer Protocol, is used to exchange multimedia content on the
World Wide Web. The multimedia files commonly used with HTTP include text, sound,
images and video.
Vulnerability
Simple authentication scheme:
Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a
very simple scheme that uses base 64 to encode the clear text user id and password. If a
malicious user is in a position to monitor HTTP traffic, user ids and passwords can be stolen
by decoding the base 64 authentication data. To secure the authentication process, use HTTPS
(HTTP over TLS/SSL) connections to transmit the authentication data.


HTTPS
HTTPS, the Hyper Text Transfer Protocol over TLS/SSL, is used to exchange multimedia
content on the World Wide Web using encrypted (TLS/SSL) connections. Once the TLS/SSL
connection is established, the standard HTTP protocol is used. The multimedia files
commonly used with HTTP include text, sound, images and video.
Vulnerability
HTTPS served by a vulnerable OpenSSL is exposed to Heartbleed; since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.
The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.

Kerberos [10]
Kerberos is a network authentication and encryption protocol. A client will first authenticate
itself to a Kerberos server, in other words, using some shared secret information, the client
first proves to the server that he is actually who he says he is and that he is allowed access to
the specified systems he is asking to use. A Kerberos server has domain over a specific set of
servers and services, and if the client can be authenticated the server provides the client with a
ticket, allowing him to access the requested services. Kerberos provides support for renewing
and extending the scope of that ticket. In addition, once the client has obtained a ticket, all
data sent between the client and other Kerberos protected services are strongly encrypted.
This prevents malicious eavesdropping or non authenticated clients from hijacking established
sessions. Kerberos also has a secure password administration protocol that operates on a
different port than the main Kerberos authentication protocol.


Vulnerabilities
- Buffer overrun: enables the attacker to have root access.
- Denial of Service: may issue bogus tickets or unknown errors. The obvious danger with this security vulnerability is that the realm's KDC can be corrupted, which will prevent valid users from accessing the Kerberos security realm. The corruption varies in degree from issuing bogus tickets, to not allowing authorized users into the Kerberos realm, to causing the KDC to crash.

LDAP [11]
LDAP, the Lightweight Directory Access Protocol, is used to access and manipulate X.500
directories. X.500 directories are often used to store user information for an organization,
including full name, e-mail address, phone numbers, etc.
Vulnerability
- The TCP three-way handshake for user authentication can be exploited by a DoS attack.

Figure VI.42. TCP three-way handshake


LDAPS
LDAPS, the Lightweight Directory Access Protocol over TLS/SSL, is used to access and
manipulate X.500 directories using encrypted (TLS/SSL) connections. X.500 directories are
often used to store user information for an organization, including full name, email address,
phone numbers, etc.
Vulnerability
A vulnerability exists in Active Directory, Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Service (AD LDS). It could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain.
LPD
The Line Printer Daemon Protocol (LPD) specifies a method by which clients can send
documents to a printer or print daemon over TCP/IP.
Vulnerability
There is a buffer overflow in several implementations of in.lpd, a BSD line printer daemon.
An intruder can send a specially crafted print job to the target and then request a display of the
print queue to trigger the buffer overflow. The intruder may be able use this overflow to
execute arbitrary commands on the system with super-user privileges.
NTP
The Network Time Protocol (NTP) is used to keep the clocks of machines on a network
synchronized. Provisions are made in the protocol to account for network disruption and
packet latency.
Vulnerability
A vulnerability in the "monlist" feature of ntpd can allow remote attackers to cause a distributed denial of service (DDoS) attack via forged requests. US-CERT and the Canadian Cyber Incident Response Center (CCIRC) have both observed active use of this attack vector in recent DDoS attacks.
Oracle
Oracle Database is a database server providing Structured Query Language (SQL) access to
its data. TNS, the Transparent Network Substrate, is the native data access protocol.
Vulnerability
CVE-2012-1675 is a flaw in the TNS listener, recently disclosed as the "TNS Listener Poison Attack", affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied.
SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail
messages between hosts. Clients typically submit outgoing e-mail to their SMTP server,
which then forwards the message on through other SMTP servers until it reaches its final
destination.
Vulnerability
Installed by default
By default, most UNIX workstations come installed with the sendmail (or equivalent) SMTP server to handle mail for the local host (e.g. the output of some cron jobs is sent to the root account via email). Check your workstations to see if sendmail is running by telnetting to port 25/tcp. If sendmail is running, you will see something like this:
$ telnet mybox 25
Trying 192.168.0.1...
Connected to mybox.
Escape character is '^]'.
220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT)
If sendmail is running and you don't need it, then disable it via /etc/rc.conf or your operating system's equivalent startup configuration file. If you do need SMTP for the localhost, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.
Promiscuous relay
Perhaps the most common security issue with SMTP servers is servers which act as a
"promiscuous relay", or "open relay". This describes servers which accept and relay mail from
anywhere to anywhere. This setup allows unauthenticated 3rd parties (spammers) to use your
mail server to send their spam to unwitting recipients. Promiscuous relay checks are
performed on all discovered SMTP servers.
Telnet
The telnet service provides console access to a machine remotely.

