Acme Widgets Inc
Security Assessment Report
May 6, 2010
ACSG 570, Web Server Security (BYTE ME Project)
Date
05/06/2010
Prepared By:
Saurav Amatya
Anju Amatya
Larry Jennings
The information contained within this report is considered proprietary
and confidential to the ACME Widgets Inc. Inappropriate and
unauthorized disclosure of this report or portions of it could result in
significant damage or loss to the ACME Widgets Inc. This report
should be distributed to individuals on a Need-to-Know basis only.
Paper copies should be locked up when not in use. Electronic copies
should be stored offline and protected appropriately.
Acknowledgements
We, the group members – Saurav Amatya, Anju Amatya and Larry Jennings – would like to thank
Dr. Aman for providing all the necessary information regarding penetration testing. The external
links, tutorials and lectures that he provided were very useful and full of knowledge for us.
We would also like to thank him for giving us real practical knowledge through this BYTE ME
project and for introducing us to the great security professional Mr. James E. Conway.
We would also like to thank Mr. James E. Conway for coming all the way from Ohio, being
involved in our project and helping us at every step to gain an understanding of his network.
His real-life experiences and the lecture he gave for the BYTE ME exercise were also very
useful. Besides that, we would like to thank him for setting up the virtual corporate environment
where we could gain real field experience.
Last but not least, we would also like to thank our group members (each other) for being so
cooperative. The work done by each member has contributed significantly to the completion of
the exercise and thus of the report.
Thank you everyone!
Table of Contents
Introduction .................................................................................................................................................. 4
1. Network Profile ........................................................................................................................................ 5
1.1 Network Layout Discovery ............................................................................................................... 5
1.2 Overview of open ports with security concerns .............................................................................. 6
2. Some sensitive information found over the ACME-Widget Network ............................................... 7
2.1 Password lists of the different hosts ................................................................................................ 7
2.2 List of Suspected Customer names ................................................................................................ 10
2.3 Some critical files in editable mode ............................................................................................... 11
2.3.1 Numbers of critical files could be edited with sudo –s command in 192.168.199.106 .......... 11
2.4 Accessible Security Policy on 192.168.199.99 ............................................................................... 13
Figure: Security Policy on 192.168.199.99 ............................................................................................. 13
Figure: Computer Management on 192.168.199.99 ............................................................................... 14
Figure: Accessing admin group on 192.168.199.99................................................................................ 15
3. Key Recommendations........................................................................................................................... 16
3.1 Technical .......................................................................................................................................... 16
3.2 Non - Technical ............................................................................................................................... 18
4. Methodology .......................................................................................................................................... 18
4.1 Research ........................................................................................................................................... 18
4.2 The beginning phase – Analyzing the network............................................................................. 19
4.3 Web Site Testing ............................................................................................................................. 20
5. Some pre-installed tools in the system ................................................................................................. 20
5.1 Wireshark ........................................................................................................................................ 20
5.2 Metasploit ........................................................................................................................................ 21
5.3 Cain n Abel ...................................................................................................................................... 21
1 | ACME-Widgets Inc. Penetration Testing Report
5.4 Fast track Autopwn ........................................................................................................................ 21
5.5 Nessus .............................................................................................................................................. 22
5.6 Zenmap ........................................................................................................................................... 22
5.7 Open-VAS ....................................................................................................................................... 22
6. Scan results for each machine in network 192.168.199.0/24 .............................................................. 23
6.1 192.168.199.70................................................................................................................................. 23
Repartition of the level of security problems ..................................................................................... 24
Summary ............................................................................................................................................. 24
High Level Vulnerability Analysis for machine 192.168.199.70 .......................................................... 24
Mid Level Vulnerability Analysis for machine 192.168.199.70 ........................................................... 28
Low Level Vulnerability Analysis for machine 192.168.199.70........................................................... 29
6.2 192.168.199.99................................................................................................................................. 33
Repartition of the level of security problems ..................................................................................... 34
Summary ............................................................................................................................................. 34
High Level Vulnerability Analysis for machine 192.168.199.99 .......................................................... 34
Mid Level Vulnerability Analysis for machine 192.168.199.99 ........................................................... 35
Low Level Vulnerability Analysis for machine 192.168.199.99........................................................... 36
6.3 192.168.199.106............................................................................................................................... 38
Repartition of the level of security problems ..................................................................................... 38
Summary ............................................................................................................................................. 39
Critical Issues ....................................................................................................................................... 39
High Level Vulnerabilities Analysis for 192.168.199.106 .................................................................... 39
Mid-level Vulnerabilities Analysis for 192.168.199.106 ..................................................................... 40
Low Level Vulnerabilities Analysis for 192.168.199.106 ..................................................................... 40
6.4 192.168.199.222............................................................................................................................... 41
Repartition of the level of security problems ..................................................................................... 42
Summary ............................................................................................................................................. 42
High Level Vulnerabilities Analysis for Machine 192.168.199.222 ..................................................... 42
Mid Level Vulnerabilities Analysis for Machine 192.168.199.222 ...................................................... 42
Low Level Vulnerabilities Analysis for Machine 192.168.199.222 ...................................................... 43
6.5 192.168.199.230............................................................................................................................... 44
Repartition of the level of security problems ..................................................................................... 45
Summary ............................................................................................................................................. 45
High Level Vulnerabilities Analysis of 192.168.199.230 ..................................................................... 45
Mid Level Vulnerabilities Analysis of Machine 192.168.199.230 ....................................................... 49
6.6 192.168.199.232............................................................................................................................... 54
Repartition of the level of security problems: .................................................................................... 54
Summary ............................................................................................................................................. 55
High Level Vulnerabilities Analysis of 192.168.199.232 ..................................................................... 55
Mid Level Vulnerabilities Analysis of Machine 192.168.199.232 ....................................................... 56
Low Level Vulnerabilities Analysis of Machine 192.168.199.232 ....................................................... 58
Conclusion .................................................................................................................................................. 59
References .................................................................................................................................................. 60
Penetration Testing Log ............................................................................................................................. 61
Introduction
This report contains the sensitive information related to the penetration testing of ACME Widgets
Inc. performed by a group of 3 members – Anju Amatya, Larry Jennings and Saurav Amatya.
This report consists of the research, findings and summary of a 3 week period of testing that
began on April 8th, 2010 and concluded on April 29th, 2010. The main focus of this report is the
result of the testing requested by ACME-Widgets Inc. to confirm the vulnerabilities of their
computer network.
This report covers every aspect of the client's (ACME Widget) network – Technical as well as
Non-Technical. The main focus of this report has been on pointing out the vulnerabilities of the
network and then the measures to address them.
1. Network Profile
1.1 Network Layout Discovery
We have discovered the following topology of the network of ACME-Widgets.
Figure: Network Layout of ACME Widgets
1.2 Overview of open ports with security concerns
Note: these ports were open at one point in time during our testing; however, some of them are
opened by applications on demand, because they were not always consistently present.
Figure: Open ports on different hosts of ACME Widgets
2. Some sensitive information found over the ACME-Widget Network
2.1 Password lists of the different hosts
Passwords for the different machines could be cracked using the password hash values obtained
with the command ‘hashdump’. There are many online websites which convert a provided hash
into plain text, for example http://www.objectif-securite.ch/en/products.php
UserName Password
Administrator Empty
aman Acsg123
backtrack 123Chor420
barcelona Batoul06
Dumbledore Dumbledore
GORKHALI GORKHALI
Guest Empty
hack hacker
kechasolti GORKHALI
ksr 1234hack
Morpheus Neotheone
Nepali Nepal
ser alGhaD
Severus.Snape Slytherin
Smas GORKHALI
Figure: Username/password table for 192.168.199.230
Username Password
admin admin
admn pLato
backtrack1 123Chor420
Daddy Hermione
everest1 123Chor321
Guest Empty password
HelpAssistant MJ!6SgvDADVIDm
Hpotter Empty password
Services pLato
SQLExecutiveCmdExec SFNATNIE
SUPPORT_388945a0* LM hash empty, NT hash cannot be cracked by this table
Administrator LM hash empty, NT hash cannot be cracked by this table
Figure: Username/Password table for 192.168.199.232
Username Password
admin nimdA2378
Administrator DarkArts
backtrack 123Chor420
computer pLato
everest 123Chor321
Guest active:no
Harry.J.Potter Gryffindor
IWAM_WORKMASTER 6ES3@1H3pC/^Ro
IUSR_WORKMASTER Fs&:q>0T5L7_`0
ksr hack1234
Ksr1 attack123
Support_388945a0? LM hash empty, NT hash cannot be cracked by this table
Figure: Username/Password table for 192.168.199.99
2.2 List of Suspected Customer names
Additionally, we also found a list of suspected customer names on the host 192.168.199.70. While
this name was blank, the formatting suggests that it may have been used to create files; it is also
possible that there are potential passwords in this file.
Please see the contents of the file “users.txt” from the 192.168.199.70 NT machine.
dabsalon, Daniel Absalon, st_DarkArts,,,,,,
aadhikari, Ashok Adhikari, st_DarkArts,,,,,,
jaman,Jams,Aman,pr_DarkArts,,,,,,
aamatya, Anju Amatya, st_DarkArts,,,,,,
samatya, Saurav Amatya, st_DarkArts,,,,,,
caviles, Christina Aviles, st_DarkArts,,,,,,
ababani-maghirang,AshaBabani-Maghirang,st_DarkArts,,,,,,
bbarkowski,BrianBarkowski,st_DarkArts,,,,,,
aboston,AndrewBoston,st_DarkArts,,,,,,
jconway,JamesConway,co_DarkArts,,,,,,
ecrump, Eric Crump, st_DarkArts,,,,,,
sdrake, Stacey Drake, st_DarkArts,,,,,,
wevens,WilliamEvens,st_DarkArts,,,,,,
jjenkins,JohnnyJenkins,st_DarkArts,,,,,,
ljennings, Larry Jennings, st_DarkArts,,,,,,
sjogkaew, Somchai Jogkaew, st_DarkArts,,,,,,
mkowalski, Megan Kowalski, st_DarkArts,,,,,,
mnowak, Miles Nowak, st_DarkArts,,,,,,
oolympio, Olantunde Olympio, st_DarkArts,,,,,,
rsampathkumaran, Ramanujan Sampathkumaran, st_DarkArts,,,,,,
rschwien,RobertSchwien, st_DarkArts,,,,,,
2.3 Some critical files in editable mode
2.3.1 A number of critical files could be edited with the sudo -s command on 192.168.199.106
Figure: /etc/passwd screenshot (callouts: User ID ‘0’ stands for root and it could be edited;
Group ID ‘0’ stands for the root group and it could be edited)
Figure: /etc/shadow screenshot (callout: this is the encrypted form of the password; it could be deleted)
2.4 Accessible Security Policy on 192.168.199.99
Figure: Security Policy on 192.168.199.99
Figure: Accessing admin group on 192.168.199.99
3. Key Recommendations
3.1 Technical
What we would like to do here is point out a few of the high level precautions that the client
should take to address many of the security problems that were encountered. Addressing even a
few of these may greatly improve your network's security.
i) Password Strength and Settings:
a) While looking at the network, we were able to determine the passwords for
several users using dictionary and brute force attacks. So, you should choose long
passwords with a combination of all kinds of characters – for example #, numbers,
capital letters, small letters etc.
b) You should increase the minimum password length from 5 up to 8. The more
characters that are required, the more the chance of breaking a password using a
dictionary or brute force attack drops.
c) Some hosts have the minimum password length set to ‘0’. Please change this to 8
or more.
d) The lockout threshold should be set to a maximum of 3. It is set to “never” on most
of the hosts.
ii) Open Ports:
Several open ports were detected during the course of this test. Many of these ports
are being used by possibly unneeded software. Blackjack was even present on 1 of
the machines. A port that is open on a machine can be an open invitation to hackers
and others who want to get at sensitive information. Filter, block or close any open
port that is not being used.
Also, an open port combined with a weak password can have very bad consequences.
NetBIOS ports 135 – 139/tcp (netbios-ssn) were found to be open on most of the
computers. These are some of the most scanned ports on remote computers. Ports 135
- 139 are typically used for file/printer sharing, including directory replication with
Active Directory, trusts, remote access of event logs, etc. Unless you want these
services, you can block these ports. The best protection is to turn off File and Print
Sharing, or block ports 135-139 completely. If you must enable it, use the following
guidelines:
a) Use strong passwords, containing non-alphanumeric characters.
b) Attach "$" at the end of your share names (the casual snooper using net view
might not see them)
c) Unbind File and Print Sharing from TCP/IP and use NetBEUI instead (it's a
non-routable protocol).
d) Block ports 135-139 in your router/firewall (vs. locally on the machine) which
helps to stop outside users from seeing these ports.
iii) Pre-availability of harmful network tools
There are several hosts that have software of questionable use in an environment
such as ACME Widgets. The excessive amount of exploitation software on Mr.
Harry Potter's machine 192.168.199.106 is a good example, e.g. metasploit,
zenmap, nessus, fasttrack autopwn etc. Much of the software that is installed on that
machine can easily be used to do damage to a network if it is put in the wrong hands.
Additionally, we found a large stash of games from Disney and Ubisoft on the
machine 198.168.199.222. While these games are for entertainment purposes, online
play exposes the machine to unneeded risks.
iv) Users having the ability to install software introduces several risks, including the
possibility of viruses and malware, as well as the system resources and time used
to remove the software.
v) Many hosts need to have their security patches updated. The latter portion of the
report discusses the security patches in more detail.
vi) The use of VNC software seems to be prevalent among the machines on the network.
While there is nothing wrong with that, we would like to ask you to monitor its use.
vii) Continuous monitoring of the open ports in the firewall and network is required.
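The password and lockout recommendations in i) a) to d), turned into a simple audit as an added example (editor's code, not part of the original report): it checks credentials and host account settings against those recommendations, using a few of the fictional credentials from section 2.1 as constructed sample input; the host address in the sample policy is a placeholder.

```python
"""Policy audit for the password findings in sections 2.1 and 3.1.

Added example (editor's code, not part of the original report). It checks
credentials and host settings against the report's recommendations: at least
8 characters, a mix of character classes, no password that mirrors the
username, and an account lockout threshold of at most 3 instead of "never".
The sample data below is constructed from the fictional values in the report.
"""
from dataclasses import dataclass
from typing import Optional
import string

MIN_LENGTH = 8      # recommendation 3.1 b)/c): raise the minimum from 5 (or 0) to 8
MIN_CLASSES = 3     # recommendation 3.1 a): mix upper, lower, digits and symbols
MAX_LOCKOUT = 3     # recommendation 3.1 d): lock out after at most 3 failed logons

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    return sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)


def password_findings(username: str, password: str) -> list:
    """Return the recommendations a (username, password) pair violates, in policy order."""
    if not password:
        return ["empty password"]
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    user, pw = username.lower(), password.lower()
    if user == pw:
        findings.append("mirrors the username")
    elif len(pw) >= 4 and (pw in user or user in pw):
        findings.append("overlaps with the username")
    return findings


@dataclass
class HostPolicy:
    """Account policy values as read from a host; a None lockout means 'never'."""
    host: str
    min_password_length: int
    lockout_threshold: Optional[int]


def policy_findings(policy: HostPolicy) -> list:
    """Return the account-policy settings on a host that fall short of the recommendations."""
    findings = []
    if policy.min_password_length < MIN_LENGTH:
        findings.append(
            f"minimum password length is {policy.min_password_length}, should be {MIN_LENGTH} or more")
    if policy.lockout_threshold is None:
        findings.append(f"lockout threshold is 'never', should be at most {MAX_LOCKOUT}")
    elif policy.lockout_threshold > MAX_LOCKOUT:
        findings.append(
            f"lockout threshold is {policy.lockout_threshold}, should be at most {MAX_LOCKOUT}")
    return findings


def audit_credentials(credentials) -> dict:
    """Map each username with at least one finding to its list of findings."""
    report = {}
    for username, password in credentials:
        findings = password_findings(username, password)
        if findings:
            report[username] = findings
    return report


# Constructed sample: a few of the fictional credentials listed in section 2.1.
SAMPLE_CREDENTIALS = [
    ("Administrator", ""),
    ("GORKHALI", "GORKHALI"),
    ("Nepali", "Nepal"),
    ("backtrack", "123Chor420"),
    ("HelpAssistant", "MJ!6SgvDADVIDm"),
]

# Constructed sample of the weak settings the report describes (length 0, lockout 'never');
# the host address is a placeholder, not a finding attributed to a specific machine.
SAMPLE_POLICY = HostPolicy(host="192.168.199.x", min_password_length=0, lockout_threshold=None)

if __name__ == "__main__":
    for user, findings in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{user}: {'; '.join(findings)}")
    for finding in policy_findings(SAMPLE_POLICY):
        print(f"{SAMPLE_POLICY.host}: {finding}")
```

Passing this check is necessary but not sufficient: 123Chor420 satisfies the length and character-class rules yet was still recovered from its hash in section 2.1, which is why the lockout threshold and patching recommendations matter as much as the password rules.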
3.2 Non - Technical
i) Physical Location of Computer Equipment
While inspecting Acme Widgets, we noticed that the servers were located in the
basement of the building. This is not so much a penetration test security risk as a
possible interruption to the business itself: there is always the possibility of
flooding in a low lying location such as a basement. We would recommend that the
servers be moved to a higher location where flooding is not as much of a possibility.
ii) All the computers seem to have low processing capacity. We would suggest increasing
the capacity so that programs can run smoothly on your computers.
iii) Back up your systems at regular intervals.
iv) Make sure automatic updates are enabled on all the hosts so that each computer
installs the latest security patches itself.
v) Make your users aware of the consequences of simple passwords and of the confidentiality
of the information in your business.
vi) Make your users aware of the viruses around and their consequences. Also, tell them to
scan anything that is unknown or suspicious.
vii) Tell your users not to download heavy files like movies, which can significantly
increase bandwidth traffic, and many of the sites offering them contain malware.
4. Methodology
4.1 Research
Our testing began with some basic research on the acme-widgets users. We were able to find out
that one of the people responsible for your network is Mr. Harry J. Potter. We tried an SSH login
on the public IP 98.28.11.223 on port number 22.
Guessing the username and password for the login was quite an easy task. With some research
and a few username-password combinations, we were able to determine the username as “hpotter”
(a combination of the initial of the first name and the full last name of Harry Potter) and the
password as “Hogwarts” (which is the school where he studied). Users typically choose passwords
that have special significance because they are easy to remember. Unfortunately, they are also
easy to guess. This was how we got into the network.
4.2 The beginning phase – Analyzing the network
In the process of analyzing your network we got access to 192.168.199.106, and here is what we
found.
It is a general purpose Linux machine running Linux bt 2.6.30.9 as its operating system with
00:08:02:8d:20:ce as its MAC address. Once we got into this machine, we discovered that it was
already loaded with the following network utilities:-
• Network scanning and vulnerability finding utilities like zenmap, Nessus and Open-VAS,
which can be used to scan for open ports and vulnerabilities on a remote host.
• Network mapping tools like lanmap, which can be used to get information about the
network structure.
• Password sniffing or network monitoring tools like Wireshark, which can be used to monitor
anything flowing through the network.
• Exploitation tools like Metasploit and Fast-track Autopwn, which can be used to send
exploits to a remote vulnerable host and compromise it.
The pre-availability of these tools on the 192.168.199.106 machine made it very easy for us
to gather information about the rest of the network, the network as a whole and the
vulnerabilities on each machine.
The information discovered about the network structure in the first place from the 192.168.199.106
host:-
• Besides this machine, there are 5 other hosts with IP addresses :-
o 192.168.199.70
o 192.168.199.99
o 192.168.199.222
o 192.168.199.230
o 192.168.199.232
• Each of the hosts is on the same network, 192.168.199.0/24, with 192.168.199.1 (my.firewall)
as the gateway.
• Besides acting as the gateway for network 192.168.199.0/24 with IP address
192.168.199.1, my.firewall (which has the public IP address 98.28.11.223) also acts as the
gateway for the other sub-network 192.168.0.0/24 with IP address 192.168.0.4.
4.3 Web Site Testing
Attempts were made to investigate the website at acme-widgets. However, several attempts to
locate a website within the network were fruitless. Even looking on the server, we were unable to
find a website. We include this in the report with the understanding that, while a website may not
exist, attempts were made to locate it.
5. Some pre-installed tools in the system
5.1 Wireshark
Wireshark is used to capture network traffic. There are a number of reasons to use this data. One
reason is that data is often transmitted from computer to computer unencrypted, and sensitive data
such as passwords can be captured. Additionally, this software's captures can also be used to
identify other subnetworks or wireless networks.
Test Results
Based on 2 captures of data, we were unable to identify any passwords being transmitted to or
from the network. Most of the traffic that we did see was basic traffic of a normal nature going
between the systems. Additionally, we were not able to detect any wireless traffic or
additional routers.
5.2 Metasploit
Metasploit is a program designed to run tests against the open ports of a computer. For example,
if a machine has a port open that has a known vulnerability (or weakness), Metasploit can be
used to streamline the testing process and attempt to gain access to the machine. From there,
whoever is running the exploit can have access to everything on the computer.
Test Results
Based on our port scan results, we were successfully able to penetrate every machine on the
network using several different methods. More of this information will be located in the section
on vulnerabilities.
5.3 Cain n Abel
Cain is a utility that is used to run attacks on encrypted passwords. Once we were able to access
the SAM files on some of the PCs, we were able to use Cain to decrypt the passwords using a
variety of dictionary and brute force attacks.
Test Results
Once we had gained access to the machines, we were able to successfully download the SAM
file. The SAM file is essentially the password and login file. We were able to identify several
users such as Severus Snape, DADDY, Barcelona, Aman, and GORKHALI. When we ran these
passwords against a dictionary attack we were able to find a few passwords. For example, user
‘GORKHALI’ has a password that mirrored his username.
5.4 Fast track Autopwn
Fast-Track is a python based open-source project aimed at helping penetration testers in an
effort to identify, exploit, and further penetrate a network.
Fast-Track utilizes large portions of the Metasploit Framework in order to complete successful
attacks. Fast-Track has a wide variety of unique attacks that allow utilizing the Metasploit
Framework to its maximum potential.
This is the syntax of the command that we used throughout our testing process:-
./fast-track.py -c 2 <IP> -r
where c = command line and r = reverse
5.5 Nessus
Nessus is a vulnerability scanner tool which is used to scan a machine and detect the open ports and
security holes in it. Besides this, it also offers a solution for each, with the probable consequences.
5.6 Zenmap
Zenmap is the official Nmap security scanner GUI. Zenmap is another vulnerability scanner tool which
is used to perform different levels of scans on a machine. It helps to find the open ports on the machine,
the operating system and many more things.
5.7 Open-VAS
Open-VAS stands for Open Vulnerability Assessment System and is a network security scanner with
associated tools like a graphical user front-end. The core component is a server with a set of network
vulnerability tests (NVTs) to detect security problems in remote systems and applications.
6. Scan results for each machine in network 192.168.199.0/24
* Vulnerability information is based on information provided by Nessus.
6.1 192.168.199.70
Port Scan
Machine:192.168.199.70
Operating System: Windows NT
Machine Security Status: Poor
Protocol Port Program Status
High Level Vulnerabilities
Tcp 21 ftp Open
Http 80 Open
Tcp 135 Epmap Open
Tcp 139 Netbios-ssn Open
Tcp General
Mid Level Vulnerabilities
Udp 137 Netbios-ns Open
Low Level Vulnerabilities
Tcp 70 Gopher Open
Tcp 1028 Unknown Open
Tcp 1030 Iad1 Open
Figure: Open ports in the host 192.168.199.70
Repartition of the level of security problems
Summary
The .70 NT machine is full of things that a hacker could use to gain access to the machine.
There is an open FTP port that allows anonymous access. The administrator account does
not have a password. Additionally, there are a few ways for a non-administrator to elevate
his access on this machine. These are noted below. Please update the security patches on
this machine, or otherwise move it to a more secure operating system.
High Level Vulnerability Analysis for machine 192.168.199.70
Vulnerability found on port ftp (21/tcp)
• It was possible to make the remote FTP server crash by creating a huge directory
structure. This is usually called the 'wu-ftpd buffer overflow' even though it affects
other FTP servers. It is very likely that an attacker can use this flaw to execute
arbitrary code on the remote server. This will give him a shell on your system, which
is not a good thing.
• Solution: Upgrade your FTP server.
Consider removing directories writable by 'anonymous'.
• Risk factor : High
CVE : CVE-1999-0368, CVE-1999-0878, CVE-1999-0879, CVE-1999-0950
Vulnerability found on port ftp (21/tcp)
• The remote FTP server closes the connection when a command is too long or is given
a too long argument. This is probably due to a buffer overflow, which allows anyone to
execute arbitrary code on the remote host. This problem is threatening, because the
attackers don't need an account to exploit this flaw.
• Solution : Upgrade your FTP server or change it
• Risk factor : High
CVE : CAN-2000-0133, CVE-2000-0943, CAN-2002-0126, CVE-2000-0870, CAN-2000-1035,
CAN-2000-1194
Vulnerability found on port http (80/tcp)
• When IIS receives a user request to run a script, it renders the request in a decoded
canonical form which performs security checks on the decoded request. A
vulnerability results because a second, superfluous decoding pass is performed after
the initial security checks are completed. Thus, a specially crafted request could allow
an attacker to execute arbitrary commands on the IIS Server.
• Solution: See MS advisory MS01-026 (superseded by MS01-044)
Please see the details on http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
• Risk factor : High
CVE : CVE-2001-0507, CVE-2001-0333
Vulnerability found on port netbios-ssn (139/tcp)
• The following registry keys are writeable by users who are not in the admin group :
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
These keys contain the name of the program that shall be started when the computer
starts. The users who have the right to modify them can easily make the admin run a
trojan program which will give them admin privileges.
• Solution: Use regedt32 and set the permissions of this key to :
- Admin group : Full Control
- System : Full Control
- Everyone : Read
Make sure that 'Power Users' do not have any special privilege for this key.
• Risk factor : High
CVE : CAN-1999-0589
Vulnerability found on port netbios-ssn (139/tcp)
• The following shares can be accessed as hpotter :
.nessus_test_2 IE 5.5 SP1 Full Q244599i.EXE
41414141 ie401sp1.exe Q246009i.EXE
CVGRKQNGJI ie55sp1.exe Q831167.exe
DTDJMCEKJZ ie5setup sp4rk_i386.Exe
FISNOBUAOF ie6setup.exe XXXXXXXXXX
GUVPBZPJCR nessus_test
• Solution : To restrict their access under Windows NT, open the Explorer, right-click on
each share, go to the 'Sharing' tab, and click on 'Permissions'
• Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
Vulnerability found on port netbios-ssn (139/tcp)
• The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
is writeable by users who are not in the admin group. This key contains a value which
defines which program should be run when a user logs on. As this program runs in
the SYSTEM context, the users who have the right to change the value of this key can
gain more privileges on this host.
• Solution : use regedt32 and set the permissions of this key to :
- admin group : Full Control
- system : Full Control
- everyone : Read
• Risk factor : High
CVE : CAN-1999-0589
Vulnerability found on port netbios-ssn (139/tcp)
• The registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
is missing. This key allows you to define what can be viewed in the registry by
non-administrators.
• Solution : install Service Pack 3 if not done already, and create
SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths
Under this key, create the value 'Machine' as a REG_MULTI_SZ and put in it what
you allow to be browsed remotely.
• Reference :
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/mngntreg/admreg.asp
• Risk factor : Medium
Vulnerability found on port netbios-ssn (139/tcp)
• It seems that it was possible to crash the remote Windows host remotely by sending a
specially crafted packet. An attacker may use this flaw to prevent this host from
working properly. This attack is known as SMBDie.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx (link to
the patch)
• Risk factor : High
• CVE : CAN-2002-0724
Mid Level Vulnerability Analysis for machine 192.168.199.70
Warning found on port netbios-ssn (139/tcp)
• The domain SID could be used to enumerate the names of the users of this domain.
This gives extra knowledge to an attacker, which is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : hpotter (id 501)
- ACMEDC$ (id 1000)
- IUSR_ACMEDC (id 1001)
- backtrack (id 1002)
• Risk factor : Medium
• Solution : filter incoming connections to this port
CVE : CVE-2000-1200
Warning found on port netbios-ssn (139/tcp)
• Here is the list of the SMB shares of this host:
NETLOGON - Logon server share
ftproot -
ADMIN$ - Remote Admin
IPC$ - Remote IPC
C$ - Default share
This is potentially dangerous as this may help the attack of a potential hacker.
• Solution : filter incoming traffic to this port
• Risk factor : Medium
Warning found on port netbios-ns (137/udp)
• The following 11 NetBIOS names have been gathered:
ACMEDC = This is the computer name
ACMEDC
ACME = Workgroup / Domain name
ACME = Workgroup / Domain name (Domain Controller)
ACME
ACMEDC = This is the current logged in user or registered workstation name.
INet~Services = Workgroup / Domain name (Domain Controller)
IS~ACMEDC
ACME = Workgroup / Domain name (part of the Browser elections)
ACME __MSBROWSE__
The remote host has the following MAC address on its adapter :
00:0c:29:c7:26:b9
• If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621
Low Level Vulnerability Analysis for machine 192.168.199.70
Warning found on port ftp (21/tcp)
• This FTP service allows anonymous logins. If you do not want to share data with
anyone you do not know, then you should deactivate the anonymous account, since it
may only cause troubles.
• Risk factor : Low
CVE : CAN-1999-0497
Warning found on port epmap (135/tcp)
• Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge about the remote host.
• Solution: filter incoming traffic to this port.
• Risk factor : Low
Warning found on port netbios-ssn (139/tcp)
• The Alerter service is running. This service allows NT users to send pop-up messages
to each other. It can be abused by an attacker who tricks valid users into taking
actions that may harm their accounts or your network (social engineering attack).
• Solution : Disable this service.
• Risk factor : Low
How to disable this service under NT 4 :
- open the 'Services' control panel
- select the 'Alerter' service, and click 'Stop'
- click on 'Startup...' and change the radio button of the
field 'Startup Type' from 'Automatic' to 'Disabled'
CVE : CAN-1999-0630
Warning found on port netbios-ssn (139/tcp)
• The remote registry can be accessed remotely using the login / password combination
used for the SMB tests. Having the registry accessible to the world is not a good thing
as it gives extra knowledge to a hacker.
• Solution: Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
In addition to this, you should consider filtering incoming packets to this port.
• Risk factor : Low
CVE : CAN-1999-0562
Warning found on port netbios-ssn (139/tcp)
• The domain SID can be obtained remotely. Its value is :
ACME : 5-21-1730571904-1379865857-4547331
An attacker can use it to obtain the list of the local users of this host.
• Solution : filter the ports 137 to 139 and 445
• Risk factor : Low
CVE : CVE-2000-1200
Warning found on port netbios-ssn (139/tcp)
• Here is the browse list of the remote host :
ACME-W2K-01 -
ACMEDC -
This is potentially dangerous as this may help the attack of a potential hacker by
giving him extra targets to check for
• Solution : filter incoming traffic to this port
• Risk factor : Low
Warning found on port netbios-ssn (139/tcp)
• The following accounts have passwords which never expire :
Administrator
Passwords should have a limited lifetime
• Solution : disable password non-expiry
• Risk factor : Medium
Warning found on port netbios-ssn (139/tcp)
• The remote host seems to be a Primary Domain Controller or a Backup Domain
Controller.
This can be told by the value of the registry key ProductType under
HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
This knowledge may be of some use to an attacker and help him to focus his attack on
this host.
• Solution : filter the traffic going to this port
• Risk factor : Low
CVE : CAN-1999-0659
Information found on port netbios-ssn (139/tcp)
• It was possible to log into the remote host using the following login/password
combinations
'guest'/''
It was possible to log into the remote host using a NULL session. The concept of a
NULL session is to provide a null username and a null password, which grants the
user 'guest' access. To prevent null sessions, see MS KB Article Q143474 (NT 4.0)
and Q246261 (Windows 2000). Note that this won't completely disable null sessions,
but will prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
The remote host defaults to guest when a user logs in using an invalid login.
• CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
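The remote registry finding and the NULL session finding above (both for 192.168.199.70) come down to two groups of settings: the ACL and AllowedPaths list under the winreg key, and the LSA RestrictAnonymous values that the cited KB articles (Q143474, Q246261) describe. The following PowerShell script is an added example, not part of the original report or of the scanner output; it reads both groups of settings on the local host and can apply the restriction the report recommends. The function names, the variable names and the AllowedPaths entry it writes are our own assumptions, not values from the report.

```powershell
# Added example (not from the report): audit and restrict remote registry access
# and anonymous (NULL session) enumeration on the local host.
# Requires an elevated PowerShell session.

$WinregKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$AllowedKey = "$WinregKey\AllowedPaths"
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RemoteRegistryExposure {
    # Reports whether the winreg key exists, who is allowed to open it (that is,
    # who may connect to the remote registry at all) and which paths stay
    # browsable to non-administrators through AllowedPaths\Machine.
    $result = [ordered]@{
        WinregKeyPresent    = Test-Path $WinregKey
        AllowedOnWinreg     = @()
        AllowedMachinePaths = @()
    }
    if ($result.WinregKeyPresent) {
        $acl = Get-Acl -Path $WinregKey
        $result.AllowedOnWinreg = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
    }
    if (Test-Path $AllowedKey) {
        $machine = (Get-ItemProperty -Path $AllowedKey -Name Machine -ErrorAction SilentlyContinue).Machine
        if ($machine) { $result.AllowedMachinePaths = @($machine) }
    }
    [pscustomobject]$result
}

function Get-AnonymousAccessSettings {
    # RestrictAnonymous = 0 (or absent) means anonymous enumeration of accounts
    # and shares is permitted, which is what the NULL session finding exercised.
    $props = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        RestrictAnonymous         = $props.RestrictAnonymous
        RestrictAnonymousSAM      = $props.RestrictAnonymousSAM
        EveryoneIncludesAnonymous = $props.EveryoneIncludesAnonymous
    }
}

function Set-RemoteRegistryRestriction {
    param(
        # Paths non-administrators may still read remotely. The entry below is a
        # placeholder (assumption); list only what monitoring software needs.
        [string[]]$MachinePaths = @('System\CurrentControlSet\Control\ProductOptions'),
        [switch]$HardenAnonymous
    )
    if (-not (Test-Path $AllowedKey)) { New-Item -Path $AllowedKey -Force | Out-Null }
    # 'Machine' as REG_MULTI_SZ is the value the report tells the reader to create.
    New-ItemProperty -Path $AllowedKey -Name Machine -Value $MachinePaths `
        -PropertyType MultiString -Force | Out-Null
    if ($HardenAnonymous) {
        # 1 stops anonymous account/share enumeration without breaking the
        # down-level trust scenarios that value 2 is known to affect.
        Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous    -Value 1 -Type DWord
        Set-ItemProperty -Path $LsaKey -Name RestrictAnonymousSAM -Value 1 -Type DWord
    }
}

Get-RemoteRegistryExposure  | Format-List
Get-AnonymousAccessSettings | Format-List
```

Run the two Get- functions first and keep their output with the report; apply Set-RemoteRegistryRestriction -HardenAnonymous only after confirming that nothing on the host relies on remote registry reads or anonymous share listing. As the report notes, restricting IPC$ does not make null sessions impossible; filtering TCP 139 and 445 at the network boundary remains the stronger control.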
Information found on port netbios-ssn (139/tcp)
• The following users are in the domain administrator group :
. Administrator
You should make sure that only the proper users are member of this group
• Risk factor : Low
Information found on port unknown (1028/tcp) and (1030/tcp)
• Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
• Solution: filter incoming traffic to this port.
• Risk factor : Low
Warning found on port general/tcp
• The remote host accepts loose source routed IP packets. The feature was designed for
testing purposes. An attacker may use it to circumvent poorly designed IP filtering and
exploit another flaw. However, it is not dangerous by itself.
• Solution: drop source routed packets on this host or on other ingress
routers or firewalls.
• Risk factor : Low
6.2 192.168.199.99
Port Scan
Machine:192.168.199.99
Operating System: Windows 2003 server/windows.NET
Security Status: Good
Protocol  Port  Program        Status
High Level Vulnerabilities
Tcp       135   Epmap          Open
Mid Level Vulnerabilities
Udp       137   Netbios-ns     Open
Tcp       139   netbios-ssn    Open
Tcp       3389  Ms-wbt-server  Open
Tcp       5800  Vnc-http       Open
Icmp      -     General        -
Low Level Vulnerabilities
Tcp       80    Http           Open
Tcp       1024  Kdm            Open
Tcp       1026  Cap            Open
Tcp       1029  Ms-lsa         Open
Tcp       4757  Unknown        Open
Tcp       5900  Vnc            Open
Figure: Open ports on host 192.168.199.99
Figure: Repartition of the level of security problems
Summary
The Machine with the IP address of 192.168.199.99 appears to be a standard Windows Server.
While we were able to find an existing exploit to gain access into the machine, we were unable
to do anything other than gain a user list and a copy of the passwords file. Looking for sensitive
information on this machine we were unable to locate any. Additionally, while this does appear
to be a web server machine, we were unable to find a corresponding website tied to it. In the
future, the client will probably want to apply the appropriate solutions to rectify the situation.
Additionally there is remote access into the server from VNC software. This needs to be
addressed.
High Level Vulnerability Analysis for machine 192.168.199.99
Vulnerability found on port epmap (135/tcp)
• Description of Vulnerability: The remote host is running a version of Windows which
has a flaw in its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one Worm which is currently
exploiting this vulnerability. Namely, the MsBlaster worm.
• Solution: Please download a patch from
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
• Risk factor : High
CVE : CAN-2003-0352
• We could get shell access into this machine using exploit -
windows/dcerpc/ms03_026_dcom and that was via 192.168.199.106:40065 ->
192.168.199.99:1101
• Description of Vulnerability: Microsoft Windows platforms contain a flaw that may
allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM)
interface that does not properly sanitize remote requests.
• Solution: Please download a patch from
http://www.microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en&displaylang=en
Mid Level Vulnerability Analysis for machine 192.168.199.99
Vulnerabilities found on port netbios-ns (137/udp)
• Description of Vulnerability: The following 3 NetBIOS names have been gathered :
WORKMASTER = This is the computer name registered for workstation services by
a WINS client.
ACME = Workgroup / Domain name
ACME = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:02:a5:97:ce:02
• Solution: If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621
Warning found on port ms-wbt-server (3389/tcp)
• Description of Vulnerability: The Terminal Services are enabled on the remote host.
Terminal Services allow a Windows user to remotely obtain a graphical login (and
therefore act as a local user on the remote host). If an attacker gains a valid login and
password, he may be able to use this service to gain further access on the remote
host. An attacker may also use this service to mount a dictionary attack against the
remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol)
is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the
credentials of legitimate users by impersonating the Windows server.
• Solution : Disable the Terminal Services if you do not use them, and do not allow
this service to run across the internet; otherwise a patch can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyId=EFD642EF-95E2-4A99-8FFD-6032D86282A2
• Risk factor : Medium
CVE : CVE-2001-0540
Warning found on port vnc-http (5800/tcp)
• Description of Vulnerability: The remote server is running VNC. VNC permits a
console to be displayed remotely.
• Solution: Disable VNC access from the network by using a firewall, or stop VNC
service if not needed.
• Risk factor : Medium
Low Level Vulnerability Analysis for machine 192.168.199.99
Warning found on port epmap (135/tcp)
• Description of Vulnerability: Distributed Computing Environment (DCE) services
running on the remote host can be enumerated by connecting on port 135 and doing
the appropriate queries. An attacker may use this fact to gain more knowledge about
the remote host.
• Solution: filter incoming traffic to this port.
• Risk factor : Low
Warning found on port netbios-ssn (139/tcp)
• Description of Vulnerability: A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process, rendering the system
unstable. If you see that this attack was successful, have a look at this page
http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
• CVE: CVE-1999-0980
Information found on port cap (1026/tcp) (1029/tcp) and (4757/tcp)
• Description of Vulnerability: Distributed Computing Environment (DCE) services
running on the remote host can be enumerated by connecting on port 135 and doing
the appropriate queries. An attacker may use this fact to gain more knowledge about
the remote host.
• Solution: filter incoming traffic to this port.
• Risk factor : Low
Information found on port vnc (5900/tcp)
• Description: The remote server is running VNC, software which permits a console to
be displayed remotely. This allows users to control the host
remotely.
• Solution: Make sure the use of this software is done in accordance with your
corporate security policy and filter incoming traffic to this port.
Vulnerability found on MS-LSA
• The Windows Local Security Authority Service Server (LSASS) contains a
vulnerability that may permit an attacker to completely compromise the system.
More information at http://www.kb.cert.org/vuls/id/753212. Microsoft notes that
while the vulnerability exists in Windows Server 2003, it could only be exploited by a
local administrator.
• Solution: Patch can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF-453E-AE7E-7495864E8D8C&displaylang=en
6.3 192.168.199.106
Port Scan
Machine:192.168.199.106
Operating System: Linux 2.6.30.9
Protocol  Port  Program        Status
High Level Vulnerabilities
Tcp       445   Microsoft-ds   Open
Tcp       -     General        Open
Mid Level Vulnerabilities
Tcp       1241  Nessus         Open
Tcp       139   Netbios-ssn    Open
Udp       137   Netbios-ns     Open
Low Level Vulnerabilities
Tcp       22    Ssh            Open
Figure: Open ports on host 192.168.199.106
Repartition of the level of security problems
Summary
Many of the problems with the .106 machine are listed above. However, this Linux box is primed with a
large array of penetration testing tools. Again we would question the need to have this kind of software
on the computer. The machine itself suffers from weak passwords and open shares.
Critical Issues
• Easy login username and password
Upon learning that Harry Potter is one of the administrators, it was quite easy to
guess the username "hpotter" and the password "Hogwarts" with simple research.
• Improper configuration of the file "sudoers", which gives any user access equal to the
root user
With the sudo -s command, it is possible for the "hpotter" user to access files
such as:
/etc/security/access.conf, where the login access for any user can be
modified.
/etc/shadow and /etc/passwd, where the password and details of any user
could be accessed and modified. For example, changing the user id and
group id to '0' would turn any user into the superuser, or the password
of any user could be deleted.
Any kind of software program could be installed on the system.
High Level Vulnerabilities Analysis for 192.168.199.106
Vulnerability found on port microsoft-ds (445/tcp)
• The attacker can use this port to list all the users and for sharing files and folders over the network.
It was possible to log into the remote host using a NULL session. The concept of a NULL session
is to provide a null username and a null password, which grants the user the 'guest' access.
• It was possible to log into the remote host using the following
login/password combinations :
'administrator'/''
'administrator'/'administrator'
'guest'/''
'guest'/'guest'
• CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
• Solution: This port should be turned off or filtered if needed.
Mid-level Vulnerabilities Analysis for 192.168.199.106
Warning found on port netbios-ns (137/udp)
• The following 7 NetBIOS names have been gathered :
BT = This is the computer name registered for workstation services by a WINS client.
BT = This is the current logged in user registered for this workstation.
BT = Computer name
__MSBROWSE__
WORKGROUP
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
WORKGROUP = Workgroup / Domain name
• This SMB server seems to be a SAMBA server (this is not a security risk; this is just for
information). This can be told because this server claims to have a null MAC address
• If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621
Low Level Vulnerabilities Analysis for 192.168.199.106
Warning found on port microsoft-ds (445/tcp)
• Here is the browse list of the remote host :
BT -
This is potentially dangerous as this may help the attack of a potential hacker by giving him extra targets to check for
• Solution: filter incoming traffic to this port
• Risk factor : Low
Warning found on port microsoft-ds (445/tcp)
• The host Security Identifier (SID) can be obtained remotely. Its value is :
BT : 5-21-417406534--924645799--698956383
An attacker can use it to obtain the list of the local users of this host
• Solution : filter the ports 137-139 and 445
• Risk factor : Low
CVE : CVE-2000-1200
6.4 192.168.199.222
Port Scan
Machine:192.168.199.222
Operating System: Windows 2003 Server / Windows .NET
Security Status: Good
Protocol  Port  Program        Status
High Level Vulnerabilities
Tcp       912   Apex-mesh      Open
Tcp       -     General        -
Mid Level Vulnerabilities
Tcp       3389  Ms-wbt-server  Open
Low Level Vulnerabilities
Tcp       902   Ideafarm-chat  Open
Tcp       8222  Unknown        Open
Tcp       8333  Unknown        Open
Udp       0     General        -
Figure: Open ports on host 192.168.199.222
Figure: Repartition of the level of security problems
Summary
This machine was for the most part hard to get any information out of. As a matter of fact, we
were only able to gain access to this machine on one night. This machine appears to be running a
mail server as well as VMware. When we did have access we did notice that there were large
amounts of entertainment software installed. These should be removed due to the unintended
side effects that having them can have with both malware and viruses.
High Level Vulnerabilities Analysis for Machine 192.168.199.222
Vulnerability found on port apex-mesh (912/tcp)
• Description of Vulnerability: It was possible to perform a denial of service against the
remote Interscan SMTP server by sending it a special long HELO command. This
problem allows an attacker to prevent your Interscan SMTP server from handling
requests.
• Solution: contact your vendor for a patch.
• Risk factor : High
• CVE : CAN-1999-1529
Mid Level Vulnerabilities Analysis for Machine 192.168.199.222
Warning found on port ms-wbt-server (3389/tcp)
• Description of Vulnerability: The Terminal Services are enabled on the remote
host. Terminal Services allow a Windows user to remotely obtain a graphical login (and
therefore act as a local user on the remote host). If an attacker gains a valid login and
password, he may be able to use this service to gain further access on the remote host. An
attacker may also use this service to mount a dictionary attack against the remote host to
try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to
man-in-the-middle attacks, making it easy for attackers to steal the credentials of
legitimate users by impersonating the Windows server.
• Solution : Disable the Terminal Services if you do not use them, and do not allow this
service to run across the internet
• Risk factor : Medium
• CVE : CVE-2001-0540
Warning found on port apex-mesh (912/tcp)
• Description of Vulnerability: This SMTP server is running on a non standard port. This
might be a backdoor set up by crackers to send spam or even control your machine.
• Solution: Check and clean your configuration
• Risk factor : Medium
Low Level Vulnerabilities Analysis for Machine 192.168.199.222
Information found on port ideafarm-chat (902/tcp)
• A VMWare authentication daemon is running on this port:
220 VMware Authentication Daemon Version 1.10: SSL Required,
ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
Information found on port ideafarm-chat (902/tcp)
• A SMTP server is running on this port
Nessus ID : 14773
Information found on port ideafarm-chat (902/tcp)
• Description of Vulnerability: According to its banner, the remote host appears to be
running a VMware server authentication daemon, which likely indicates the remote host
is running VMware ESX or GSX Server. See also : http://www.vmware.com/
• Risk factor : None
Information found on port apex-mesh (912/tcp)
• Description of Vulnerability: A VMWare authentication daemon is running on this
port: 220 VMware Authentication Daemon Version 1.0, ServerDaemonProtocol:SOAP,
MKSDisplayProtocol:VNC ,
Information found on port apex-mesh (912/tcp)
• The SMTP server on this port answered with a 530 code to HELO requests. This means
that it is unavailable because the OpenVAS server IP is not authorized or blacklisted, or
that the hostname is not consistent with the IP.
6.5 192.168.199.230
Port Scan
Machine: 192.168.199.230
Operating System: Windows 2003 Server /Windows .NET
Security Status : Good
Protocol  Port  Program        Status
High Level Vulnerabilities
Tcp       135   Epmap          Open
Tcp       139   Netbios-ssn    Open
Tcp       445   Microsoft-ds   Open
Mid Level Vulnerabilities
Icmp      -     general        Open
Tcp       -     general        Open
Udp       137   netbios-ns     Open
Low Level Vulnerabilities
Tcp       1030  Iad1           Open
Udp       1031  Iad2           Open
Udp       -     General        Open
Figure: Repartition of the level of security problems
Summary
The 192.168.199.230 machine seems to be fairly secure. When we were able to access the
machine, we did not find much other than the typical weak user passwords.
High Level Vulnerabilities Analysis of 192.168.199.230
Vulnerability found on port epmap (135/tcp)
• The remote host is running a version of Windows which has a flaw in its RPC interface
which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.
• Solution: Please check this link
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
• Risk factor : High
• CVE : CAN-2003-0352
Vulnerability found on port netbios-ssn (139/tcp)
• It was possible to crash the remote host using the 'rfparalyze' denial of service attack.
• Solution: contact Microsoft for a patch. Meanwhile, filter incoming tcp connections to
this port
• Risk factor : High
Vulnerability found on port microsoft-ds (445/tcp)
• The remote Windows 2000 does not have the Service Pack 4 applied. It uses Service
Pack 1 instead.
• Risk factor : High
• Solution: Please update the service pack and check this link
http://www.microsoft.com/windows2000/downloads/
CVE : CAN-1999-0662
Vulnerability found on port microsoft-ds (445/tcp)
• The following registry keys are writeable by users who are not in
the admin group :
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
These keys contain the name of the program that shall be started when the
computer starts. The users who have the right to modify them can easily
make the admin run a trojan program which will give them admin privileges.
• Solution: use regedt32 and set the permissions of this key to :
- Admin group : Full Control
- System : Full Control
- Everyone : Read
• Make sure that 'Power Users' do not have any special privilege for this key.
• Risk factor : High
CVE : CAN-1999-0589
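The scanner reported the same weakness three times in this report: the AeDebug and Winlogon keys on 192.168.199.70 and the Run key on 192.168.199.230 were writeable by users outside the Administrators group, and the recommended fix each time is the same ACL (Administrators and SYSTEM Full Control, Everyone Read, nothing special for Power Users). The PowerShell below is an added example, not code from the report or from the scanner; it audits those three keys for write-capable entries held by anyone other than an expected set of principals and can apply the recommended ACL to a key. The list of trusted principals and the function names are assumptions to adjust for your environment.

```powershell
# Added example (not from the report): find non-administrator write access on
# autostart-related registry keys and reset a key to the ACL the report prescribes.
# Run elevated. The first function only reports; nothing changes until you call
# Set-RecommendedKeyAcl on a key you have reviewed.

$SensitiveKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Principals expected to hold write rights (assumption; extend as needed).
# Power Users are deliberately not in this list, matching the report's advice.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets the holder change what the key points at.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership'

function Find-UntrustedRegistryWriters {
    param([string[]]$Keys = $SensitiveKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            $canWrite = ($ace.RegistryRights -band $WriteMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $TrustedWriters -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Key       = $key
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited   # inherited ACEs come from the parent key
                }
            }
        }
    }
}

function Set-RecommendedKeyAcl {
    # Replace the key's DACL with Administrators/SYSTEM Full Control and
    # Everyone Read, and stop inheriting looser entries from the parent.
    param([Parameter(Mandatory)][string]$Key)
    $acl = Get-Acl -Path $Key
    $acl.SetAccessRuleProtection($true, $false)            # protect, drop inherited ACEs
    foreach ($existing in @($acl.Access)) { $acl.RemoveAccessRule($existing) | Out-Null }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('Everyone',               'ReadKey')
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $r[0], $r[1], $inherit, $propagate, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Key -AclObject $acl
}

$findings = Find-UntrustedRegistryWriters
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No untrusted writers on the checked keys.' }
# After reviewing the output, remediate one key at a time, for example:
# Set-RecommendedKeyAcl -Key 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
```

Review the Inherited column before remediating: an ACE inherited from HKLM\SOFTWARE means the parent key is the real problem, and tightening only the child leaves every sibling autostart key exposed. On current Windows releases TrustedInstaller also holds write rights on many keys, which is why it is in the trusted list.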
Vulnerability found on port microsoft-ds (445/tcp)
• Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files.
Impact of vulnerability: Information Disclosure
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
• Reference: http://www.microsoft.com/technet/security/bulletin/ms02-009.mspx
and: Microsoft Article Q319847 MS02-009 May Cause Incompatibility Problems
Between VBScript and Third-Party Applications
• Risk factor : High
CVE : CVE-2002-0052
Vulnerability found on port microsoft-ds (445/tcp)
• The remote Windows host has an ASN.1 library which is vulnerable to a flaw which
could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an
attacker would need to send a specially crafted ASN.1 encoded packet with improperly
advertised lengths. This particular check sent a malformed NTLM packet and determined
that the remote host is not patched.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
• Risk factor : High
CVE : CAN-2003-0818
Vulnerability found on port microsoft-ds (445/tcp)
• User 'administrator' has NO password !
• The password of 'Dumbledore' is 'Dumbledore' !
• CVE : CAN-1999-0504, CAN-1999-0506
Vulnerability found on port microsoft-ds (445/tcp)
• The following shares can be accessed as Dumbledore:
- system32 - (readable?)
• Solution : To restrict their access under Windows NT, open the Explorer, right-click
on each share, go to the 'Sharing' tab, and click on 'Permissions'
• Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
Vulnerability found on port microsoft-ds (445/tcp)
• The remote host is vulnerable to a flaw in the Windows Script Engine, which provides
Windows with the ability to execute script code. To exploit this flaw, an attacker would
need to lure a user on this host to visit a rogue website or to send him an HTML e-mail
with a malicious code in it.
• Solution : Please download the patch from
http://www.microsoft.com/technet/security/bulletin/ms03-008.mspx
• Risk factor : Medium
CVE : CAN-2003-0010
Vulnerability found on port microsoft-ds (445/tcp)
• The account 'administrator'/'' is valid. The worm W32/Deloder may use it to break into
the remote host and upload infected data in the remote shares. See also : CERT advisory
CA-2003-08
• Solution : Change your administrator password to a stronger one
• Risk factor : High
Vulnerability found on port microsoft-ds (445/tcp)
• It seems that it was possible to crash the remote Windows host remotely by sending a specially
crafted packet. An attacker may use this flaw to prevent this host from working properly.
This attack is known as SMBDie.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx
• Risk factor : High
CVE : CAN-2002-0724
Mid Level Vulnerabilities Analysis of Machine 192.168.199.230
Warning found on port microsoft-ds (445/tcp)
• The host SID could be used to enumerate the names of the local users of this host. This
gives extra knowledge to an attacker, which is not a good thing :
- Administrator account name : administrator (id 500)
- Guest account name : Guest (id 501)
- smas (id 1001)
- GORKHALI (id 1002)
- kechasolti (id 1004)
- ser (id 1005)
- aman (id 1007)
- barcelona (id 1008)
- Severus.Snape (id 1009)
- Dumbledore (id 1011)
- Morpheus (id 1013)
- hack (id 1017)
- Nepali (id 1018)
- ksr (id 1019)
• Risk factor : Medium
• Solution : filter incoming connections to this port
CVE : CVE-2000-1200
Warning found on port microsoft-ds (445/tcp)
• The list of the SMB shares of this host could be obtained :
system32 -
IPC$ - Remote IPC
ADMIN$ - Remote Admin
C$ - Default share
This is potentially dangerous as this may help the attack of a potential hacker.
• Solution : filter incoming traffic to this port
• Risk factor : Medium
Warning found on port microsoft-ds (445/tcp)
• The following local accounts have passwords which never expire :
administrator, aman, and Severus.Snape. Passwords should have a limited lifetime
• Solution : disable password non-expiry
• Risk factor : Medium
Warning found on port netbios-ns (137/udp)
• The following 6 NetBIOS names have been gathered :
ACME-W2K-01 = This is the computer name registered for workstation services by a
WINS client.
ACME = Workgroup / Domain name
ACME-W2K-01 = This is the current logged in user registered for this workstation.
ACME-W2K-01 = Computer name
ACME-W2K-01$ = This is the current logged in user registered for this workstation.
ACME = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:03:ff:96:ce:02.
• Solution: If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621
Low Level Vulnerabilities Analysis of Machine 192.168.199.230
Information found on port netbios-ssn (139/tcp)
• An SMB server is running on this port
Information found on port microsoft-ds (445/tcp)
• A CIFS server is running on this port
Information found on port microsoft-ds (445/tcp)
• The following shares can be accessed as administrator :
- C$
- arcldr.exe
- arcsetup.exe
- ASmith
- AUTOEXEC.BAT
- boot.ini
- cd
- CONFIG.SYS
- Documents and Settings
- IO.SYS
- MSDOS.SYS
- net
- NTDETECT.COM
- ntldr
- pagefile.sys
- Program Files
- RECYCLER
- System Volume Information
- WINNT
- ADMIN$
- system32
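Share exposure recurs through the report: the shares reachable as hpotter on 192.168.199.70, the system32 share readable as Dumbledore on 192.168.199.230, and the contents of C$ listed above. The report's fix is to set share permissions by hand in Explorer; the PowerShell below is an added example, not part of the report, that does the corresponding audit on a current Windows host with the SmbShare module (Windows 8 / Server 2012 and later): every share, every principal on its share-level ACL, and a flag for the combinations a reviewer would question. The list of "broad" principals and the function names are assumptions.

```powershell
# Added example (not from the report): enumerate SMB shares on the local host
# together with their share-level permissions and flag risky entries.
# Requires the SmbShare module (built in on Windows 8 / Server 2012 and later).

# Principals whose presence on a share ACL effectively means "everyone on the
# network" (assumption; adjust for your environment).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'ANONYMOUS LOGON')

function Get-ShareExposure {
    # One row per (share, principal) pair. Special = $true marks the
    # administrative defaults (C$, ADMIN$, IPC$) the scanner also listed.
    foreach ($share in Get-SmbShare) {
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            $allow   = $entry.AccessControlType -eq 'Allow'
            $broad   = $BroadPrincipals -contains $entry.AccountName
            $concern = ''
            if ($allow -and $entry.AccountName -eq 'ANONYMOUS LOGON') {
                $concern = 'reachable by null session'
            } elseif ($allow -and $broad -and $entry.AccessRight -ne 'Read') {
                $concern = 'broad write access'             # Full or Change for everyone
            } elseif ($allow -and $share.Special -and $entry.AccountName -notlike '*Administrators') {
                $concern = 'non-admin on admin share'       # e.g. a user on C$ or ADMIN$
            } elseif ($allow -and $broad -and -not $share.Special) {
                $concern = 'readable by broad group'        # what the browse-list findings exploit
            }
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Special   = $share.Special
                Principal = $entry.AccountName
                Right     = $entry.AccessRight              # Full, Change, Read or Custom
                Type      = $entry.AccessControlType
                Concern   = $concern
            }
        }
    }
}

function Restrict-ShareToAdministrators {
    # Remove the Everyone entry from one share and make sure Administrators keep
    # Full access. NTFS permissions on the folder still apply on top of this.
    param([Parameter(Mandatory)][string]$ShareName)
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force
    Grant-SmbShareAccess  -Name $ShareName -AccountName 'BUILTIN\Administrators' -AccessRight Full -Force
}

# Show only the rows that need a decision.
Get-ShareExposure | Where-Object { $_.Concern } | Format-Table -AutoSize
# Example remediation after review (assumed share name):
# Restrict-ShareToAdministrators -ShareName 'ftproot'
```

Share-level permissions are the coarser of the two layers; a share that shows "readable by broad group" may still be protected by NTFS ACLs on the folder, and an administrative share that is reachable by a weak administrator password (the 'administrator'/'' case on 192.168.199.230) is not fixed by any share ACL. Treat the output as a worklist, not a verdict.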
Information found on port iad1 (1030/tcp)
• Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:192.168.199.230[1030]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:192.168.199.230[1030]
• Solution: filter incoming traffic to this port.
• Risk factor: Low
Information found on port iad2 (1031/udp)
• Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this port:
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:192.168.199.230[1031]
Annotation: Messenger Service
Named pipe : ntsvcs
Win32 service or process : messenger
• Description : Messenger service
• Solution: filter incoming traffic to this port.
• Risk factor : Low
Warning found on port microsoft-ds (445/tcp)
• The following local accounts have never changed their password :
- administrator
- Guest
- Smas
- GORKHALI
- Kechasolti
- ser
- Aman
- Barcelona
- Severus.Snape
- Dumbledore
- Morpheus
- hack
- Nepali
- ksr
• To minimize the risk of break-in, users should change their password regularly
Warning found on port microsoft-ds (445/tcp)
• The remote host is running a version of the shlwapi.dll which crashes when processing a
malformed HTML form. An attacker may use this flaw to prevent the users of this host
from working properly. To exploit this flaw, an attacker would need to send a malformed
HTML file to the remote user, either by e-mail or by making him visit a rogue web site.
• Solution : None
• Risk factor : Low
Warning found on port general/icmp
• The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine. This may help him to defeat all your time
based authentication protocols.
• Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
• Risk factor : Low
Warning found on port microsoft-ds (445/tcp)
• The registry key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
is non-null. It means that the remote host locally caches the passwords of the users when
they log in, in order to continue to allow the users to log in in the case of the failure of the
PDC.
• Solution : use regedt32 and set the value of this key to 0
• Risk factor : Low
Warning found on port microsoft-ds (445/tcp)
• The remote registry can be accessed remotely using the login / password
combination used for the SMB tests. Having the registry accessible to the world is not a
good thing as it gives extra knowledge to a hacker.
• Solution: Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators. In addition to this, you should
consider filtering incoming packets to this port.
• Risk factor : Low
CVE : CAN-1999-0562
Warning found on port microsoft-ds (445/tcp)
• The domain SID can be obtained remotely. Its value is :
ACME : 5-21--1552363205--155084131--731358600
An attacker can use it to obtain the list of the local users of this host
• Solution : filter the ports 137 to 139 and 445
• Risk factor : Low
CVE : CVE-2000-1200
6.6 192.168.199.232
Port Scan
Machine: 192.168.199.232
Operating System: Windows 2003 Server /Windows .NET
Security Status : Good
Protocol   Port      Program        Status
High Level Vulnerabilities
Tcp        445       Microsoft-ds   Open
Mid Level Vulnerabilities
Udp        137       Netbios-ns     Open
Icmp       general                  Open
Tcp        139       netbios-ssn    Open
Low Level Vulnerabilities
Tcp        5000      Complex-main   Open
Repartition of the level of security problems:
Summary
This machine was easily exploitable. One of the larger concerns was that there is a copy of CAIN,
a password cracking software, on this machine, complete with a list of user IDs that we were
able to gain access to.
High Level Vulnerabilities Analysis of 192.168.199.232
Vulnerability found on port microsoft-ds (445/tcp)
• Description of Vulnerability: It was possible to log into the remote host using the
following login/password combinations :
'administrator'/''
'administrator'/'administrator'
'guest'/''
'guest'/'guest'
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
o To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000). Note that this won't completely disable null sessions,
but will prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
The remote host defaults to guest when a user logs in using an invalid
login. All the smb tests will be done as 'hpotter'/'****' in domain HOME
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
Vulnerability found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The remote Windows host has an ASN.1 library which is
vulnerable to a flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.
• Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
• Risk factor : High
Mid Level Vulnerabilities Analysis of Machine 192.168.199.232
Warning found on port netbios-ssn (139/tcp)
• Description of Vulnerability: A 'rfpoison' packet has been sent to the remote host. This
packet is supposed to crash the 'services.exe' process, rendering the system instable. If
you see that this attack was successful, have a look at this page :
http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
CVE : CVE-1999-0980
Warning found on port netbios-ns (137/udp)
• Description of Vulnerability: The following 8 NetBIOS names have been gathered :
HERMIONE = This is the computer name registered for workstation services by a WINS
client.
HOME = Workgroup / Domain name
HERMIONE = This is the current logged in user registered for this workstation.
HERMIONE = Computer name
HOME = Workgroup / Domain name (part of the Browser elections)
DADDY = This is the current logged in user registered for this workstation.
HOME __MSBROWSE__
• The remote host has the following MAC address on its adapter: 00:02:b3:27:8e:ff
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
• Risk factor : Medium
CVE : CAN-1999-0621
Warning found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The remote registry can be accessed remotely using the
login / password combination used for the SMB tests. Having the registry accessible to
the world is not a good thing as it gives extra knowledge to a hacker.
• Solution: Apply service pack 3 if not done already, and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
• In addition to this, you should consider filtering incoming packets to this
port.
• Risk factor : Low
CVE : CAN-1999-0562
Warning found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The host Security Identifier (SID) can be obtained remotely.
Its value is :HERMIONE : 5-21-57989841-152049171-854245398
An attacker can use it to obtain the list of the local users of this host
• Solution : filter the ports 137-139 and 445
• Risk factor : Low
CVE : CVE-2000-1200
Warning found on port microsoft-ds (445/tcp)
• Description of Vulnerability: The host SID could be used to enumerate the names of the
local users of this host. We only enumerated user names whose ID is between 1000 and
1200 for performance reasons. This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator (id 500)
- Guest account name : Guest (id 501)
- HelpAssistant (id 1000)
- HelpServicesGroup (id 1001)
- SUPPORT_388945a0 (id 1002)
- Daddy (id 1003)
- hpotter (id 1006)
- SQLExecutiveCmdExec (id 1007)
- everest1 (id 1008)
- backtrack1 (id 1009)
- services (id 1010)
- admn (id 1011)
- admin (id 1012)
- ksr (id 1013)
• Risk factor : Medium
• Solution : filter incoming connections to this port
CVE : CVE-2000-1200
Warning found on port general/icmp
• Description of Vulnerability: The remote host answers to an ICMP timestamp request.
This allows an attacker to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
• Solution: filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
• Risk factor : Low
CVE : CAN-1999-0524
Warning found on port general/tcp
• Description of Vulnerability: The remote host accepts loose source routed IP packets.
The feature was designed for testing purpose. An attacker may use it to circumvent
poorly designed IP filtering and exploit another flaw. However, it is not dangerous by
itself.
• Solution: drop source routed packets on this host or on other ingress
routers or firewalls.
• Risk factor : Low
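The CachedLogonsCount, remote registry (SecurePipeServers\Winreg), null session and source routed packet findings for both hosts come down to a handful of registry settings that can be verified without re-running the scanner. The script below is an added example and is not part of this report or of the Nessus plugins quoted above: it audits the text of a `reg export` file, taken on the host and checked offline, against those settings. Both embedded exports are constructed samples. CachedLogonsCount and the Winreg key are named in the findings; RestrictAnonymous under Control\Lsa (the value the KB articles Q143474/Q246261 cited above describe) and DisableIPSourceRouting under Services\Tcpip\Parameters (2 = drop all source routed packets) are assumed baseline settings added here, and the thresholds are the script's choice, not values the report states.

```python
import re

# Constructed sample exports (not data from the report): the first reflects the
# defaults the findings describe, the second the hardened state.
WEAK_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableIPSourceRouting"=dword:00000000
'''

HARDENED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableIPSourceRouting"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Description"="Registry Server"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw):
    """Decode the right-hand side of a .reg value line (REG_SZ and REG_DWORD only)."""
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)      # dword data is written in hex
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw                                    # hex:/multi-string data left as-is


def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: value}}.

    Key paths and value names are lower-cased because registry lookups are
    case-insensitive. Default values (@=...) are not needed here and are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = _decode_value(m.group(2))
    return keys


WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
LSA = r'hkey_local_machine\system\currentcontrolset\control\lsa'
TCPIP = r'hkey_local_machine\system\currentcontrolset\services\tcpip\parameters'
WINREG = r'hkey_local_machine\system\currentcontrolset\control\securepipeservers\winreg'


def audit_export(text):
    """Return (setting, observed, expected) for every hardening check that fails."""
    keys = parse_reg_export(text)

    def value(key, name):
        return keys.get(key, {}).get(name.lower())

    failures = []
    # CachedLogonsCount is REG_SZ; an absent value means the default of 10 cached logons.
    cached = value(WINLOGON, 'CachedLogonsCount')
    if cached != '0':
        failures.append(('CachedLogonsCount', cached, '0'))
    # RestrictAnonymous (assumed baseline): 0 leaves null-session enumeration open.
    ra = value(LSA, 'RestrictAnonymous')
    if not isinstance(ra, int) or ra < 1:
        failures.append(('RestrictAnonymous', ra, '>= 1'))
    # DisableIPSourceRouting (assumed baseline): 2 drops all source-routed packets.
    sr = value(TCPIP, 'DisableIPSourceRouting')
    if sr != 2:
        failures.append(('DisableIPSourceRouting', sr, '2'))
    # Presence of the winreg key is what enables remote-registry restriction;
    # its ACL and AllowedPaths are not carried in a .reg export (see note below).
    if WINREG not in keys:
        failures.append(('SecurePipeServers\\winreg', 'missing', 'present'))
    return failures


if __name__ == '__main__':
    for label, export in (('weak', WEAK_EXPORT), ('hardened', HARDENED_EXPORT)):
        print(label, audit_export(export) or 'all checks passed')
```

The Winreg check is deliberately the weakest of the four: a `.reg` export records values but not the key's permissions, and it is the ACL on that key (plus its AllowedPaths subkeys) that actually restricts who may read the registry remotely, so that part still has to be confirmed with the registry editor's permissions dialog on the host.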
Low Level Vulnerabilities Analysis of Machine 192.168.199.232
Information found on port netbios-ssn (139/tcp)
• An SMB server is running on this port
Conclusion
After reviewing all of the information that we were able to gather, we have determined that a
good deal of work needs to be done to protect this system. While some of the more basic
steps, such as implementing a password security policy and closing some ports, should be taken,
we feel the bigger risk lies with some of the users on the network, whose activities should be
followed to be sure that they are not trying to use some of these same vulnerabilities to do
damage to your network and your information from the inside. With some simple follow-up and
monitoring, we are confident that you will have the network locked down to meet the
specifications of your security policy.
References
These links were found to be very useful during our reconnaissance and documentation phase:
http://www.offensive-security.com/metasploit-unleashed/Fast-Track-Updates
http://svn.secmaniac.com/fasttrack/fast-track.py
http://support.microsoft.com/?kbid=823980#Win2003
http://www.microsoft.com/technet/security/bulletin/ms05-041.mspx
http://www.kb.cert.org/vuls/id/753212
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.kb.cert.org/vuls/id/568148
http://www.microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en
http://www.cert.org/current/services_ports.html
http://searchenterprisedesktop.techtarget.com/sDefinition/0,,sid192_gci212632,00.html
http://www.speedguide.net/port.php?port=139
http://www.linuxquestions.org/questions/linux-security-4/what-is-microsoft-ds-176826/
http://www.petri.co.il/whats_port_445_in_w2k_xp_2003.htm
Penetration Testing Log
These are the unedited logs of testing times and some of the items that were tested. These are
provided as a reference against your internal logs to see what on your end may be being detected.
hpotter@bt:~$ sudo -s
[sudo] password for hpotter:
root@bt:~# nano /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
messagebus:x:104:113::/var/run/dbus:/bin/false
avahi:x:105:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lLct4nArWt5IcQmgPENd0G6qkwaUjM1:14718:0:99999:7:::
backtrack:$6$Sp2wiv.C$GQoVFJ/W/Rmeon.QFpSTqpH1aIm8zjT/Az2CXBgpOVYTmPgCdSEpJNYf395UuuLXvcdCrwCyY2JDBRdzOQnuV/:14712:0:99999:7:::
root@bt:~# nano /etc/security/access.conf
# Login access control table.
#
# Comment line must start with "#", no space at front.
# Order of lines is important.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
# module, you can change the field separation character to be
# '|'. This is useful for configurations where you are trying to use
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
#
# You can use @netgroupname in host or user patterns; this even works
# for @usergroup@@hostgroup patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
root@bt:~# nmap -O 192.168.199.1-254
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-21 18:34 EDT
Nmap scan report for my.firewall (192.168.199.1)
Host is up (0.0088s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp filtered domain
80/tcp open http
264/tcp open bgmp
443/tcp open https
981/tcp open unknown
MAC Address: 00:08:DA:70:AB:75 (SofaWare Technologies)
Device type: firewall
Running: Check Point Linux 2.4.X
OS details: Check Point VPN-1 UTM appliance
Network Distance: 1 hop
Nmap scan report for 192.168.199.24
Host is up (0.27s latency).
All 1000 scanned ports on 192.168.199.24 are closed
MAC Address: 00:0C:29:B9:69:E2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Minix 3.X
OS details: Minix 3.1.2a
Network Distance: 1 hop
Nmap scan report for 192.168.199.70
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
MAC Address: 00:0C:29:C7:26:B9 (VMware)
Device type: general purpose
Running: Microsoft Windows NT
OS details: Microsoft Windows NT 4.0 SP5 - SP6a
Network Distance: 1 hop
Nmap scan report for 192.168.199.99
Host is up (0.00016s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
1024/tcp open kdm
1025/tcp open NFS-or-IIS
1030/tcp open iad1
3389/tcp open ms-term-serv
5800/tcp open vnc-http
5900/tcp open vnc
MAC Address: 00:02:A5:97:CE:02 (Hewlett Packard)
Device type: general purpose
Running: Microsoft Windows 2000|XP|2003
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2
Network Distance: 1 hop
Nmap scan report for 192.168.199.106
Host is up (0.000015s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.30
Network Distance: 0 hops
Nmap scan report for 192.168.199.222
Host is up (0.00022s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
902/tcp open iss-realsecure
912/tcp open unknown
3389/tcp open ms-term-serv
8222/tcp open unknown
8333/tcp open unknown
MAC Address: 00:08:02:90:D2:95 (Hewlett Packard)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows Server 2003 SP2
Network Distance: 1 hop
Nmap scan report for 192.168.199.232
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
5000/tcp open upnp
MAC Address: 00:02:B3:27:8E:FF (Intel)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 254 IP addresses (7 hosts up) scanned in 28.77 seconds
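The scan log above is the artifact the client is asked to compare against their own logs, and it is also the quickest way to re-check the "filter incoming traffic to this port" recommendations once filtering is in place. The script below is an added example, not part of the report: it parses nmap's normal output into per-host records and lists, for each host, which NetBIOS/SMB ports (137/udp, 139/tcp, 445/tcp) or remote console ports (3389/tcp, 5900/tcp) are still open. The sample text is a shortened excerpt of the scan log above; the watched port set is the script's choice, not a list from the report.

```python
import re

# Shortened excerpt of the nmap -O run recorded in the log above (three hosts kept).
SAMPLE_SCAN = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-21 18:34 EDT
Nmap scan report for my.firewall (192.168.199.1)
Host is up (0.0088s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
53/tcp  filtered domain
443/tcp open     https
MAC Address: 00:08:DA:70:AB:75 (SofaWare Technologies)
OS details: Check Point VPN-1 UTM appliance

Nmap scan report for 192.168.199.99
Host is up (0.00016s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
1030/tcp open  iad1
3389/tcp open  ms-term-serv
5800/tcp open  vnc-http
5900/tcp open  vnc
MAC Address: 00:02:A5:97:CE:02 (Hewlett Packard)
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2

Nmap scan report for 192.168.199.232
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
5000/tcp open  upnp
MAC Address: 00:02:B3:27:8E:FF (Intel)
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1

Nmap done: 254 IP addresses (3 hosts up) scanned in 28.77 seconds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
REPORT_RE = re.compile(
    r'^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$')
# "139/tcp  open  netbios-ssn"
PORT_RE = re.compile(r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)')


def parse_nmap_normal(text):
    """Turn nmap normal output into a list of host dicts.

    Each dict has 'name', 'ip', 'mac', 'os' and 'ports', where ports is a list
    of (port, proto, state, service) tuples in the order nmap printed them.
    """
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {'name': m.group('name'), 'ip': m.group('ip1') or m.group('ip2'),
                       'mac': None, 'os': None, 'ports': []}
            hosts.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            current['ports'].append((int(m.group('port')), m.group('proto'),
                                     m.group('state'), m.group('service')))
        elif line.startswith('OS details: '):
            current['os'] = line[len('OS details: '):]
        elif line.startswith('MAC Address: '):
            current['mac'] = line[len('MAC Address: '):].split(' ', 1)[0]
    return hosts


# Ports the findings above repeatedly say to filter (NetBIOS/SMB) plus the
# remote console services seen in the scan; assumed watch list, not from the report.
WATCHED_PORTS = {
    (137, 'udp'): 'netbios-ns', (139, 'tcp'): 'netbios-ssn', (445, 'tcp'): 'microsoft-ds',
    (3389, 'tcp'): 'ms-term-serv', (5900, 'tcp'): 'vnc',
}


def exposed_services(hosts, watched=WATCHED_PORTS):
    """Map each host IP to the sorted watched ports that nmap reported as open."""
    result = {}
    for h in hosts:
        hits = sorted(p for p, proto, state, _ in h['ports']
                      if state == 'open' and (p, proto) in watched)
        if hits:
            result[h['ip']] = hits
    return result


if __name__ == '__main__':
    scan = parse_nmap_normal(SAMPLE_SCAN)
    for ip, ports in exposed_services(scan).items():
        print(ip, 'still exposes', ', '.join(str(p) for p in ports))
```

Run against a fresh `nmap -O` capture after the filtering changes, an empty result from `exposed_services` is the evidence the client's internal team can attach to the follow-up; `filtered` entries are deliberately not counted, since a filtered port is exactly what the recommendations ask for.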