Dedication
Thanks
My thanks go to the members of the jury who kindly agreed to evaluate this work.
I also wish to express my sincere gratitude to Ms. Imen SFAXI, my supervisor, for her
wisdom, guidance and especially her contribution to the success of this project, without whom
this work would not have been presented.
Finally, I express my humble gratitude to everyone who contributed to my education,
especially the teachers of the National School of Electronic and Telecommunication of Sfax.
Security Audit
Summary
Foreword ........ 8
Workbook I: Functional specification ........ 9
I. Introduction ........ 10
Conclusion ........ 21
Introduction ........ 23
Audit tools ........ 27
Conclusion ........ 30
Foreword ........ 32
VI.1. Basics ........ 40
VI.2. Comment ........ 40
VII. Conclusion ........ 41
Introduction ........ 43
Exploits ........ 67
Conclusion ........ 67
Introduction ........ 69
Exploits ........ 93
Conclusion ........ 93
Introduction ........ 95
Figures List
Figure I.1.Site 1 architecture ................................................................................................................................ 16
Figure I.2.Site 2 architecture ................................................................................................................................ 16
Figure II.3.C-I-A triad ........................................................................................................................................... 26
Figure III.4.Classification of data ......................................................................................................................... 33
Figure III.5.Classification of services ................................................................................................................... 34
Figure III.6.Classification of the compliances ...................................................................................................... 34
Figure III.7.01 org ................................................................................................................................................. 35
Figure III.8.14 ISM................................................................................................................................................ 36
Figure III.9.Services .............................................................................................................................................. 36
Figure III.10.themes .............................................................................................................................................. 37
Figure III.11.ISO 27002 ........................................................................................................................................ 37
Figure III.12.Expo ................................................................................................................................................. 38
Figure III.13.Scenarios.......................................................................................................................................... 38
Figure III.14.Risk%asset ....................................................................................................................................... 39
Figure III.15.Risk%event....................................................................................................................................... 39
Figure III.16.Action plan ....................................................................................................................................... 40
Figure III.17.Seriousness ...................................................................................................................................... 41
Figure III.18.IP-Grids ........................................................................................................................................... 41
Figure IV.19.Multiple service instance frequency ................................................................................................ 44
Figure IV.20.Vulnerabilities by severity ............................................................................................................... 45
Figure IV.21.Common vulnerabilities ................................................................................................................... 46
Figure IV.22.Highest risk vulnerabilities .............................................................................................................. 46
Figure IV.23.Operating Systems ........................................................................................................................... 47
Figure IV.24.Common services ............................................................................................................................. 47
Figure IV.25.exploiting vulnerabilities ................................................................................................................. 67
Figure V.26.Operating Systems ............................................................................................................................ 69
Figure V.27.Vulnerabilities diagram .................................................................................................................... 70
Figure V.28.Service Frequency ............................................................................................................................. 71
Figure V.29.Vulnerabilities severity ..................................................................................................................... 72
Figure V.30.Common vulnerabilities .................................................................................................................... 73
Figure V.31.Risk vulnerabilities............................................................................................................................ 73
Figure V.32.Common services .............................................................................................................................. 74
Figure V.33.exploiting vulnerabilities .................................................................................................................. 93
Figure VI.34.MS10-054 patch installation steps................................................................................................... 97
Figure VI.35.Vulnerability scan ............................................................................................................................ 97
Figure VI.36.Firewall activation .......................................................................................................................... 98
Figure VI.37.icmp timestamp request disable ....................................................................................................... 98
Figure VI.38.icmp time stamp stream disable ....................................................................................................... 99
Figure VI.39.Solution check .................................................................................................................................. 99
Figure VI.40.FTP connection ............................................................................................................................. 100
Figure VI.41.FTP sniff ........................................................................................................................................ 101
Figure VI.42.TCP three-way handshake ............................................................................................................. 103
Figure VI.43.Telnet vulnerability ........................................................................................................................ 106
Figure VI.44.Secure Shell encryption ................................................................................................................. 107
Figure VI.45.Snort rules ..................................................................................................................................... 109
Figure VI.46.Fixing address network ................................................................................................................. 110
Figure VI.47.Snort Rules-path ............................................................................................................................ 110
Figure VI.48.Iptables rules ................................................................................................................................. 111
Figure VI.49.Snort log file .................................................................................................................................. 111
Tables List
Table I.1.Definitions ............................................................................................................................................. 10
Table 2.Basic knowledge ....................................................................................................................................... 17
Table I.3.Site 1 Servers ......................................................................................................................................... 20
Table I.4.Site 1 Work stations ............................................................................................................................... 20
Table I.5.Site 1 network infrastructure ................................................................................................................. 20
Table I.6.Site 2 servers .......................................................................................................................................... 21
Table I.7.Site 2 workstations ................................................................................................................................. 21
Table I.8.Site 2 network infrastructure ................................................................................................................. 21
Table II.9.Safety principles ................................................................................................................................... 23
Table IV.10.Hosts ................................................................................................................................................. 43
Table IV.11.Web sites ........................................................................................................................................... 44
Table IV.12.Risk score .......................................................................................................................................... 48
Table IV.13.CVE-2010-0425 ................................................................................................................................ 49
Table IV.14.MS09-001 .......................................................................................................................................... 50
Table IV.15.MS10-012 .......................................................................................................................................... 51
Table IV.16.MS10-054 .......................................................................................................................................... 51
Table IV.17.MS11-020 .......................................................................................................................................... 52
Table IV.18.Cifs-nt-0001 ...................................................................................................................................... 53
Table IV.19.Cifs-invalid-logins-permitted ............................................................................................................ 55
Table IV.20.MS12-020 .......................................................................................................................................... 56
Table IV.21.CVE-2009-3245 ................................................................................................................................ 57
Table IV.22.CVE-2012-0883 ................................................................................................................................ 58
Table IV.23.CN-name-mismatch........................................................................................................................... 58
Table IV.24.FTP-generic-0007 ............................................................................................................................. 59
Table IV.25.ssl-weak-ciphers................................................................................................................................ 60
Table IV.26.sslv2-and-up-enabled ........................................................................................................................ 61
Table IV.27.Cifs-smb-signing-disabled ................................................................................................................ 62
Table IV.28.CVE-2012-0053 ................................................................................................................................ 63
Table IV.29.Telnet-open-port ............................................................................................................................... 64
Table IV.30.Generic-icmp-timestamp ................................................................................................................... 65
Table V.31.Operating systems .............................................................................................................................. 69
Table V.32.Hosts................................................................................................................................................... 70
Table V.33.Services .............................................................................................................................................. 71
Table V.34.Risk score ........................................................................................................................................... 74
Table V.35.CVE-2011-3268.................................................................................................................................. 75
Table V.36.CVE-2012-2376.................................................................................................................................. 76
Table V.37.CVE-2012-2688.................................................................................................................................. 76
Table V.38.MS08-067 ........................................................................................................................................... 77
Table V.39.MS09-001 ........................................................................................................................................... 78
Table V.40.MS09-050 ........................................................................................................................................... 79
Table V.41.MS10-012 ........................................................................................................................................... 80
Table V.42.MS10-054 ........................................................................................................................................... 81
Table V.43.MS11-020........................................................................................................................................... 82
Table V.44.MS12-020 ........................................................................................................................................... 84
Table V.45.Cifs-invalid-logins-permitted ............................................................................................................. 85
Table V.46.Cifs-nt-0001........................................................................................................................................ 86
Table V.47.Cifs-smb-signing-disabled/not-required............................................................................................. 87
Table V.48.http-trace-method-enabled ................................................................................................................. 89
Table V.49.CVE-2012-0053.................................................................................................................................. 90
Table V.50.Generic-icmp-timestamp .................................................................................................................... 91
Table VI.51.CVE-2008-2161 .............................................................................................................................. 108
Foreword
Nowadays, computer networks have become a necessity for everyone, and especially for
organizations.
However, with the emergence of advanced technologies, these networks have become
exposed to internal and external risks, namely attacks.
In fact, an unsecured network is an open door for intruders, viruses and malicious code in
general. Such attacks can have hazardous effects on the information system.
Security measures therefore need to be taken to protect the network from any residual danger.
However, even secured networks are sometimes exposed to those risks through the
exploitation of loopholes: flaws in the system that give an outsider, or even a legitimate
user, the opportunity to do unwanted things.
To ensure network security, a community of network security specialists has dedicated
itself to making this security possible and to making unauthorized access to the network
hard for hackers and intruders.
In this work, network security consists of carrying out an internal audit for a specific
organization that wishes to secure its information system; this is what the authors have tried
to explain throughout this humble memoire.
Workbook I
Functional specification
I. Introduction
This functional specification presents the administrative and technical clauses for the
SYMPHONY enterprise, which wishes to launch its internal audit for the first time, along
with an inventory of the organization's assets and the architecture of its sites.
SYMPHONY is a communication and marketing agency of the LA GAZETTE group. It
specializes in creating visual corporate identities and in the creation and management of press
campaigns. In addition, the agency produces and edits guides and regional and sectoral
economic directories.
II. Administrative specification clauses
II.1. Clause 1: Consultation's aim
The SYMPHONY enterprise intends to launch a consultation to carry out an audit mission of
its information system security, as provided for in Decree N2004-1250 of May 25th, 2004 and
in the clauses of this functional specification.
to keep discreet about all the facts, information, studies and decisions taken during the
execution of his mission.
He is not allowed to make any written, electronic or verbal disclosure about his mission, or to
deliver documents to any third party.
During and after his mission, the holder agrees not to disclose, or to file in an unsecured
place, any document, regardless of its form (paper, CD, electronic or other), that contains
information about the audited structure. At the end of his mission he must destroy the
documents used or store them in a highly secured form.
The client has the right to verify the security level of the storage location of the documents
relevant to the mission at any time, even after the mission has been completed.
III. Technical specification clauses
III.1. Clause 1: Consultation's aim
The mission covered by this consultation concerns the security audit of the information
system of the structures described in Appendix A.
The audit mission must comply at least with the provisions set out in Decree N2004-1250 of
May 25th, 2004.
The audit should take the ISO/IEC 27002 standard as its basic reference and follow a
methodological approach as close as possible to that standard.
The audit mission should also cover the organizational, physical and technical aspects of the
information system included in the scope of this audit.
The selection process for these controls must involve the management and the
operational personnel of the organization.
III.2.2 Launching the audit
When the audit is triggered, the holder must request every detail, piece of information and
document about the structures to be audited that is necessary for his mission.
A preparatory meeting will be organized at the beginning of the audit mission in order to
finalize the implementation details of the mission, based on the client's specifications and
the documents prepared by the holder.
III.2.3 Preparation of the audit mission
Document review
This stage determines the conformity of the existing documents with the ISO/IEC 27002
standard, draws up the list of missing documents required by this standard, and examines
the problems that may arise when updating the documentation.
The auditor must check specifically whether:
- the documents under review cover the scope of the audit and provide sufficient
information to support the objectives of the audit.
- Intrusive audit.
- Tools used in performing the tests at each stage of the technical audit.
Site 1
- One main server and a software server, both with limited access control: only users who
have a login/password can access them.
- A NAS (Network Attached Storage) that only users who have a login/password can
access.
Site 2
- One main server with limited access control: only users who have a login/password can
access it.
Table 2. Basic knowledge (the column structure of this table was not preserved; the recovered row labels and cell values are listed in the order they were extracted)
Row labels: Sites to visit; Number of persons in charge to be interviewed; Other physical/organizational infrastructure to audit; PC (total number of PCs, type of OS); External connection (Internet); 2 ADSL modems; Switches number; Others; Firewalls; Security tools; Authentication tools (authentication internal network server and number of its supported users: login/password); deactivated.
Cell values: 2 sites; Yes; No; No; 13; Yes; Yes; 22; Yes; Yes; none; no; Yes; Yes; 41 accounts; Yes; Yes; 41 accounts; Yes; none; none; Yes; Yes; Yes; No; Yes; 41 accounts; Yes.
The table above gives a volumetric description of the organization's structures and helps the
auditor to estimate the status of the enterprise.
I, Mr. Mohamed Yassine TRABELSI, intern at the SYMPHONY enterprise and assigned by
Mr. Anis BAKLOUTI, Director of the company mentioned above, promise to keep total
secrecy about any information relevant to the audit mission that I will have access to, during
and after the accomplishment of my mission.
Director's signature
Intern's signature
I, Mr. Omar MARZOUK, intern at the SYMPHONY enterprise and assigned by Mr. Anis
BAKLOUTI, Director of the company mentioned above, promise to keep total secrecy
about any information relevant to the audit mission that I will have access to, during and
after the accomplishment of my mission.
Director's signature
Intern's signature
IV.4. Inventory
Site 1: the three following tables contain general information collected by the holder of
the audit mission.
Table I.3. Site 1 servers
Name                 Exploitation system   Functionality
Main-server                                Domain controller; application server: yes; storage: yes
Application-server                         Storage
The second table gives general information about the different workstations.
Table I.4. Site 1 workstations
Department    IP address        Exploitation system
Management    192.168.59.14     yes
Management    192.168.59.249    yes
Management    192.168.59.130    yes
Development   192.168.59.231    yes
Development   192.168.59.233    yes
Accountancy   192.168.59.101    yes
Accountancy   192.168.59.22     yes
Accountancy   192.168.59.105    yes
Table I.5. Site 1 network infrastructure
Nature         Brand   Number
Modem                  1
Switch                 2
Switch board           1
Site 2: these tables contain the same kind of information as the previous ones, but describe
the assets of site 2.
Table I.6. Site 2 servers
Name          Exploitation system   Functionality
Main-server                         Domain controller
The second table gives general information about the different workstations.
Table I.7. Site 2 workstations
IP address      Exploitation system
192.168.1.51
192.168.1.52
192.168.1.31
192.168.1.32
192.168.1.21
Table I.8. Site 2 network infrastructure
Nature         Brand       Number
Modem          Topnet      1
Switch         LB-link     1
Switch board   LG-Nortel   1
V. Conclusion
During the audit mission, this functional specification provides the auditor with full
guidance on how to run the mission so as to satisfy the client's functional needs.
Workbook II
Generality for audit of
computer security
I. Introduction
Every organization with a computer network needs to guarantee the confidentiality,
integrity and availability of its assets. To reach this aim, there are different approaches
to follow, and different standards and tools to work with.
Table II.9. Safety principles
- Defense in depth:
- Least privilege: grants users or resources the least privileges or permissions required to
perform a task.
- Minimized attack surface:
The table above lists the different security principles along with their definitions.
III.2. Definitions
III.2.1. The ISO/IEC 27000 series [1]
The ISO/IEC 27000 series is also known as the ISMS family of standards.
The series provides best-practice recommendations on information security
management, risks and controls within the context of an overall information
security management system (ISMS), and it can be applied to organizations of all
shapes and types.
ISO/IEC 27002 is an information security standard entitled Information
ISO/IEC 27003 is an information security standard. Its title
IV.3.2. NESSUS
Nessus is a vulnerability scanner based on a client/server architecture. It allows the
user to detect network loopholes, code errors and backdoors.
IV.3.3. SATAN
SATAN (Security Administrator Tool for Analyzing Networks) is a testing and
reporting toolbox that collects a variety of information about networked hosts.
SATAN is written mostly in Perl and uses a web browser such as Netscape, Mosaic
or Lynx to provide the user interface.
IV.3.4. Wireshark
Wireshark has become the world's most popular sniffing application.
It allows the user to put network interface controllers that support promiscuous
mode into that mode, in order to see all traffic visible on that interface, not just
i. Firewall Builder
Instead of having to type firewall commands by hand, Firewall Builder lets you
create firewall rules from user-defined objects.
Firewall Builder makes it easy to configure your firewalls; it is simple,
flexible and time saving.
IV.4.2. IDS (Intrusion Detection System)
i. Snort
Snort's open-source network-based intrusion detection system (NIDS) can
perform real-time traffic analysis and packet logging on Internet Protocol (IP)
networks. Snort performs protocol analysis, content searching and content
matching.
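The two descriptions above, of a sniffer that reads every frame visible on an interface and of an IDS that decodes the traffic and matches payload content against rules, can be tied together in a short program. The example below is added here and is not code from this memoire, from Wireshark or from Snort: it builds a handful of Ethernet/IPv4/TCP frames in memory (a constructed capture standing in for a live promiscuous-mode interface), decodes them the way a sniffer would, and applies three hypothetical Snort-style content rules of the kind that produce the clear-text FTP, Telnet and HTTP TRACE findings an audit like this one reports. The rule format is a subset of Snort's (destination port and a content pattern only; protocol and direction fields are omitted), and the IP addresses reuse the Site 1 range from Workbook I.

```python
"""Added example: a minimal sniffer-style decoder plus Snort-style content rules.

A sniffer in promiscuous mode hands the analyst raw Ethernet frames; an IDS
decodes the headers and matches the payload against rules. The frames below
are constructed inline for the example, not captured from a real network.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame. Checksums are left at zero: the
    decoder below never verifies them and the example runs offline."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_P_IP)
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # seq=1, ack=1, data offset 5 words (0x50), flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(raw: bytes) -> Optional[Dict[str, object]]:
    """Decode Ethernet -> IPv4 -> TCP; return None for anything else or truncated."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETH_P_IP:
        return None
    ip = raw[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[0:4])
    doff = (tcp[12] >> 4) * 4                # TCP data offset in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[doff:]}


@dataclass(frozen=True)
class Rule:
    """The subset of a Snort rule used here (hypothetical rule set, not Snort's):
    destination port, a regex applied to the TCP payload, and the alert message."""
    dport: int
    pattern: bytes
    msg: str


RULES = [
    Rule(21, rb"(?mi)^PASS\s+\S+", "FTP clear-text password"),
    Rule(23, rb".+", "Telnet traffic (clear-text session)"),
    Rule(80, rb"^TRACE\s+\S+\s+HTTP/1\.[01]", "HTTP TRACE method used"),
]


def match_rules(pkt: Dict[str, object], rules: List[Rule]) -> List[str]:
    """Messages of every rule whose port and content pattern both match."""
    return [r.msg for r in rules
            if pkt["dport"] == r.dport and re.search(r.pattern, pkt["payload"])]


def scan(frames: List[bytes], rules: List[Rule] = RULES) -> List[str]:
    """One alert line per rule hit, in capture order, in a Snort-log-like format."""
    alerts = []
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        for msg in match_rules(pkt, rules):
            alerts.append(f"[**] {msg} [**] {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    return alerts


# Constructed capture: an FTP login, a Telnet session, an HTTP GET and a TRACE.
CAPTURE = [
    build_frame("192.168.59.14", "192.168.59.249", 40001, 21, b"USER audit\r\n"),
    build_frame("192.168.59.14", "192.168.59.249", 40001, 21, b"PASS s3cret\r\n"),
    build_frame("192.168.59.14", "192.168.59.249", 40002, 23, b"audit\r\n"),
    build_frame("192.168.59.14", "192.168.59.249", 40003, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("192.168.59.14", "192.168.59.249", 40004, 80, b"TRACE / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in scan(CAPTURE):
        print(line)
```

Run as a script, it prints three alerts. The FTP USER and HTTP GET frames produce none, which is the point of content matching: the alert fires on the password crossing the wire, not on the mere presence of port 21 traffic. A real Snort deployment would also check the protocol, the direction and the checksums that this decoder ignores.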
ii. Prelude
Prelude is an agentless, universal and hybrid security information and event
management (SIEM) system.
Prelude comes with a large set of sensors, each monitoring a different kind of
event. Prelude allows alert collection at WAN scale, whether its scope covers a
city, a country, a continent or the world.
IV.4.3. IPS (Intrusion Prevention System)
i. Snort
Snort is not only an IDS but also an IPS. Combining the benefits of signature-,
protocol- and anomaly-based inspection, Snort is the most widely deployed
IDS/IPS technology worldwide.
V. Conclusion
A security audit of the information system is necessary for any organization with a
computer network.
To ensure the efficiency of this security, a standard must be chosen wisely, and a set
of tools as well, based on the organization's status and its security needs.
Workbook III
Mehari methodology
I. Foreword
Mehari 2010 is intended to assist the risk audit team in the information risk assessment
and management processes, which require thorough accompanying work, mainly for
the analysis of business stakes and of threat likelihood for the organization. The risk
treatment phase should also be an opportunity to propose options and additional controls or
security measures to the stakeholders in a way that corresponds to their demands, in
the same terms they expressed during the stake analysis.
The risk analysis is expected to be a permanent activity, possibly included in an ISMS
process, rather than a one-shot exercise.
II. Methodology process
The worksheets contained in this workbook, distributed by CLUSIF, are organized in
the following order:
The following figure illustrates the classification of data, in each business process.
The following figure illustrates the classification of services, in each business process.
The following figure represents a part of the first questionnaire which covers the organization
of security.
This figure represents a part of the final questionnaire which covers the ISM domain.
Figure III.9. Services
IV.3. Themes
Figure III.10. Themes
The Mehari security themes tables present the current level of each service, based on
the answers given in questionnaires 01 (Org) to 14 (ISM), along with the target
level.
The results show that some services are at the required level while others deviate
from it, with either a very low or only an average level.
Figure III.12. Expo
V.2. Scenarios
The scenarios worksheet in Mehari is the cornerstone of the risk assessment and describes
all the risk scenarios of the knowledge base.
Based on these scenarios, the holder of the audit mission evaluates the impact and
likelihood levels in order to determine the final seriousness level and take it into
account in the risk treatment phase.
Figure III.13. Scenarios
Figure III.14. Risk%asset
V.4. Risk% event
The Risk% event table contains a summary statement for each type of event (threat) of the
Figure III.15. Risk%event
Figure III.17. Seriousness
VII.2. IP-Grids
This figure illustrates the decision tables used by the method to evaluate the impact and
likelihood values based on their intrinsic values and their risk reduction factors in place or
anticipated.
Figure III.18. IP-Grids
VIII. Conclusion
To conclude, Mehari is a complete methodology for risk analysis and treatment. It allows the
auditor to obtain a complete analysis and a view of the organization's different assets, and it
determines what is at stake and what is not. Besides, Mehari helps the auditor choose the right
treatment procedure by showing the seriousness scale of each asset.
Workbook IV
Vulnerability report site 1
I. INTRODUCTION
This report represents a security audit. It contains confidential information about the
state of your network.
Access to this information by unauthorized personnel may allow them to compromise
your network.
During this test, 11 hosts with a total of 286 exposed services and 376 vulnerabilities
were discovered.
II. Discovered Hosts
Table IV.10. Hosts
IP Address       Hostname             OS                 Services  Vulns  Status
192.168.59.101   192.168.59.101       Microsoft Windows  6         113    success
192.168.59.249   Mac Apple            Mac OS X           6         14     success
192.168.59.105   Communication-s      Microsoft Windows  16        11     success
192.168.59.22    Bibliotheque         Microsoft Windows  12        5      success
192.168.59.14    pc6                  Microsoft Windows  6         1      success
192.168.59.231   dm1                  Microsoft Windows  6         6      success
192.168.59.130   192.168.59.130       Microsoft Windows  3         2      success
192.168.59.233   pc10                 Microsoft Windows  6         6      success
192.168.59.111   Communication-s      Microsoft Windows  192       1      success
192.168.59.100   Serveur-Application  Microsoft Windows  33        173    success
192.168.59.150   NAS-SYMPHONY         Linux 2.6.38       _         44     success
The previous table represents the discovered hosts along with some general
information obtained during the vulnerability scan.
Hostname             Port  Sites
Serveur-Application  443   1
Serveur-Application  8443  1
Serveur-Application  9090  1
192.168.59.101       8090  1
Communication-s      80    1
Communication-s      80    1
Communication-s      8080  1
pc10                 80    1
The table above lists the web sites discovered during the vulnerability scan,
along with the port used and the host that serves each site.
The audit was performed on 11 systems, 11 of which were found to be active and were
scanned.
There were 376 vulnerabilities found during this scan. Of these, 70 were critical
vulnerabilities. Critical vulnerabilities require immediate attention. They are relatively easy
for attackers to exploit and may provide them with full control of the affected systems.
274 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not
provide the same access to affected systems.
There were 32 moderate vulnerabilities discovered. These often provide information to
attackers that may assist them in mounting subsequent attacks on your network. These should
also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.
Critical vulnerabilities were found to exist on 10 of the systems, making them most
susceptible to attack.
8 systems were found to have severe vulnerabilities. Moderate vulnerabilities were found on 9
systems. No systems were free of vulnerabilities.
There were 10 occurrences of the cifs-smb-signing-disabled and cifs-smb-signing-notrequired vulnerabilities, making them the most common vulnerabilities. There were 310
vulnerabilities in the HTTP category, making it the most common vulnerability category.
The cifs-smb-signing-disabled vulnerability poses the highest risk to the organization with a
risk score of 3,828. Risk scores are based on the types and numbers of vulnerabilities on
affected assets.
There were 3 operating systems identified and 28 services found to be running during this
scan.
The Microsoft Windows operating system was found on 9 systems, making it the most
common operating system.
The CIFS Name Service was found on 9 systems, making it the most common service. The
HTTPS service was found to have the most vulnerabilities during this scan with 199
vulnerabilities.
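As an added example (not part of the original report), the Python below transcribes the rows of Table IV.10 and reconciles them with the summary figures this workbook states: 286 services, 376 vulnerabilities, and Windows on 9 of the 11 systems. Checking a scanner's per-host table against its own summary is a cheap sanity test when reviewing a report; the host names and numbers are the page's, the function names are mine.

```python
"""Cross-check the per-host rows of a scan report against its summary figures.

Added example, not part of the original report: the rows are transcribed
from Table IV.10 and the checks reproduce the totals the report states.
"""
from collections import Counter
from typing import NamedTuple, Optional


class HostRow(NamedTuple):
    ip: str
    hostname: str
    os: str
    services: Optional[int]   # None where the report shows "_"
    vulns: int
    status: str


# Rows transcribed from Table IV.10 of the report.
HOSTS = [
    HostRow("192.168.59.101", "192.168.59.101", "Microsoft Windows", 6, 113, "success"),
    HostRow("192.168.59.249", "Mac Apple", "Mac OS X", 6, 14, "success"),
    HostRow("192.168.59.105", "Communication-s", "Microsoft Windows", 16, 11, "success"),
    HostRow("192.168.59.22", "Bibliotheque", "Microsoft Windows", 12, 5, "success"),
    HostRow("192.168.59.14", "pc6", "Microsoft Windows", 6, 1, "success"),
    HostRow("192.168.59.231", "dm1", "Microsoft Windows", 6, 6, "success"),
    HostRow("192.168.59.130", "192.168.59.130", "Microsoft Windows", 3, 2, "success"),
    HostRow("192.168.59.233", "pc10", "Microsoft Windows", 6, 6, "success"),
    HostRow("192.168.59.111", "Communication-s", "Microsoft Windows", 192, 1, "success"),
    HostRow("192.168.59.100", "Serveur-Application", "Microsoft Windows", 33, 173, "success"),
    HostRow("192.168.59.150", "NAS-SYMPHONY", "Linux 2.6.38", None, 44, "success"),
]


def summarize(rows):
    """Return the aggregate figures a report summary would state."""
    os_counts = Counter(r.os for r in rows)
    most_common_os, most_common_os_hosts = os_counts.most_common(1)[0]
    return {
        "hosts": len(rows),
        "scanned": sum(1 for r in rows if r.status == "success"),
        "services": sum(r.services or 0 for r in rows),
        "vulnerabilities": sum(r.vulns for r in rows),
        "hosts_with_vulns": sum(1 for r in rows if r.vulns > 0),
        "most_common_os": most_common_os,
        "most_common_os_hosts": most_common_os_hosts,
        # Rows whose service count is unreadable on the page, so totals may be low.
        "rows_missing_services": [r.ip for r in rows if r.services is None],
    }


def check_against_summary(rows, stated):
    """Compare computed figures with the report's stated ones.

    Returns {field: (stated, computed)} for every mismatch; empty when all reconcile.
    """
    computed = summarize(rows)
    return {k: (stated[k], computed.get(k)) for k in stated if computed.get(k) != stated[k]}


# Figures as stated in the report's text.
STATED = {"hosts": 11, "services": 286, "vulnerabilities": 376,
          "most_common_os": "Microsoft Windows", "most_common_os_hosts": 9}

if __name__ == "__main__":
    print(summarize(HOSTS))
    print("mismatches:", check_against_summary(HOSTS, STATED))
```

The same reconciliation applied to the site 2 table later in this document would flag its missing cells immediately, which is the point of keeping `rows_missing_services` in the output.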
V. RISK SCORE
Table IV.12. Risk score
Node            Operating System                                Risk    Aliases
192.168.59.100  Microsoft Windows Server 2008 Standard Edition  63,546  Serveur-Application
192.168.59.101  Microsoft Windows                               39,600
192.168.59.150  Linux 2.6.38                                    14,961  NAS-SYMPHONY
192.168.59.249  Apple Mac OS X 10.4.11                          9,214   Mac
192.168.59.105  Microsoft Windows Server 2003 SP2               6,462   Communication-s
192.168.59.233  Microsoft Windows XP                            3,610   PC10
192.168.59.231  Microsoft Windows XP                            2,981   Dm1
192.168.59.22   Microsoft Windows 7 Professional Edition        2,036   Bibliotheque
192.168.59.14   Microsoft Windows XP                            859     PC6
192.168.59.130  Microsoft Windows Server 2003                   520
192.168.59.111  Microsoft Windows Server 2003                   0.0     Communication-s
The table above gives the risk score of each node discovered in the vulnerability
scan; the risk score in this report is calculated from the number and types of
vulnerabilities found on each asset.
Description:
The affected asset is vulnerable to this vulnerability ONLY if it is running one of the
following modules: mod-isapi. Review your web server configuration for validation. A
flaw was found within mod-isapi which would attempt to unload the ISAPI dll
when it encountered various error states. This could leave the callbacks in an
undefined state and result in a segfault. On Windows platforms using mod-isapi, a
remote attacker could send a malicious request to trigger this issue, and as the win32
MPM runs only one process, this would result in a denial of service, and potentially
allow arbitrary code execution.
Affected Nodes:
Table IV.13. CVE-2010-0425
Affected Nodes      Additional Information
192.168.59.100:90   Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.14
192.168.59.100:443  Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.14
Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.15
Upgrade to Apache HTTPD version 2.2.15
Affected Nodes
192.168.59.100:445
Additional Information
Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. \LSARPC: WriteAndX succeeded with offset 77
Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. \LSARPC: WriteAndX succeeded with offset 77
Vulnerability Solution:
MS09-001: Security Update for Windows Server 2008 (KB958687)
Table IV.15. MS10-012
Affected Nodes      Additional Information
192.168.59.100:139  Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.59.100:445  Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
Vulnerability Solution:
MS10-012: Security Update for Windows Server 2008 (KB971468).
Affected Nodes
192.168.59.100:139
192.168.59.100:445
Additional Information
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow
192.168.59.100:445
192.168.59.100:139
192.168.59.100:445
192.168.59.100:445
Additional Information
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Standard Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
Vulnerability Solution:
MS11-020: Security Update for Windows Server 2008 (KB2508429)
Additional Information
192.168.59.150
192.168.59.231
192.168.59.233
192.168.59.249
Vulnerability Solution:
Microsoft Windows XP Professional
Disable NULL sessions for Windows XP
- Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following values:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 1
Value Name: RestrictAnonymousSAM
Description:
Windows XP (and possibly Vista) includes a "ForceGuest" operating mode whereby
the CIFS service allows unauthenticated users to connect to the service with limited
access.
The "ForceGuest" mode is enabled by default on Windows XP installations which
aren't joined to a domain and have Simple File Sharing enabled.
This operating mode accepts any set of login credentials, but forces the logged on user
to operate under the access restrictions of a guest user on the system.
Affected Nodes:
Table IV.19. Cifs-invalid-logins-permitted
Affected Nodes  Additional Information
192.168.59.150  Established CIFS connection with randomly generated credentials: A2D2E24C720C00C0
192.168.59.233  Established CIFS connection with randomly generated credentials: 6849FC89B734821F
Vulnerability Solution:
In the 'Local Security Settings' feature of the Windows Control Panel, modify the
following settings:
Set 'Local Policies->User Rights Assignment->Deny access to this computer
from the network' to include the guest account.
Set 'Local Policies->Security Options->Accounts: Guest account status' to
'Disabled'.
Description:
This security update resolves two privately reported vulnerabilities in the Remote
Desktop Protocol. The more severe of these vulnerabilities could allow remote code
execution if an attacker sends a sequence of specially crafted RDP packets to an
affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on
any Windows operating system. Systems that do not have RDP enabled are not at risk.
Affected Nodes:
Table IV.20. MS12-020
Affected Nodes       Additional Information
192.168.59.100:3389  Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
192.168.59.105:3389  Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
192.168.59.130:3389  Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
192.168.59.22:3389   Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
192.168.59.231:3389  Running Microsoft Remote Display Protocol service. User 1 was able to connect to the channel assigned to User 2.
Vulnerability Solution:
MS12-020: Security Update for Windows Server 2008 (KB2621440)
MS12-020: Security Update for Windows Server 2003 (KB2621440)
MS12-020: Security Update for Windows XP (KB2621440)
VI.1.9. Http-openssl-cve-2009-3245
Description:
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand
function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c,
and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack
vectors.
Affected Nodes:
Table IV.21. CVE-2009-3245
Affected Nodes      Additional Information
192.168.59.100:80   Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of component OpenSSL found -- OpenSSL 0.9.8l
192.168.59.100:443  Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of component OpenSSL found -- OpenSSL 0.9.8l
192.168.59.150:80   Running HTTP service. Product HTTPD exists -- Apache HTTPD 1.3.42. Vulnerable version of component OpenSSL found -- OpenSSL 0.9.8g
192.168.59.150:443  Running HTTPS service. Product HTTPD exists -- Apache HTTPD 1.3.42. Vulnerable version of component OpenSSL found -- OpenSSL 0.9.8g
Vulnerability Solution:
Upgrade to version 0.9.8m of OpenSSL.
Affected Nodes:
Table IV.22. CVE-2012-0883
Affected Nodes      Additional Information
192.168.59.100:90   Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.14
192.168.59.100:443  Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.14. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.14
Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.23
Upgrade to Apache HTTPD version 2.2.23
VI.2.2. X.509 Certificate Subject CN Does Not Match the Entity Name
Description:
The subject common name (CN) field in the X.509 certificate does not match the name of
the entity presenting the certificate.
Before issuing a certificate, a Certification Authority (CA) must check the identity of the
entity requesting the certificate, as specified in the CA's Certification Practice Statement
(CPS). Thus, standard certificate validation procedures require the subject CN field of a
certificate to match the actual name of the entity presenting the certificate.
A CN mismatch most often occurs due to a configuration error, though it can also indicate
that a man-in-the-middle attack is being conducted.
Affected Nodes:
Table IV.23. CN-name-mismatch
Affected Nodes      Additional Information
192.168.59.100:443  The subject common name found in the X.509 certificate ('CN=localhost') does not seem to match the scan target
192.168.59.105:500
192.168.59.150:443
Vulnerability Solution:
The subject's common name (CN) field in the X.509 certificate should be fixed to
reflect the name of the entity presenting the certificate (e.g., the hostname). This is
done by generating a new certificate usually signed by a Certification Authority
(CA) trusted by both the client and server.
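As an added example (not part of the report), the Python below implements the name check behind Table IV.23: a certificate covers a host only if the host name matches a subjectAltName dNSName entry (a wildcard is honoured only as the whole left-most label, so *.example.org covers www.example.org but not a.b.example.org), or, when the certificate carries no SAN at all, the subject CN; a target given as an IP address must appear as an iPAddress SAN. The 'CN=localhost' case from the table is exercised directly; the other host names are constructed, and the function names are mine.

```python
"""Check whether a certificate's names cover the host being connected to.

Added example, not part of the original report. Implements the matching
rule the finding relies on: SAN entries take precedence, the subject CN is
only a fallback for SAN-less certificates, and wildcards must be a whole
left-most label. Host names below are constructed; the CN=localhost case is
the one reported for 192.168.59.100:443.
"""
import ipaddress
from typing import Iterable, Optional


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire left-most label, leave at least two
    # fixed labels (no "*.org"), and match exactly one label of the host.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(target: str, subject_cn: Optional[str],
                 san_dns: Iterable[str] = (), san_ip: Iterable[str] = ()) -> bool:
    """True when the certificate's names cover ``target``."""
    san_dns, san_ip = list(san_dns), list(san_ip)
    if _is_ip(target):
        # An IP literal is only acceptable through an iPAddress SAN, never via CN.
        want = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(ip) == want for ip in san_ip)
    if san_dns or san_ip:
        return any(_dns_name_match(p, target) for p in san_dns)
    # No SAN at all: legacy fallback to the subject CN.
    return subject_cn is not None and _dns_name_match(subject_cn, target)


def parse_subject_cn(subject: str) -> Optional[str]:
    """Pull the CN out of a subject string such as 'C=TN, O=Example, CN=localhost'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


if __name__ == "__main__":
    cn = parse_subject_cn("CN=localhost")            # as reported for 192.168.59.100:443
    print("192.168.59.100 covered by CN=localhost:", name_matches("192.168.59.100", cn))
    print("www.example.org covered by *.example.org SAN:",
          name_matches("www.example.org", cn, san_dns=["*.example.org"]))
```

Python's own `ssl` module applies the same precedence rules when it verifies a server certificate, so a client that leaves hostname checking enabled would reject the 'CN=localhost' certificate exactly as this function does.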
VI.2.3. FTP server does not support AUTH command (ftp-generic-0007)
Description:
FTP clients send credentials (user ID and password) in clear text to the FTP server by
default. This allows malicious users to intercept the credentials if they can eavesdrop
on the connection.
Newer FTP servers support the AUTH command, which provides enhanced
authentication options such as TLS, Kerberos, GSSAPI, etc. This should be used to
prevent eavesdropping on FTP connections.
Affected Nodes:
Table IV.24. FTP-generic-0007
Affected Nodes      Additional Information
192.168.59.100:21   Server supports none of the following AUTH mechanisms: TLS TLS-C KERBEROS_V4 GSSAPI SSL
192.168.59.150:21   Server supports none of the following AUTH
192.168.59.233:21
Vulnerability Solution:
Upgrade/migrate to an FTP server that supports the AUTH command.
Affected Nodes
192.168.59.100:443
192.168.59.100:8443
192.168.59.105:500
Additional Information
192.168.59.100:443 -- Negotiated with the following insecure cipher suites.
SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_IDEA_128_CBC_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSLv3 ciphers: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
192.168.59.100:8443 -- Negotiated with the following insecure cipher suites.
SSLv3 ciphers: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
192.168.59.105:500 -- Negotiated with the following insecure cipher suites.
SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
SSLv3 ciphers: SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
Vulnerability Solution:
Configure the server to disable support for weak ciphers.
For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for
instructions on disabling weak ciphers.
For Apache web servers with mod_ssl, edit the Apache configuration file and
change the SSLCipherSuite line to read: SSLCipherSuite
ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
VI.2.5. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)
Description:
Although the server accepts clients using TLS or SSLv3, it also accepts clients using
SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It
suffers from a number of security flaws allowing attackers to capture and alter
information passed between a client and the server, including the following
weaknesses:
- No protection against man-in-the-middle attacks during the handshake.
- Weak MAC construction, with the MAC relying solely on the MD5 hash function.
- Exportable cipher suites unnecessarily weaken the MACs.
- The same cryptographic keys are used for message authentication and encryption.
- Vulnerable to truncation attacks by forged TCP FIN packets.
SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor
SSLv3 meets the U.S. FIPS 140-2 standard, which governs cryptographic modules for use
in federal information systems. Only the newer TLS (Transport Layer Security) protocol
meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a
host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard.
Affected Nodes:
Table IV.26. sslv2-and-up-enabled
Affected Nodes      Additional Information
192.168.59.100:443  SSLv2 is supported
192.168.59.105:500  SSLv2 is supported
Vulnerability Solution:
Apache HTTPD
Disable SSLv2 protocol support in Apache HTTPD
For Apache web servers with mod_ssl, edit the Apache configuration file and
change the SSLCipherSuite line to read: SSLCipherSuite
ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
The ! (Exclamation point) before SSLv2 is what disables this protocol.
Windows
Disable SSLv2 protocol support in Microsoft Windows
Configure the server to require clients to use at least SSLv3 or TLS.
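The two findings above (weak cipher suites and SSLv2 support) are judged from the same evidence: the list of suites the scanner could negotiate. The following Python is an added example, not part of the report, that parses the run-together "Negotiated with the following insecure cipher suites" strings from the weak-cipher finding's Additional Information, tags each suite with why it is weak (SSLv2-only suite, export-grade key, single DES, 3DES, RC4/RC2, MD5 MAC) and reports whether SSLv2 was offered at all. The evidence strings are constructed from this report's text for 192.168.59.100 ports 443 and 8443; the classification rules and function names are mine.

```python
"""Classify the cipher suites a TLS/SSL scanner reports as negotiable.

Added example, not part of the original report. Parses the scanner's
evidence (suite names were run together on the page; the parser separates
them), tags each suite with the reasons it is weak, and reports whether
SSLv2 was offered. Evidence strings are constructed from the report's
findings for 192.168.59.100:443 and 192.168.59.100:8443.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Every suite name ends in its MAC algorithm, so a suite ends where the next
# "SSL_"/"SSLv" token, whitespace, a separator or the end of the string begins.
SUITE_RE = re.compile(r"SSL_[A-Z0-9_]+?_(?:MD5|SHA)(?=SSL_|SSLv|[\s,;]|$)")
SECTION_RE = re.compile(r"(SSLv[23]) ciphers:")


@dataclass
class SuiteAssessment:
    name: str
    protocol: str
    weaknesses: List[str] = field(default_factory=list)


def parse_negotiated(evidence: str) -> Dict[str, List[str]]:
    """Split evidence text into {protocol: [suite names]}."""
    parts = SECTION_RE.split(evidence)   # [preamble, "SSLv2", body, "SSLv3", body, ...]
    return {proto: SUITE_RE.findall(body) for proto, body in zip(parts[1::2], parts[2::2])}


def assess_suite(name: str, protocol: str) -> SuiteAssessment:
    """Tag one suite with every reason it should not be offered (my rule set)."""
    weak: List[str] = []
    if protocol == "SSLv2" or name.startswith("SSL_CK_"):
        weak.append("SSLv2 suite")
    if "EXPORT" in name:
        weak.append("export-grade key length")
    if re.search(r"_DES_(?!192)|_DES40_", name):   # DES_192_EDE3 is 3DES, handled below
        weak.append("single DES")
    if "EDE3" in name:
        weak.append("3DES (64-bit block)")
    if "RC4" in name:
        weak.append("RC4")
    if "RC2" in name:
        weak.append("RC2")
    if name.endswith("_MD5"):
        weak.append("MD5 MAC")
    return SuiteAssessment(name, protocol, weak)


def assess_evidence(evidence: str) -> dict:
    """Summarise one scanner evidence string for a report reviewer."""
    by_proto = parse_negotiated(evidence)
    suites = [assess_suite(n, p) for p, names in by_proto.items() for n in names]
    return {
        "sslv2_supported": bool(by_proto.get("SSLv2")),
        "suite_count": len(suites),
        "weak_suite_count": sum(1 for s in suites if s.weaknesses),
        "weakness_tally": Counter(w for s in suites for w in s.weaknesses),
    }


# Constructed from the report's Additional Information, concatenation included.
EVIDENCE_443 = (
    "Negotiated with the following insecure cipher suites. SSLv2 ciphers: "
    "SSL_CK_RC4_128_WITH_MD5SSL_CK_RC4_128_EXPORT40_WITH_MD5 "
    "SSL_CK_RC2_128_CBC_WITH_MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 "
    "SSL_CK_IDEA_128_CBC_WITH_MD5SSL_CK_DES_64_CBC_WITH_MD5 "
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5SSLv3 ciphers: "
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHASSL_RSA_WITH_DES_CBC_SHA "
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5"
)
EVIDENCE_8443 = (
    "Negotiated with the following insecure cipher suites. SSLv3 ciphers: "
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHASSL_RSA_WITH_DES_CBC_SHA "
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5"
)

if __name__ == "__main__":
    for port, evidence in (("443", EVIDENCE_443), ("8443", EVIDENCE_8443)):
        print(port, assess_evidence(evidence))
```

Note that the SSLCipherSuite strings the report recommends date from 2012 and still prefer RC4; RFC 7465 (2015) prohibits RC4 in TLS, so the assessment above flags RC4 suites as weak even though the report's own configuration line would keep them.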
VI.2.6. SMB signing disabled (cifs-smb-signing-disabled)
Description:
This system does not allow SMB signing. SMB signing allows the recipient of SMB
packets to confirm their authenticity and helps prevent man in the middle attacks against
SMB. SMB signing can be configured in one of three ways: disabled entirely (least
secure), enabled, and required (most secure).
Affected Nodes:
Table IV.27. Cifs-smb-signing-disabled
Affected Nodes      Additional Information
192.168.59.150:139  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.150:445  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.22:139   Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.22:445   Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.231:139  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.231:445  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.233:139  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.233:445  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.249:139  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
192.168.59.249:445  Negotiate protocol response's security mode 3 indicates that SMB signing is disabled
Vulnerability Solution:
Microsoft Windows
Configure the system to enable or require SMB signing as appropriate
Make sure that SMB signing configuration is done for incoming connections (Server).
Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB
signing, put the following in the Samba configuration file, typically smb.conf, in the
global section:
server signing = auto
To require SMB signing, put the following in the Samba configuration file, typically
smb.conf, in the global section:
server signing = mandatory
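To make the evidence in Table IV.27 concrete, here is an added Python example (not from the report or the scanner) that decodes the SecurityMode byte of an SMB1 NEGOTIATE response, which is where "security mode 3" comes from, and maps it onto the three states named in the description: disabled, enabled and required. It also decodes the SMB2 NEGOTIATE SecurityMode field, whose bit layout differs, so the same numeric value reads as "required" there. The packet builder is mine and exists only to exercise the parser offline.

```python
"""Decode SMB signing state from the NEGOTIATE response SecurityMode field.

Added example, not part of the original report or of the scanner. The
evidence "security mode 3" is the SecurityMode byte of an SMB1
(SMB_COM_NEGOTIATE) response; MS-CIFS defines its bits as
    0x01 NEGOTIATE_USER_SECURITY
    0x02 NEGOTIATE_ENCRYPT_PASSWORDS
    0x04 NEGOTIATE_SECURITY_SIGNATURES_ENABLED
    0x08 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED
so 3 means user-level security with encrypted passwords and no signing at
all. SMB2 (MS-SMB2) uses a 16-bit field with 0x0001 SIGNING_ENABLED and
0x0002 SIGNING_REQUIRED, in which the same value 3 means "required".
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32

SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002


def classify_smb1_signing(security_mode: int) -> str:
    """Map an SMB1 SecurityMode byte to disabled / enabled / required."""
    if security_mode & SMB1_SIGNING_REQUIRED:
        return "required"
    if security_mode & SMB1_SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def classify_smb2_signing(security_mode: int) -> str:
    """Map an SMB2 NEGOTIATE SecurityMode value to the same three states."""
    if security_mode & SMB2_SIGNING_REQUIRED:
        return "required"
    if security_mode & SMB2_SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def security_mode_from_smb1_negotiate(packet: bytes) -> int:
    """Pull SecurityMode out of a raw SMB1 NEGOTIATE response (no NetBIOS length prefix).

    Layout: 32-byte SMB header, WordCount (1 byte), then the parameter block
    starting with DialectIndex (2 bytes) and SecurityMode (1 byte) for the
    LAN Manager and NT LM 0.12 dialect responses.
    """
    if len(packet) < SMB1_HEADER_LEN + 4 or packet[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 packet")
    if packet[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    word_count = packet[SMB1_HEADER_LEN]
    if word_count < 13:
        # Core-protocol dialect responses (WordCount 1) carry no SecurityMode.
        raise ValueError("dialect response carries no SecurityMode")
    return packet[SMB1_HEADER_LEN + 3]


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed minimal NT LM 0.12 NEGOTIATE response, for offline testing only."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * (SMB1_HEADER_LEN - 5)
    word_count = 17                                   # NT LM 0.12 response: 17 parameter words
    params = struct.pack("<BHB", word_count, 0, security_mode)
    params += b"\x00" * (word_count * 2 - 3)          # remaining parameter bytes, zeroed
    return header + params + struct.pack("<H", 0)     # ByteCount = 0


def assess_negotiate(packet: bytes) -> dict:
    """Return the raw mode and its SMB1 reading, as a reviewer would record it."""
    mode = security_mode_from_smb1_negotiate(packet)
    return {"security_mode": mode, "smb1_signing": classify_smb1_signing(mode)}


if __name__ == "__main__":
    pkt = build_smb1_negotiate_response(3)            # the value seen on every affected node
    print(assess_negotiate(pkt))
    print("same value 3 under SMB2 rules:", classify_smb2_signing(3))
```

The Samba settings quoted above map directly onto these bits: `server signing = auto` sets only SIGNATURES_ENABLED (0x04), `server signing = mandatory` sets both 0x04 and 0x08, and a value of 3 is what a client sees when neither is set.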
VI.2.7. Apache HTTPD: error responses can expose cookies (CVE-2012-0053)
Description:
A flaw was found in the default error response for status code 400. This flaw could be
used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is
specified.
Affected Nodes:
Table IV.28. CVE-2012-0053
Affected Nodes
192.168.59.100:90
192.168.59.100:90
192.168.59.100:443
192.168.59.100:443
192.168.59.150:80
192.168.59.150:443
Additional Information
10: <p>Your browser sent a request that this server could not understand.
11: Request header field is missing ':' separator.<br />
12: <pre>
9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
Running HTTP service. HTTP GET request to http://192.168.59.150/ HTTP response code was an expected 400
9: <H1>Bad Request</H1>
10: Your browser sent a request that this server could not understand.<P>
11: Request header field is missing colon separator.<P>
12: <PRE>
9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
Running HTTPS service. HTTP GET request to https://192.168.59.150/ HTTP response code was an expected 400
9: <H1>Bad Request</H1>
10: Your browser sent a request that this server could not understand.<P>
11: Request header field is missing colon separator.<P>
12: <PRE>
9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.22
Upgrade to Apache HTTPD version 2.2.22
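The Apache HTTPD findings in this workbook (CVE-2010-0425, CVE-2012-0883, CVE-2012-0053) and the OpenSSL finding (CVE-2009-3245) are all version-based: the scanner reads a banner such as "Apache HTTPD 2.2.14" and tests it against a range stated the way this report states it, ">= 2.2 and < 2.2.15". The Python below is an added example, not the scanner's or the report's code; it implements that matching, orders OpenSSL's letter-suffixed versions correctly (0.9.8l < 0.9.8m), and runs the page's four ranges over evidence strings constructed from the tables above. The rule list and evidence text are transcribed from this report; the function names are mine.

```python
"""Version-range matching of the kind behind the Apache/OpenSSL findings.

Added example, not the scanner's or the report's code. RULES and the
evidence strings are transcribed from the findings in this workbook.
"""
import re
from typing import Dict, List, Tuple

VersionKey = Tuple[Tuple[int, str], ...]

VERSION_PAT = r"\d+(?:\.\d+)*[A-Za-z]?"
CONSTRAINT_RE = re.compile(r"(>=|<=|==|<|>)\s*(" + VERSION_PAT + ")")
PRODUCT_RE = re.compile(r"(Apache HTTPD|OpenSSL|PHP)\s+(" + VERSION_PAT + ")")

_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def version_key(version: str) -> VersionKey:
    """'0.9.8l' -> ((0, ''), (9, ''), (8, 'l')); a bare number sorts before a lettered one."""
    key = []
    for part in version.strip().rstrip(".").split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        if not m:
            raise ValueError(f"unparseable version component {part!r} in {version!r}")
        key.append((int(m.group(1)), m.group(2).lower()))
    return tuple(key)


def in_range(version: str, expr: str) -> bool:
    """True when version satisfies every constraint in expr (constraints are ANDed)."""
    constraints = CONSTRAINT_RE.findall(expr)
    if not constraints:
        raise ValueError(f"no constraints found in {expr!r}")
    v = version_key(version)
    return all(_OPS[op](v, version_key(bound)) for op, bound in constraints)


def products_from_evidence(evidence: str) -> Dict[str, str]:
    """Extract {product: version} pairs from scanner evidence text."""
    return {product: version for product, version in PRODUCT_RE.findall(evidence)}


def match_findings(evidence: str, rules: List[Tuple[str, str, str]]) -> List[str]:
    """Return the ids of rules whose (product, range) applies to the evidence, in rule order."""
    found = products_from_evidence(evidence)
    return [rule_id for rule_id, product, expr in rules
            if product in found and in_range(found[product], expr)]


# Affected ranges as stated in this report's Vulnerability Solution entries.
RULES = [
    ("CVE-2010-0425", "Apache HTTPD", ">= 2.2 and < 2.2.15"),
    ("CVE-2012-0883", "Apache HTTPD", ">= 2.2 and < 2.2.23"),
    ("CVE-2012-0053", "Apache HTTPD", ">= 2.2 and < 2.2.22"),
    ("CVE-2009-3245", "OpenSSL", "< 0.9.8m"),
]

# Evidence strings constructed from the report's Additional Information columns.
EVIDENCE_SERVEUR_APPLICATION = ("Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.14. "
                                "Vulnerable version of component OpenSSL found -- OpenSSL 0.9.8l")
EVIDENCE_NAS_SYMPHONY = ("Running HTTPS service. Product HTTPD exists -- Apache HTTPD 1.3.42. "
                         "Vulnerable version of component OpenSSL found -- OpenSSL 0.9.8g")

if __name__ == "__main__":
    print("192.168.59.100:", match_findings(EVIDENCE_SERVEUR_APPLICATION, RULES))
    print("192.168.59.150:", match_findings(EVIDENCE_NAS_SYMPHONY, RULES))
```

Version matching is only as good as the banner: a vendor-backported fix leaves the version string unchanged, so every hit from a rule list like this one should be confirmed against the installed package before it is reported as exploitable.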
Additional Information
192.168.59.100:23
Vulnerability Solution:
Disable the telnet service. Replace it with technologies such as SSH, VPN, or TLS.
Additional Information
Remote system time: 13:28:28.000 CEST
Remote system time: 11:32:39.718 CEST
Remote system time: 13:32:22.093 CEST
Remote system time: 13:30:03.614 CEST
Remote system time: 12:33:14.481 CEST
Remote system time: 12:49:21.026 CEST
Remote system time: 12:37:35.000 CEST
Remote system time: 12:40:10.359 CEST
Remote system time: 12:29:11.100 CEST
The easiest and most effective solution is to configure your firewall to block incoming and
outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp
response).
VII. Exploits
In the following figure we were able to exploit some of the loopholes that we detected
in order to gain remote access to the assets connected to the network.
This figure illustrates four attacks, each launched on a different machine.
VIII. Conclusion
The scanned site was found to be vulnerable, and the vulnerabilities presented in this
report were found to be the most common ones with the highest risk rate regardless of
their type (critical, severe and moderate).
We were therefore able to successfully trigger some of the mentioned loopholes by
hacking into the network and launching passive attacks.
Workbook V
Vulnerability report site 2
I. INTRODUCTION
This report represents a security audit. It contains confidential information about the
state of your network. Access to this information by unauthorized personnel may
allow them to compromise your network.
During this test, 6 hosts with a total of 58 exposed services and 139 vulnerabilities
were discovered.
Hosts              Services  Vulnerabilities
Microsoft Windows  58        139
The table above represents the operating systems of the different hosts on which the
vulnerability scan was run.
The following figure illustrates the percentage of the hosts' operating systems.
IP Address     Hostname         OS                 Services  Vulns  Status
192.168.1.51   sonia-pc         Microsoft Windows  12        14     success
192.168.1.52   sana-pc          Microsoft Windows  91 (second value missing on the page)  success
192.168.1.31   pc1-41933e504a3  Microsoft Windows  10 (second value missing on the page)  success
192.168.1.32   manel-pc         Microsoft Windows  10 (second value missing on the page)  success
192.168.1.21   LENOVO-PC        Microsoft Windows  (values missing on the page)           success
192.168.1.253  WINE3OMF312OOT   Microsoft Windows  21        12     success
The table above represents the discovered hosts along with some general information
obtained during the vulnerability scan.
This figure illustrates the number of the discovered loopholes of each node.
The following table presents some protocols that we discovered while scanning the
network.
Protocol  Transport  Port  Instances
smb       tcp        445
http      tcp        80
https     tcp        443
telnet    tcp        23
dns       udp        53
ftp       tcp        21
This figure illustrates a global view of all discovered services with multiple running
instances; some of these services are mentioned in the table above.
The audit was performed on 6 systems, 6 of which were found to be active and were scanned.
There were 138 vulnerabilities found during this scan. Of these, 38 were critical
vulnerabilities. Critical vulnerabilities require immediate attention.
They are relatively easy for attackers to exploit and may provide them with full control of the
affected systems.
84 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not
provide the same access to affected systems.
There were 16 moderate vulnerabilities discovered. These often provide information to
attackers that may assist them in mounting subsequent attacks on your network.
These should also be fixed in a timely manner, but are not as urgent as the other
vulnerabilities.
Critical vulnerabilities were found to exist on 5 of the systems, making them most susceptible
to attack. 6 systems were found to have severe vulnerabilities. Moderate vulnerabilities were
found on 6 systems. No systems were free of vulnerabilities.
There were 10 occurrences of the cifs-smb-signing-disabled and cifs-smb-signing-notrequired vulnerabilities, making them the most common vulnerabilities. There were 135
vulnerabilities in the HTTP category, making it the most common vulnerability category.
The CIFS, CIFS Name Service and DCE Endpoint Resolution services were found on 6
systems, making them the most common services.
The HTTP service was found to have the most vulnerabilities during this scan with 88
vulnerabilities.
Node           Operating System                                  Risk    Aliases
192.168.1.52   Microsoft Windows XP                              30,467  SANA-PC
192.168.1.51   Microsoft Windows XP                              9,060   SONIA-PC
192.168.1.31   Microsoft Windows XP                              6,844   PC1-41933E504A3
192.168.1.253  Microsoft Windows Server 2008 Enterprise Edition  6,339   WIN-E3OMF312OOT
192.168.1.32   Microsoft Windows XP SP3                          4,084   MANEL-PC
192.168.1.21   Microsoft Windows 7 Professional SP1              1,516   LENOVO-PC
The table above gives the risk score of each node discovered in the vulnerability
scan; the risk score in this report is calculated from the number and types of
vulnerabilities found on each asset.
Affected Nodes    Additional Information
192.168.1.52:443  Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
Vulnerability Solution:
An upgrade for the installed version must be applied.
VI.1.2. PHP Vulnerability: CVE-2012-2376 (php-cve-2012-2376)
Description:
Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on
Windows allows remote attackers to execute arbitrary code via crafted arguments
that trigger incorrect handling of COM object VARIANT types, as exploited in the
wild in May 2012.
Affected Nodes:
Table V.36. CVE-2012-2376
Affected Nodes    Additional Information
192.168.1.52:80   Vulnerable OS: Microsoft Windows XP. Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
192.168.1.52:443  Vulnerable OS: Microsoft Windows XP
Vulnerability Solution:
An upgrade for the installed version must be applied.
Affected Nodes    Additional Information
192.168.1.52:80   Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
192.168.1.52:443  Running HTTPS service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of component PHP found -- PHP 5.3.5
Vulnerability Solution:
Upgrade to PHP version 5.4.5
Affected Nodes    Additional Information
192.168.1.31:445  Running CIFS service. Vulnerable OS: Microsoft Windows XP. Received vulnerable status reply
Vulnerability Solution:
MS08-067: Security Update for Windows XP (KB958644).
Additional Information
192.168.1.253:139
192.168.1.253:445
192.168.1.31:139
192.168.1.31:445
192.168.1.51:139
192.168.1.51:445
Vulnerability Solution:
MS09-001: Security Update for Windows XP (KB958687)
Additional Information
192.168.1.253:445
Vulnerability Solution:
MS09-050: Security Update for Windows Server 2008 x64 Edition (KB975517).
Table V.41. MS10-012
Affected Nodes | Additional Information
192.168.1.253:139 | Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.253:445 | Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:139 | Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.31:445 | Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:139 | Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
192.168.1.51:445 | Running CIFS service. Vulnerable OS: Microsoft Windows XP. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
Vulnerability Solution:
MS10-012: Security Update for Windows XP (KB971468).
192.168.1.253:139
192.168.1.253:
192.168.1.253:445
192.168.1.253:445
192.168.1.31:139
192.168.1.31:445
Additional Information
192.168.1.51:445
192.168.1.253:139
192.168.1.253:139
192.168.1.253:445
Additional Information
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)" test.
Running CIFS service. Vulnerable OS: Microsoft Windows Server 2008 Enterprise Edition. Based on the result of the "MS09-001: Vulnerabilities in
192.168.1.253:445
192.168.1.31:139
192.168.1.31:445
192.168.1.51:139
192.168.1.51:445
Vulnerability Solution:
MS11-020: Security Update for Windows Server 2008 (KB2508429)
MS11-020: Security Update for Windows XP (KB2508429)
Affected Nodes:
Table V.44. MS12-020
Affected Nodes:
192.168.1.253:3389
192.168.1.31:3389
192.168.1.51:3389
Vulnerability Solution:
MS12-020: Security Update for Windows Server 2008 x64 Edition (KB2621440)
MS12-020: Security Update for Windows XP (KB2621440)
Table V.45. cifs-invalid-logins-permitted
Affected Nodes:
192.168.1.32
192.168.1.51
192.168.1.52
Vulnerability Solution:
In the 'Local Security Settings' feature of the Windows Control Panel, modify the following settings:
- Set 'Local Policies -> User Rights Assignment -> Deny access to this computer from the network' to include the Guest account.
- Set 'Local Policies -> Security Options -> Accounts: Guest account status' to 'Disabled'.
Table V.46. cifs-nt-0001
Affected Nodes:
192.168.1.31
192.168.1.32
192.168.1.52
Vulnerability Solution:
Disable NULL sessions for Windows XP
Affected Nodes:
192.168.1.21:139
192.168.1.21:445
192.168.1.31:139
192.168.1.31:445
192.168.1.32:139
192.168.1.32:445
192.168.1.51:139
192.168.1.51:445
192.168.1.52:139
192.168.1.52:445
Vulnerability Solution:
Microsoft Windows
- Configure the system to enable or require SMB signing as appropriate.
- Make sure that the SMB signing configuration is done for incoming connections (Server).
Affected Nodes | Additional Information
192.168.1.51:80 | Running HTTP service. HTTP TRACE request to http://192.168.1.51/
    3: TRACE / HTTP/1.1
    4: Host: 192.168.1.51
    3: Cookie: vulnerable=yes
192.168.1.52:80 | Running HTTP service. HTTP TRACE request to http://192.168.1.52/
    3: TRACE / HTTP/1.1
    4: Host: 192.168.1.52
    3: Cookie: vulnerable=yes
192.168.1.52:443 | Running HTTPS service. HTTP TRACE request to https://192.168.1.52/
    3: TRACE / HTTP/1.1
    4: Host: 192.168.1.52:443
    3: Cookie: vulnerable=yes
Vulnerability Solution:
Apache HTTPD
- Disable the HTTP TRACE method for Apache.
Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable. To deny TRACE requests, add the following line to the server configuration:
    TraceEnable off
VI.2.3. Apache HTTPD: error responses can expose cookies (CVE-2012-0053)
Description:
A flaw was found in the default error response for status code 400. This flaw could
be used by an attacker to expose "httpOnly" cookies when no custom
ErrorDocument is specified.
Affected Nodes:
Table V.49. CVE-2012-0053
Affected Nodes | Additional Information
192.168.1.52:80 | Running HTTP service. Product HTTPD exists -- Apache HTTPD 2.2.17. Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.17
192.168.1.52:80 | Running HTTP service. HTTP GET request to http://192.168.1.52/. HTTP response code was an expected 400
    9: <h1>Bad Request</h1>
    10: <p>Your browser sent a request that this server could not understan...
    11: Request header field is missing ':' separator.<br />
    12: <pre>
    9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
192.168.1.52:443 | Running HTTPS service. HTTP GET request to https://192.168.1.52/. HTTP response code was an expected 400
    9: <h1>Bad Request</h1>
    10: <p>Your browser sent a request that this server could not understan...
    11: Request header field is missing ':' separator.<br />
    12: <pre>
    9:R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...
Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.22
Upgrade to Apache HTTPD version 2.2.22
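A way to re-check both Apache findings above (the TRACE echo and the CVE-2012-0053 400-page reflection) once the fixes are applied, as an added example that is not part of the audit report or of the scanner's own code. The response samples are constructed to mirror the recorded evidence, and probe() is an assumption about how the scanner's two requests would be reproduced against a host you administer.

```python
"""Offline re-check of the two Apache findings above (added example, not part of
the audit report). The responses below are constructed to mirror the scanner's
evidence; probe() shows how the same requests are sent to a server you operate
and is never called at import time."""
import socket
import ssl

# Constructed marker modelled on the "R7TEST..." string in the scanner evidence.
MARKER = "R7TEST" * 12
COOKIE = "vulnerable=yes"

def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.decode("latin-1").split("\r\n")[0].split()[1])
    return status, body.decode("latin-1")

def trace_enabled(raw: bytes, cookie: str = COOKIE) -> bool:
    """TRACE is enabled when the server answers 200 and echoes the request line
    and our cookie in the body (Cross-Site Tracing). 'TraceEnable off' -> 405."""
    status, body = parse_response(raw)
    return status == 200 and "TRACE / HTTP/1.1" in body and cookie in body

def error_page_reflects_header(raw: bytes, marker: str = MARKER) -> bool:
    """CVE-2012-0053: a 400 page that echoes a header line sent without a ':'
    separator would echo an httpOnly cookie the same way."""
    status, body = parse_response(raw)
    return status == 400 and marker in body

def build_requests(host: str, cookie: str = COOKIE, marker: str = MARKER) -> tuple:
    """The two requests behind the evidence above; Connection: close lets the
    reader in probe() stop at end of stream."""
    trace = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\nConnection: close\r\n\r\n"
    bad = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n{marker}\r\n\r\n"
    return trace.encode(), bad.encode()

def probe(host: str, port: int = 80, use_tls: bool = False) -> tuple:
    """Send both requests to a host you administer; returns (trace, reflect).
    TLS uses default certificate validation, so internal CAs must be trusted."""
    raws = []
    for request in build_requests(host if port == 80 else f"{host}:{port}"):
        sock = socket.create_connection((host, port), timeout=5)
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            raw = b""
            while chunk := sock.recv(4096):
                raw += chunk
        raws.append(raw)
    return trace_enabled(raws[0]), error_page_reflects_header(raws[1])

# Constructed responses: the vulnerable behaviour recorded for 192.168.1.52
# (Apache HTTPD 2.2.17) next to what a fixed configuration returns.
VULNERABLE_TRACE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                    b"TRACE / HTTP/1.1\r\nHost: 192.168.1.52\r\nCookie: vulnerable=yes\r\n")
FIXED_TRACE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"
VULNERABLE_400 = (b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.2.17\r\n\r\n"
                  b"<h1>Bad Request</h1>\n<p>Your browser sent a request that this "
                  b"server could not understand.<br />\nRequest header field is "
                  b"missing ':' separator.<br />\n<pre>\n" + MARKER.encode() + b"\n</pre>\n")
FIXED_400 = (b"HTTP/1.1 400 Bad Request\r\nServer: Apache/2.2.22\r\n\r\n"
             b"<h1>Bad Request</h1>\n<p>Your browser sent a request that this "
             b"server could not understand.<br />\n</p>\n")
```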
Affected Nodes:
192.168.1.21
192.168.1.253
192.168.1.31
192.168.1.32
192.168.1.51
192.168.1.52
VII. Exploits
The following figure represents three different types of attacks that were successfully launched on three different machines by exploiting their vulnerabilities.
The first attack consists in sniffing the data entered by the legitimate user, the second one gives the hacker remote access to the exploited asset, and the third one exploits the machine's webcam.
VIII. Conclusion
The scanned site was found to be vulnerable, and the vulnerabilities presented in this report were found to be the most common ones with the highest risk rating, regardless of their type (critical, severe and moderate).
We were therefore able to successfully trigger some of the mentioned loopholes by hacking into the network and launching passive attacks.
Workbook VI
Solutions implementation
I. Introduction
As we have seen, an unsecured computer network is always vulnerable and exposed to many risks, both external and internal.
Therefore, certain procedures need to be taken to secure the network and to ensure business efficiency and continuity as well.
II. Solutions implementation
One of the first solutions to implement is an appropriate security policy for the organization, with the organization running its internal audit as stated in the ISO/IEC 27001 standard.
Then, the right solutions for the contextual vulnerabilities will be implemented.
- Easy to remember.
- Not based on anything someone else could easily guess or obtain using personal information, e.g. names, telephone numbers, date of birth.
This figure shows the vulnerabilities existing on the 192.168.1.32 PC, as shown in the Workbook V vulnerability report for site 2, before implementing the appropriate solutions.
A single command fixes both the ICMP timestamp request and the ICMP timestamp reply vulnerabilities at the same time.
During this procedure, other loopholes got fixed along with the original one.
III. DNS
DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as www.google.com, to their corresponding IP addresses for use by network programs, such as a browser.
Vulnerability
DNS cache poisoning is a computer hacking attack, whereby data is introduced into
a Domain Name System (DNS) name server's cache database, causing the name server to
return an incorrect IP address, diverting traffic to another computer (often the attacker's).
FTP
FTP, the File Transfer Protocol, is used to transfer files between systems. On the Internet, it is often used on web pages to download files from a web site using a browser. FTP uses two connections: a control connection, used to authenticate, navigate the FTP server and initiate file transfers, and a data connection, used to transfer data such as files or directory listings.
HTTPS
HTTPS, the Hyper Text Transfer Protocol over TLS/SSL, is used to exchange multimedia
content on the World Wide Web using encrypted (TLS/SSL) connections. Once the TLS/SSL
connection is established, the standard HTTP protocol is used. The multimedia files
commonly used with HTTP include text, sound, images and video.
Vulnerability
HTTPS is vulnerable to the OpenSSL Heartbleed bug; since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.
The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.
Kerberos [10]
Kerberos is a network authentication and encryption protocol. A client first authenticates itself to a Kerberos server; in other words, using some shared secret information, the client first proves to the server that it actually is who it says it is and that it is allowed access to the specified systems it is asking to use. A Kerberos server has domain over a specific set of servers and services, and if the client can be authenticated, the server provides the client with a ticket allowing it to access the requested services. Kerberos provides support for renewing and extending the scope of that ticket. In addition, once the client has obtained a ticket, all data sent between the client and other Kerberos-protected services is strongly encrypted. This prevents malicious eavesdropping or non-authenticated clients from hijacking established sessions. Kerberos also has a secure password administration protocol that operates on a different port than the main Kerberos authentication protocol.
Vulnerabilities
LDAP [11]
LDAP, the Lightweight Directory Access Protocol, is used to access and manipulate X.500
directories. X.500 directories are often used to store user information for an organization,
including full name, e-mail address, phone numbers, etc.
Vulnerability
- The TCP three-way handshake used for user authentication can be exploited by a DoS attack.
LDAPS
LDAPS, the Lightweight Directory Access Protocol over TLS/SSL, is used to access and
manipulate X.500 directories using encrypted (TLS/SSL) connections. X.500 directories are
often used to store user information for an organization, including full name, email address,
phone numbers, etc.
Vulnerability
Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory
Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is
configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate
that is associated with a valid domain account and then uses that revoked certificate to
authenticate to the Active Directory domain.
LPD
The Line Printer Daemon Protocol (LPD) specifies a method by which clients can send
documents to a printer or print daemon over TCP/IP.
Vulnerability
There is a buffer overflow in several implementations of in.lpd, a BSD line printer daemon. An intruder can send a specially crafted print job to the target and then request a display of the print queue to trigger the buffer overflow. The intruder may be able to use this overflow to execute arbitrary commands on the system with super-user privileges.
NTP
The Network Time Protocol (NTP) is used to keep the clocks of machines on a network
synchronized. Provisions are made in the protocol to account for network disruption and
packet latency.
Vulnerability
A vulnerability in the "monlist" feature of ntpd can allow remote attackers to cause a distributed denial of service (DDoS) attack via forged requests. US-CERT and the Canadian Cyber Incident Response Centre (CCIRC) have both observed active use of this attack vector in recent DDoS attacks.
Oracle
Oracle Database is a database server providing Structured Query Language (SQL) access to
its data. TNS, the Transparent Network Substrate, is the native data access protocol.
Vulnerability
CVE-2012-1675 lies in the TNS listener and was recently disclosed as the TNS Listener Poison Attack affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied.
SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail
messages between hosts. Clients typically submit outgoing e-mail to their SMTP server,
which then forwards the message on through other SMTP servers until it reaches its final
destination.
Vulnerability
Installed by default
By default, most UNIX workstations come with the sendmail (or equivalent) SMTP server installed to handle mail for the local host (e.g. the output of some cron jobs is sent to the root account via e-mail). Check your workstations to see if sendmail is running by telnetting to port 25/tcp. If sendmail is running, you will see something like this:
    $ telnet mybox 25
    Trying 192.168.0.1...
    Connected to mybox.
    Escape character is '^]'.
    220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT)
If sendmail is running and you don't need it, disable it via /etc/rc.conf or your operating system's equivalent startup configuration file. If you do need SMTP for the local host, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.
Promiscuous relay
Perhaps the most common security issue with SMTP servers is a server acting as a "promiscuous relay", or "open relay": a server which accepts and relays mail from anywhere to anywhere. This setup allows unauthenticated third parties (spammers) to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP servers.
Telnet
The telnet service provides console access to a machine remotely.
Vulnerability
No Support for Encryption
All data, including usernames and passwords, is sent in cleartext over TCP.
The number one vulnerability of the telnet service is its inherent lack of support for encryption. This is an artifact of the period in which it was invented, 1971, when little knowledge of cryptography existed outside military environments and computer technology was not yet advanced enough to handle its real-time use.
SSH should be used instead of telnet.
System Architecture Information Leakage
Most telnet servers will broadcast a banner which details the exact system type (i.e. hardware
and operating system versions) to any connecting client, without requiring authentication.
This information is crucial for carrying out serious attacks on the system.
SSH
SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol.
It primarily adds encryption and data integrity to Telnet, but can also provide superior
authentication mechanisms such as public key authentication.
Vulnerability
The ssh package includes a program called ssh-agent. The ssh-agent manages the RSA keys for the ssh program, and is used primarily to help users avoid having to type in their passphrase every time they wish to use ssh, slogin or scp. When invoked, the ssh-agent program creates a mode 700 directory in the /tmp directory, and then creates an AF_UNIX socket in that directory. Later, the user runs a program named ssh-add, which adds his or her private key to the set of keys managed by the ssh-agent program. When a user wishes to use a program which requires RSA key authentication, that program connects to the AF_UNIX socket and asks the ssh-agent program for the appropriate key.
The vulnerability lies in the fact that when the ssh client connects to the AF_UNIX socket, it is running as super-user, or root, and performs insufficient permission checking. This makes it possible for users to trick their ssh clients into using credentials belonging to other users. In other words, any user who uses RSA authentication together with the ssh-agent program may have their credentials improperly used by a malicious user, who may then improperly access services or programs on a host machine.
TFTP
TFTP, or Trivial File Transfer Protocol, is a simplified version of FTP. It is designed to work
over UDP, and supports only file reading and file writing, but not directory listing.
No authentication mechanism exists.
Vulnerability
Table VI.51. CVE-2008-2161
Confidentiality Impact | revealed.
Integrity Impact |
Availability Impact | There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.
Authentication | Not required
IV. General solutions
In the following figure, each of the illustrated rules generates an alert for a certain action. The first rule detects a root logon attempt using the telnet service.
The second rule detects the establishment of an ssh connection from an external machine.
This figure illustrates the set-up of the network address variables using the ipvar command.
In this figure we see the list of iptables rules set to control the data streams according to a given security policy. Through these rules we can choose whether to accept or refuse certain data streams.
Conclusion
It is only through identifying the risks and the network's loopholes that we managed to take the right procedures to secure the information system.
With the solutions implemented and illustrated in this chapter, we managed to secure the network from any residual risk, whether internal or external.
Closure
As a roundup, this thesis presents the different stages of a security audit in the six previous workbooks.
At the outset, the functional specification defines the relationship between the holder of the audit mission and the client. In addition, it provides full guidance for the auditor in order to fulfil his part of the bargain.
The second workbook contains general information on the knowledge every auditor or security specialist needs to have.
The last four workbooks represent the real beginning of the audit mission. According to workbook III, a security methodology needs to be chosen for the risk analysis, as stated in the international standard ISO/IEC 27001: "Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements."
After the risk analysis phase is completed, the auditor has to identify the network's loopholes and generate a vulnerability report, as shown in workbook IV and workbook V.
Last but not least, the auditor is bound to take corrective measures for the identified vulnerabilities, along with other general corrective procedures, to ensure the security and stability of the information system, as was done in workbook VI.
To conclude, in order to build the security of an information system on solid foundations, an international standard needs to be chosen. It has to be based on the status of the organization, along with a security methodology, to guide the auditor through the different stages of his audit mission and to take the right procedures for the fulfilment of his task.
VI. Bibliography
[1] ISO/IEC 27000:2012 - Information technology - Security techniques - Information security management systems - Overview and vocabulary.
[2] ISO/IEC 27001:2005 - INB, interdisciplinary standardization sector.
[3] ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management.
[4] ISO/IEC 27003:2010 - Information technology - Security techniques - Information security management system implementation guidance.
[5] ISO/IEC 27004:2009 - Information technology - Security techniques - Information security management - Measurement.
[6] ISO/IEC 27005:2011 - Information technology - Security techniques - Information security risk management.
[7] Mehari 2010 - Stakes analysis and classification guide.
[8] Mehari 2010 - Evaluation guide.
[9] Mehari 2010 - Risk analysis and treatment guide.
[10] Jay Holcomb, "Kerberos Network Authentication Security Protocol: Recent Security Vulnerabilities", GIAC Level One Security Essentials practical assignment for certification.
[11] C. Obimbo and B. Ferriman, "Vulnerabilities of LDAP As An Authentication Service," Journal of Information Security, Vol. 2, No. 4, 2011, pp. 151-157.