Figure VI.43.Telnet vulnerability


Vulnerability
No Support for Encryption
All data, including usernames and passwords, is sent in cleartext over TCP.
The number one vulnerability that the telnet service faces is its inherent lack of support for
encryption. This is an artifact from the time period in which it was invented, 1971. There
existed little knowledge of cryptography outside of military environments, and computer
technology was not yet advanced enough to handle its real-time use.
SSH should be used instead of telnet.
System Architecture Information Leakage
Most telnet servers will broadcast a banner which details the exact system type (i.e. hardware
and operating system versions) to any connecting client, without requiring authentication.
This information is crucial for carrying out serious attacks on the system.
SSH
SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol.
It primarily adds encryption and data integrity to Telnet, but can also provide superior
authentication mechanisms such as public key authentication.

Figure VI.44.Secure Shell encryption


Vulnerability
The ssh package includes a program called the ssh-agent. The ssh-agent manages the RSA keys for the ssh program, and is used primarily to help users avoid having to type in their pass phrase every time they wish to use ssh, slogin or scp. When invoked, the ssh-agent program creates a mode 700 directory in the /tmp directory, and then creates an AF_UNIX socket in that directory. Later, the user will run a program named ssh-add, which adds his or her private key to the set of keys managed by the ssh-agent program. When a user wishes to utilize a program which requires RSA key authentication, the ssh client connects to the AF_UNIX socket and asks the ssh-agent program for the appropriate key.
The vulnerability lies in the fact that when the ssh client connects to the AF_UNIX socket, it is running as super-user, or root, and performs insufficient permissions checking. This makes it possible for users to trick their ssh clients into using credentials belonging to other users. In other words, any users who utilize RSA authentication and use the ssh-agent program may have their credentials improperly used by a malicious user, who then may improperly access services or programs on a host machine.
TFTP
TFTP, or Trivial File Transfer Protocol, is a simplified version of FTP. It is designed to work
over UDP, and supports only file reading and file writing, but not directory listing.
No authentication mechanism exists.
Vulnerability
Table VI.51. CVE-2008-2161
Confidentiality Impact | There is total information disclosure, resulting in all system files being revealed.
Integrity Impact | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.
Availability Impact | There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.
Authentication | Not required

The table above illustrates the CVE-2008-2161 (Execute Code Overflow) vulnerability.


IV. General solutions

An Intrusion Detection System (IDS) must be implemented in the network architecture to secure the network from any malicious attempt.
- In the following figure, each illustrated rule generates an alert for a given action. The first rule detects a root log-on attempt using the telnet service.
- The second rule detects the establishment of an ssh connection from an external machine.
- The third rule detects an attempt to establish an ftp connection.
- The fourth rule generates an alert when a ping is detected.

Figure VI.45.Snort rules


This figure illustrates the set-up of the network address using the command ipvar.

Figure VI.46.Fixing address network


This figure shows how to set the RULE_PATH to the file which contains all the rules.

Figure VI.47.Snort Rules-path


In this figure we see the list of iptables rules set to control the data streams according to a certain security policy. Through these rules we can choose whether to accept or refuse certain data streams.

Figure VI.48.Iptables rules


The log file keeps a trace for every suspicious connection attempt.

Figure VI.49.Snort log file


V. Conclusion
It is only through identifying the risks and the network's loopholes that we managed to take the right procedures to secure the information system.
With the implemented solutions illustrated in this chapter, we managed to secure the network from any residual risk, whether internal or external.


Closure
As a roundup, this report contains the different stages of a security audit, presented in the six previous workbooks.
At the outset, the functional specification defines the relationship between the holder of the audit mission and the client. In addition, it provides full guidance for the auditor in order to fulfill his part of the bargain.
As for the second workbook, it contains general information concerning the knowledge every auditor or security specialist needs to have.
As far as the last four workbooks are concerned, they represent the real beginning of the audit mission. According to workbook III, a security methodology needs to be chosen for the risk analysis, as stated in the international standard ISO/IEC 27001: "Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements."
After the risk analysis phase is completed, the auditor has to identify the network's loopholes and generate a vulnerability report, as shown in workbook IV and workbook V.
Last but not least, the auditor is held to take corrective measures for the identified vulnerabilities, along with other general corrective procedures, to ensure the security and the stability of the information system, as was done in workbook VI.
To conclude, in order to build the security of an information system on solid foundations, an international standard needs to be chosen. The latter has to be based on the status of the organization, along with a security methodology, to help guide the auditor through the different stages of his audit mission and to take the right procedures for the fulfillment of his task.

VI. Bibliography
[1] ISO/IEC 27000:2012 - Information technology - Security techniques - Information security management systems - Overview and vocabulary.
[2] ISO/IEC 27001:2005 - INB interdisciplinary standardization sector.
[3] ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management.
[4] ISO/IEC 27003:2010 - Information technology - Security techniques - Information security management system implementation guidance.
[5] ISO/IEC 27004:2009 - Information technology - Security techniques - Information security management - Measurement.
[6] ISO/IEC 27005:2011 - Information technology - Security techniques - Information security risk management.
[7] Mehari 2010 - Stakes analysis and classification guide.
[8] Mehari 2010 - Evaluation guide.
[9] Mehari 2010 - Risk analysis and treatment guide.
[10] Jay Holcomb, "Kerberos Network authentication security protocol: recent security vulnerabilities", GIAC level one security, Essential practical assignment for certification.
[11] C. Obimbo and B. Ferriman, "Vulnerabilities of LDAP As An Authentication Service," Journal of Information Security, Vol. 2 No. 4, 2011, pp. 151-157.
