Ethical Hacking Of An Industrial Control System

Daniel Conde Ortiz

Degree Project in Electrical Engineering, Second Cycle, 30 Credits
Stockholm, Sweden 2020
KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science



Abstract

Almost no software is exempt from vulnerabilities. Penetration testing or ethical hacking can be used to identify them. This thesis conducts a series of tests following the penetration testing method on a large-scale industrial control system. The goal is to discover which kind of vulnerabilities exist in these systems, focusing on attacks from inside of their network. Several approaches were taken in relation to how to attack the servers and services that form the network, both from outside and inside the machines. Critical vulnerabilities were found in relation to using services unauthenticated and disrupting communication between servers, which should be mitigated correctly in order to prevent further potential attacks.

Sammanfattning (Summary)

Most software has vulnerabilities. Penetration testing or ethical hacking can be used to identify them. This thesis conducts tests following the penetration testing method on a large-scale industrial control system. The goal is to discover which vulnerabilities exist in these systems, focusing on attacks from inside their network. Several approaches were used to attack the servers and services on the network, both from inside and outside the machines. Critical vulnerabilities were found related to authentication and to disrupting communication between servers, which should be remediated to prevent further potential attacks.

Acknowledgements

Firstly, I would like to thank my thesis supervisor, Professor Pontus Johnson. I found this thesis thanks to him and he has provided me with quick and really useful feedback and support whenever I needed it, which has been essential for the development of this project.

I would also like to extend my sincere thanks to all the people who have helped me carry out this project in the company, answering all of my numerous questions, providing assistance and recommendations of where to continue testing and guiding me to not get lost through their systems.

I can’t express enough my gratitude to my partner Virginia because, even though we are in different countries, she has always been by my side and has made this two-year crazy adventure much, much better. I can’t wait for our next one.

Then, I want to thank my parents for all of their support through all my life, for introducing me to the telecommunications world and for always encouraging me to never stop and to look for the best. All of this would not have been possible without them.

Finally, I would like to thank my sister Yaiza for her courage and for showing me to never give up, always wearing a smile. I wish you could have seen all of this. I hope you are proud of me.

Thanks to everyone! Thank you!

Daniel Conde Ortiz

June 2020

Author: Daniel Conde Ortiz <[email protected]>, Information and Communication Technology, KTH Royal Institute of Technology

Place for Project: Stockholm, Sweden

Examiner: Mathias Ekstedt, Stockholm, KTH Royal Institute of Technology

Supervisor: Pontus Johnson, Stockholm, KTH Royal Institute of Technology

Contents

1 Introduction
  1.1 Problem statement
    1.1.1 Research question
    1.1.2 Hypothesis
  1.2 Motivation and goal of the thesis
  1.3 Scope and delimitations
  1.4 Outline
2 Background
  2.1 Cybersecurity
    2.1.1 CIA
  2.2 Penetration Testing
    2.2.1 Terms
  2.3 Network Communication
    2.3.1 Transmission Control Protocol
    2.3.2 Address Resolution Protocol
    2.3.3 Remote Procedure Call
  2.4 Windows Authentication
    2.4.1 Active Directory
    2.4.2 Kerberos
    2.4.3 SMB
3 Penetration Testing Methods
  3.1 Target System
    3.1.1 Attacking Machine
  3.2 Threat modelling
  3.3 Exploitation
    3.3.1 Tools
  3.4 Post Exploitation
  3.5 Reporting
4 Exploitation
  4.1 Threat model
  4.2 Network attacks
  4.3 Active Directory attacks
  4.4 Attacks from inside of Windows machines
5 Results
  5.1 Threat Model
  5.2 Network Vulnerabilities
  5.3 Active Directory Vulnerabilities
  5.4 Vulnerabilities inside of Windows machine
  5.5 Traceability Matrix
6 Discussion
  6.1 Results
  6.2 Attacks Mitigation
  6.3 Methodology
  6.4 Sustainability and Ethical Considerations
  6.5 Future Work
7 Conclusions
References

List of Figures

2.3.1 The layers of the OSI model
2.3.2 TCP three-way handshake
2.3.3 MITM attack
2.4.1 Kerberos authentication process
3.1.1 Simplified view of the computer network
5.1.1 Threat model of the system

List of Tables

5.1.1 Vulnerability enumeration of the system using STRIDE
5.5.1 Traceability matrix for the attacks performed

ACRONYMS

AD Active Directory
ARP Address Resolution Protocol
BIOS Basic Input/Output System
CIA Confidentiality Integrity Availability
CORBA Common Object Request Broker Architecture
CVE Common Vulnerabilities and Exposures
DOS Denial Of Service
HTTP Hypertext Transfer Protocol
IBM International Business Machines
IP Internet Protocol
IPC Inter-Process Communication
IT Information Technology
KDC Key Distribution Center
KTH Kungliga Tekniska Högskolan
LAN Local Area Network
LAND Local Area Network Denial
LLMNR Link-Local Multicast Name Resolution
MITM Man In The Middle
MIT Massachusetts Institute of Technology
NBT NetBIOS over TCP/IP
NDR Network Data Representation
NTLM New Technology LAN Manager
OSI Open Systems Interconnection
RDP Remote Desktop Protocol
RPC Remote Procedure Call
RTCP RTP Control Protocol
RTP Real-time Transport Protocol
SID Security ID
SMB Server Message Block
SSO Single Sign-On
SSSD System Security Services Daemon
STRIDE Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
TCP Transmission Control Protocol
TGT Ticket Granting Ticket
TGS Ticket Granting Service
UDP User Datagram Protocol
XDR External Data Representation
ZIP Zone Information Protocol

Chapter 1

Introduction

“There are only two types of companies—those that know they’ve been compromised, and those that don’t know.” - Dmitri Alperovitch

It’s not uncommon to hear something related to cybersecurity in the news every day. For example, just recently there have been concerns about hackers, malware and foreign surveillance on the Zoom platform [1]. Other news also reported attacks towards many hospitals and facilities researching vaccines against COVID-19 [2].

The Common Vulnerabilities and Exposures (CVE) list is a database of publicly disclosed security flaws in software and machines [3]. Currently, it has over 137000 vulnerabilities registered and it increases every day. Understanding that no system is free of vulnerabilities is key for designing and building software that is secure. The consequences of overlooking this can be devastating for companies or even life-threatening for people, depending on the importance of the software.

Usually, companies make a trade-off between security, usability and costs, but, even though all possible attacks have to be prevented, it only takes one flaw to make everything useless. Because of that, security should be the basis of their projects instead of being an inconvenience or an add-on.

Penetration testing, or ethical hacking, is the method used to test the security of IT systems and find potential vulnerabilities in them. Usually, it involves access to the systems and their structure, threat modelling and authorised attacks on the tested systems.

1.1 Problem statement

Software and systems inevitably have flaws. When these systems are connected to the Internet, a network that everybody can access, they are exposed to people who will exploit these flaws for many reasons (own gain, fun, hate, etc.). This can cause harm to a company and the loss of trust and customers.

Industrial control systems are usually big, complex and important for the core development of companies. Their failure or mismanagement can lead to economic damage in most cases. For these reasons, their security is carefully revised and constantly improved.

An organisation with an industrial control system wants an assessment of the security of their systems; thus, penetration testing research will be conducted to see what vulnerabilities can be exploited.

1.1.1 Research question

This thesis is done in collaboration with KTH and a company that will remain anonymous. The research question on which this thesis will be focused is:

What kind of vulnerabilities can be found in industrial control systems and what can be done to prevent attacks?

1.1.2 Hypothesis

One or more vulnerabilities exist in the system and could be vectors for possible intrusions.

1.2 Motivation and goal of the thesis

The motivation behind this thesis is to gain and provide a better understanding of security threats to modern industrial control systems and how the attacks can be mitigated. The goal of the thesis is to contribute to and improve the security of the system that will be analyzed.

1.3 Scope and delimitations

The focus of the thesis will be on discovering vulnerabilities in systems and building exploits for them, to finally, hypothetically, be able to disrupt services or cause damage. The perimeter of the system will not be tested, as we already suppose that the attacker is inside the network, and social engineering attacks will not be performed. No deliverables such as security patches will be built and, when a vulnerability is found, it will be properly disclosed to the company.

1.4 Outline

This chapter has introduced the problem and the goals of the thesis. The rest of the thesis follows the phases of penetration testing: first a theoretical explanation of concepts related to ethical hacking and security in chapter 2, then the methodology and methods in chapter 3, the exploit development in chapter 4 and the results in chapter 5. Finally, it concludes with a discussion of the results in chapter 6 and conclusions from the whole thesis in chapter 7.

Chapter 2

Background

This chapter presents the theoretical concepts about security and penetration testing that are needed to fully understand the thesis.

2.1 Cybersecurity

Information security, computer security or cybersecurity can be defined as the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access, as well as from the disruption or misdirection of the services they provide [4, 5].

2.1.1 CIA

A very important term related to cybersecurity is the CIA triad (Confidentiality, Integrity, Availability). According to Walkowski [6] they can be defined in the following way:

• Confidentiality: It is roughly equivalent to privacy. It involves ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access.

• Integrity: Consists in ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic and reliable. This means that data changes and system functions should only be done in authorised manners.

• Availability: Means that authorized users have timely, reliable access to resources when they are needed. Authentication mechanisms, access channels and systems all have to work properly for the information they protect and ensure it’s available when it is needed.

There can be augmentations to this triad, such as [7]:

• Authenticity: The property of being genuine and being able to be verified and trusted.

• Accountability: The requirement for every action or data to be able to be traced back to its origin entity.

• Non-repudiation: Assurance that someone cannot deny the validity of something. It involves providing proof of the origin of data and the integrity of the data.

2.2 Penetration Testing

A penetration test (also called ethical hacking) is an authorized cyberattack on a computer system, performed in order to assess its security [8]. It is usually done by establishing a certain goal and reviewing available information and ways to reach that goal. The tested system can be a white box (all information is available to us) or a black box (little or no information is available).

The Penetration Testing Execution Standard [9] divides this process into 7 phases:

1. Pre-engagement. Preparation phase, tool gathering and agreeing on the scope and goals of the test.

2. Intelligence Gathering. Obtaining all available information about the system and ways to attack.

3. Threat Modelling. Procedure to identify objectives and impact of attacks.

4. Vulnerability analysis. Discovering vulnerabilities in the system.

5. Exploitation. Using those vulnerabilities to gain access to systems and bypass security measures.

6. Post Exploitation. Maintaining control of the system and collecting data.

7. Reporting. Documenting the entire process and handing the results to the client.

2.2.1 Terms

Several terms have been and will be used throughout the whole thesis in relation to ethical hacking.

• Threat: The possibility of harm, trouble or danger. The risk of security violations.

• Vulnerability: Flaw in a system or software that can be used to overcome the security policies in place.

• Exploit: Software specifically designed to attack a vulnerability, or the act of attacking it.

• Disclosure: Act of communicating found vulnerabilities, either publicly or privately.

2.3 Network Communication

All the communication between two or more machines is standardized, so that even if the communicating systems are different, they can still understand each other. This standardization is based on the OSI Model [10].

This model represents the communication in 7 layers, shown in Figure 2.3.1. Each layer has a specific set of tasks and only transfers information to the layer above or below. Packets (information containers) move vertically in this structure and each layer only communicates with the layer at the same level on other devices. Many protocols exist for each layer, but the same one must be used on both ends of the communication for it to succeed.

Figure 2.3.1: The layers of the OSI model

A brief explanation of each layer:

Application layer

The user interacts with this layer; it is the beginning and end of almost all network communication. It is probably the layer with the most protocols, some of them being HTTP, RDP and SMB.

Presentation layer

It is responsible for data formatting and delivery between different end-user systems, for example, different text encodings. Some of the protocols in this layer are NDR and XDR.

Session layer

Provides mechanisms for opening, managing and closing sessions (semi-permanent dialogues). It also provides authentication and authorization services. Some of its protocols are NetBIOS, ZIP and RTCP.

Transport layer

This layer is responsible for delivering packets to the corresponding application process once they reach the destination machine. It provides services such as connection-oriented communication, reliability, flow control and multiplexing. The most used protocols in this layer are TCP (reliable) and UDP (fast and simple).

Network layer

It is the layer in charge of transmitting packets between different networks, that is, between two machines that are not directly connected. The best known protocol from this layer is IP.

Link layer

This layer transmits information between two machines that are directly connected. It also provides error correction. Some of its protocols are Ethernet and Wi-Fi.

Physical layer

It is physically connected to another system (cable, fiber, air, etc.) and transmits and detects the information in the form of electromagnetic waves. It makes the transformation from and to these electromagnetic waves to bits.

2.3.1 Transmission Control Protocol

The Transmission Control Protocol or TCP [11] is one of the fundamental protocols on the Internet. It is a transport layer protocol and provides reliable, error-free and ordered stream delivery between applications. Also, TCP provides flow control, allowing both sides to control how much information is sent in a given period if they are overwhelmed or the link in between is congested.

The most important aspect of TCP is that it is connection-oriented, meaning that a connection must be established before transmitting data. The receiving end must be listening for connection requests and when a new one is received, the three-way handshake process is initiated, shown in Figure 2.3.2 and known as SYN, SYN-ACK and ACK.

Figure 2.3.2: TCP three-way handshake

Once this process is done, information can be transmitted. If any packet is lost, the receiving end can request it or the sending side knows about it, because all received packets are acknowledged. This handshake can also be used to scan open ports or exploited to perform some Denial of Service attacks.

TCP encapsulates the information by adding a header for processing at the receiving end. This header has several parameters such as the origin and destination ports. The order of the data is controlled by sequence numbers and flow control by a parameter called window size.
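As an added example (not code from the thesis), the following Python decodes the TCP header fields just described, checks the sequence and acknowledgement arithmetic of a constructed three-way handshake, and lists handshakes that were never completed, which is the trace a defender looks for when SYN scanning or SYN-based denial of service is suspected. Port numbers and initial sequence numbers are constructed sample values.

```python
import struct

# TCP flag bits in the header's flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header: ports, sequence/ack numbers, flags and window size."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (src_port, dst_port, seq, ack, offset_flags,
     window, _checksum, _urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    flags = offset_flags & 0x01FF
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "header_len": (offset_flags >> 12) * 4,   # data offset is counted in 32-bit words
        "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK),
        "rst": bool(flags & RST), "fin": bool(flags & FIN),
        "window": window,
    }


def handshake_step(hdr: dict) -> str:
    """Name the three-way handshake step a header belongs to."""
    if hdr["syn"] and not hdr["ack_flag"]:
        return "SYN"
    if hdr["syn"] and hdr["ack_flag"]:
        return "SYN-ACK"
    if hdr["ack_flag"]:
        return "ACK"
    return "other"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window) -> bytes:
    """Build a 20-byte header without options; the checksum is left zero in this constructed sample."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | flags, window, 0, 0)


# Constructed handshake between an ephemeral client port and a server's SMB port 445.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SAMPLE_HANDSHAKE = [
    build_tcp_header(51515, 445, CLIENT_ISN, 0, SYN, 64240),
    build_tcp_header(445, 51515, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK, 65535),
    build_tcp_header(51515, 445, CLIENT_ISN + 1, SERVER_ISN + 1, ACK, 64240),
]


def classify_handshake(segments) -> list:
    return [handshake_step(parse_tcp_header(s)) for s in segments]


def check_handshake(segments) -> bool:
    """Verify the sequence/acknowledgement arithmetic: a SYN consumes one sequence number."""
    a, b, c = (parse_tcp_header(s) for s in segments)
    return (classify_handshake(segments) == ["SYN", "SYN-ACK", "ACK"]
            and b["ack"] == a["seq"] + 1
            and c["seq"] == a["seq"] + 1
            and c["ack"] == b["seq"] + 1)


def incomplete_handshakes(segments) -> set:
    """(src_port, dst_port) pairs that sent a SYN but never the final ACK.

    Many such pairs from one host are the footprint of a SYN scan or a SYN flood,
    which is how the handshake gets abused for port scanning and denial of service."""
    pending = set()
    for s in segments:
        hdr = parse_tcp_header(s)
        step = handshake_step(hdr)
        if step == "SYN":
            pending.add((hdr["src_port"], hdr["dst_port"]))
        elif step == "ACK":
            pending.discard((hdr["src_port"], hdr["dst_port"]))
    return pending
```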

2.3.2 Address Resolution Protocol

The Address Resolution Protocol or ARP [12] is a protocol used for discovering link layer addresses, most of the time MAC addresses, from a given IP address inside the same network.

The way it works is that each host keeps a mapping table with MACs and their corresponding IPs. If a host wants to know another host’s MAC, it sends a broadcast ARP query message asking for the corresponding IP. If that host exists in the same subnetwork, it will reply with its own MAC address.

Sometimes hosts can also actively send their MAC/IP relation to the network and other hosts will register this in their tables. This can be exploited to spoof other machines and receive packets and information that were destined to them. This is called ARP spoofing and can be used to perform a man-in-the-middle attack.

Man-In-The-Middle (MITM)

A man-in-the-middle attack [13] happens when the attacker is, secretly, in the middle of the communication between two victims. The attacking agent receives traffic from one or both sides and relays it to the other party. Because of this, it can read the traffic, modify it, drop some packets or replay them later.

Most cryptographic protocols include endpoint authentication to prevent the attacker from reading the traffic if this kind of attack happens.

Figure 2.3.3: MITM attack
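The ARP spoofing and man-in-the-middle sections above describe the attack; as an added example that is not part of the thesis, the Python below shows the detection side: it learns IP-to-MAC bindings from ARP replies the way a host's table does and raises an alert when a binding moves to another MAC, or when one MAC answers for several IPs. The reply records, IP addresses and MAC addresses are constructed sample values; a real deployment would feed it from a sniffer such as Wireshark.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac, unsolicited).
# In practice these would come from a sniffer such as Wireshark or tcpdump.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", False),   # gateway answers a query
    (1.0, "10.0.0.20", "aa:aa:aa:aa:aa:20", False),  # a server answers a query
    (5.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", False),   # gateway again, consistent
    (9.0, "10.0.0.1", "de:ad:be:ef:00:99", True),    # unsolicited: a new MAC claims the gateway IP
    (9.5, "10.0.0.20", "de:ad:be:ef:00:99", True),   # the same MAC now also claims the server IP
]


class ArpSpoofDetector:
    """Learn IP-to-MAC bindings from ARP replies and flag the changes ARP spoofing causes."""

    def __init__(self, trusted=None):
        # Bindings known so far. Seeding static entries (e.g. the gateway) keeps the
        # detector from trusting an attacker who spoofs before the first genuine reply.
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, ts, ip, mac, unsolicited):
        previous = self.table.get(ip)
        if previous is None:
            # First time this IP is seen: remember it, but note unsolicited claims.
            self.table[ip] = mac
            if unsolicited:
                self.alerts.append((ts, "unsolicited reply for unknown host", ip, mac))
        elif previous != mac:
            # The binding moved to another MAC: the classic spoofing signature.
            # The first-seen binding is kept; a real tool would re-probe the IP to confirm.
            self.alerts.append((ts, "ip-to-mac binding changed", ip, f"{previous} -> {mac}"))

    def run(self, replies):
        for reply in replies:
            self.observe(*reply)
        return self.alerts


def detect_arp_spoofing(replies, trusted=None):
    """Run the detector over a capture and return the list of alerts."""
    return ArpSpoofDetector(trusted).run(replies)


def macs_claiming_multiple_ips(replies):
    """One MAC answering for several IPs is what a man-in-the-middle looks like on the wire."""
    claims = defaultdict(set)
    for _ts, ip, mac, _unsolicited in replies:
        claims[mac].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}
```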

2.3.3 Remote Procedure Call

A Remote Procedure Call or RPC [14] happens when a program causes a subroutine to start executing on another machine (usually in the same network), but this is coded in the software as a normal procedure call, where the program does not specify the explicit details of the interaction; the code is essentially the same as if the call were local.

RPCs are a form of inter-process communication (IPC) and are based on client-server interaction, where the client always starts the procedure. During the time that the server is processing the request, the client remains blocked, unless it is an asynchronous request. Also, the communication can fail and clients should account for these failures.

RPC can be an important security factor since it is an entry point for requests to execute programs inside the machine. Because of this, it must be adequately secured. A secure RPC requires: an encrypted communication path, the authentication of the identity of the requesting client, and the authorization on the serving side that the client making the request is allowed to do so. Usually, this is achieved by using Kerberos (or a similar system), which will be explained later.

2.4 Windows Authentication

Authentication is a process for verifying the identity of an object, service or person and proving that they are genuine or authentic [15]. Usually, this is done by signing data with a cryptographic operation using a key that only the user knows or a shared key.

The server in charge of authentication compares the signed data from the user with known cryptographic keys. Storing the keys in a secure central location makes the authentication process scalable and maintainable. Microsoft provides a solution for this, called Active Directory.

In a business environment, services or users might want to access multiple applications or resources on many types of servers from one or several locations. For these reasons, authentication servers must support a wide range of environments and operating systems.

2.4.1 Active Directory

Active Directory is a directory service included in most Windows Server operating systems; it stores information about objects (user accounts) on the network and makes this information easy for administrators and users to find and use.

This service also includes a set of rules that defines the constraints and limits of these objects; a query and index mechanism so objects and their properties can be queried; a replication service that distributes directory data across a network; and a global catalog that contains information about every object in the directory [16].

A server running Active Directory is called a domain controller and is in charge of authenticating and authorizing all users and computers in the network, assigning and enforcing security policies. In order to include Linux servers in this authentication network, the System Security Services Daemon or SSSD [17] is used.

2.4.2 Kerberos

Kerberos is a network authentication protocol developed by MIT and designed to provide strong authentication to client/server applications, replacing password-based authentication methods [18]. It reduces the risk of MITM attacks since all communication is encrypted, and it is widely used as a Single Sign-On (SSO) service, meaning that a user only has to authenticate once to use as many services as they want.

Kerberos is the default authentication method in Windows, but usually NTLM is used as a fallback when a service does not implement Kerberos. Apart from that, every service needs to be registered in the AD for Kerberos to work.

Kerberos uses tickets instead of passwords and its basic architecture consists of a client, the service that the client wants to authenticate to and an authentication server, which in this case is called the Key Distribution Center or KDC.

An overview of the steps in the authentication process can be seen in Figure 2.4.1 and they are:

1. The client presents itself to the KDC and asks for a ticket for the Ticket Granting Service (inside the KDC).

2. The Authentication Service (also inside the KDC) sends back the requested ticket encrypted with the client’s password as well as a session key that can’t be decrypted.

3. The client uses this ticket and session key to request a service ticket from the TGS.

4. The TGS answers with the corresponding ticket and a service session key.

5. Using this, the client authenticates to the service.

6. If everything is correct, the service will answer with some authentication information back and now the client can use the service.

Figure 2.4.1: Kerberos authentication process
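The six steps above, as an added example in Python that is not part of the thesis: a single-process model of the client, the KDC (Authentication Service and Ticket Granting Service) and a service, exchanging the same messages. The toy encryption, the principal names and the passwords are constructed stand-ins (real Kerberos uses AES enctypes and ASN.1 messages), but the property it shows is the real one: the TGT and the service ticket are sealed under keys the client never holds, a wrong password fails at the very first reply, and every authenticator carries a timestamp to bound replay.

```python
import hashlib
import hmac
import json
import os
import time

def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (simplified stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (stand-in for the AES enctypes real Kerberos uses)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session: bytes, client: str) -> bytes:
    """Proof that the sender holds the session key; the timestamp bounds replay."""
    return encrypt(session, {"client": client, "time": time.time()})

def check_authenticator(session: bytes, blob: bytes, expected_client: str, skew: float = 300.0) -> None:
    auth = decrypt(session, blob)
    if auth["client"] != expected_client or abs(time.time() - auth["time"]) > skew:
        raise PermissionError("authenticator rejected")

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one process."""

    def __init__(self, principals: dict):
        # In Active Directory these long-term keys live on the domain controller.
        self.keys = {name: derive_key(pw, name) for name, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)  # TGS key: never leaves the KDC

    def as_exchange(self, client: str) -> bytes:
        """Steps 1-2: a TGT plus a session key, sealed under the client's key."""
        session = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "session": session})
        return encrypt(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str) -> bytes:
        """Steps 3-4: the TGT names the client, the authenticator proves it holds the session key."""
        t = decrypt(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(t["session"])
        check_authenticator(session, auth, t["client"])
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "session": svc_session})
        return encrypt(session, {"session": svc_session, "ticket": ticket.hex()})

class Service:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(password, name)

    def ap_exchange(self, ticket: bytes, auth: bytes) -> str:
        """Steps 5-6: only this service's key opens the ticket; returns the accepted principal."""
        t = decrypt(self.key, ticket)
        check_authenticator(bytes.fromhex(t["session"]), auth, t["client"])
        return t["client"]

def kerberos_login(kdc: KDC, client: str, password: str, service: Service) -> str:
    """Client side of steps 1-6. A wrong password fails at the first decrypt."""
    as_rep = decrypt(derive_key(password, client), kdc.as_exchange(client))
    session = bytes.fromhex(as_rep["session"])
    tgt = bytes.fromhex(as_rep["tgt"])  # opaque to the client: only the KDC can read it
    tgs_rep = decrypt(session, kdc.tgs_exchange(tgt, authenticator(session, client), service.name))
    svc_session, ticket = bytes.fromhex(tgs_rep["session"]), bytes.fromhex(tgs_rep["ticket"])
    return service.ap_exchange(ticket, authenticator(svc_session, client))

def attempt(fn, *args) -> bool:
    """True when fn(*args) succeeds, False when the toy crypto rejects the key."""
    try:
        fn(*args)
        return True
    except ValueError:
        return False

def client_can_open_tgt(kdc: KDC, client: str, password: str) -> bool:
    """Checks the point of step 2: the client cannot read its own TGT."""
    key = derive_key(password, client)
    return attempt(decrypt, key, bytes.fromhex(decrypt(key, kdc.as_exchange(client))["tgt"]))

# Constructed principals: one user and one SMB file service registered with the KDC.
DEMO_KDC = KDC({"alice": "correct horse", "cifs/fileserver": "svc-secret"})
DEMO_SERVICE = Service("cifs/fileserver", "svc-secret")
```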


2.4.3 SMB

SMB or Server Message Block [19] is a protocol used for providing shared access to files, serial ports and printers and authenticated inter-process communication (IPC), all within a network. It was originally designed by IBM but Microsoft made substantial modifications to it, creating the most commonly used version and including it in most Windows versions.

SMB servers allow clients on the network to access their file systems and other resources, provided that they authenticate first, for example, by being a domain user.

Samba [20] is a free-software implementation of the SMB protocol for Unix-like systems. It allows systems that are not Windows to access and communicate with SMB servers. On a more general scope, it integrates Unix systems into Active Directory environments.

Chapter 3

Penetration Testing Methods

The main focus of this degree project is to perform a security assessment on a system, i.e. penetration testing. This chapter explains how this investigation was conducted and in the next chapter the results will be presented. The methodology used is based on the phases explained in section 2.2.

3.1 Target System

This thesis was performed in a provided simulated system. This system was a virtualized identical representation of the real-world systems used in this company. The systems were set up in the same way a client would do it and with the same security measures, firewalls included. The system is shown in Figure 5.1.1.

The system is composed of several Windows and Linux servers, connected to the same network and in the same domain. We could say that the control system (back-end) is in the middle of everything, with clients on one side and the actuating components on the other side. This system also includes databases and load balancers (middle tier servers) and can be configured to have redundancy in various degrees.

Figure 3.1.1: Simplified view of the computer network. The systems in the blue zone will be the target for the security assessment in this thesis.

A Microsoft Active Directory system for authentication and authorization is also part of the complete system. The operating systems used are: Windows Server 2012, Windows 10, and Red Hat Linux v7.

For this thesis, we suppose that an attacker has reached inside the network, is connected somehow and could attack from there. Of course, this part of the network is segmented from other parts, depending on their importance for the whole system. Before accessing it, the attacker has had to go through several layers of firewalls, finding flaws or exploits in them, but that is not in the scope of this thesis.

The security of this network and systems is a crucial element and it is continuously revised and improved. It already has strong and advanced security measures, so we cannot expect to find common vulnerabilities or security issues at first glance. Also, the operating systems and services used are part of a testing environment and may not have been updated to the latest versions, so attacks on specific vulnerabilities might not be feasible in real life.

Previous research was focused in the security between the control system and

the actuators. It was decided that the focus of this thesis would be on the part

concerning the clients and control system.

3.1.1 Attacking Machine

In order to perform a better analysis and have a wider selection of tools

available, a (virtualized) Kali 2020 Linux machine was directly connected to

the network. This provides a huge toolset for pentesting and a environment

in which experiments can be made without security constraints from the

operating system.

3.2 Threat modelling

Previous security assessments of this system developed extensive threat models following the STRIDE modelling technique [21]. These models were the basis on which this project started and from which it was developed, so no new threat modelling was done. An extract of the threat modelling report can be read in section 4.1.

3.3 Exploitation

The exploitation phase was conducted from the Kali Linux machine, as

previously mentioned. The main focus of this phase was on network traffic,

SMB and RPC ports.


3.3.1 Tools

Some of the main tools used for finding and exploiting vulnerabilities are the following. They were chosen for a combination of their capabilities, how widely they are used in the ethical hacking world and their availability (for example, they are already installed in the OS used or can easily be downloaded).

Metasploit

Metasploit [22] is an open-source vulnerability validation and exploitation tool. It is mainly developed by Rapid7, but any user can create and add their own modules, written in Ruby. It provides many tools, but its main use is remote code execution and obtaining a connection to the exploited machine.

Nmap

Nmap [23] is an open-source network scanner and security auditor. With this tool we can survey a network, discover live hosts and open ports, and find out what software they are running. It works by sending different kinds of packets and analyzing the responses.

PowerShell Empire

PowerShell Empire [24] is a post-exploitation framework that can run PowerShell agents without executing powershell.exe. It also allows running tools such as Mimikatz and keyloggers.

Wireshark

Wireshark [25] is a packet sniffing tool and protocol analyzer. It is usually

used for network and communications analysis. It allows the user to see every

packet that the computer receives, with all the possible information that it can

extract from it.


SMB discovery

Several tools were used for discovering SMB shares, users within the system and more information. Some of these tools were smbclient [26], enum4linux [27], CrackMapExec [28] and rpcclient [29], along with Metasploit, mentioned previously. Most of these tools work similarly, by sending specific SMB requests (authenticated or not) to the servers and figuring out how much information they can get from the answers.

Own Programs

Some other programs were developed to complement the tools already available. Some of these programs are:

1. MITM packet sniffer, replayer and modifier. Wireshark is a great tool for sniffing traffic, but some specific conditions were tested, such as becoming a Man-in-the-Middle machine (as explained in 2.3.2) and replaying past traffic or modifying the traffic currently passing through. For this, a specific script was written in Python.

2. Basic clients for the servers, to test specific commands and situations. These were written after looking at the original source code and holding meetings with the corresponding engineers to get a better understanding of the way the system works.

3. Blaster. Developed by past penetration testing researchers. A complementary tool to Nmap which takes as input a list of TCP ports and, for each, tries to read and write random data for 5 seconds. It is used to discover processes which allow unauthorized reading or writing of data.

3.4 Post Exploitation

In general, the goal of penetration testing is to acquire root or administrator privileges on the exploited system. This can be done, for example, by abusing unprotected programs that run as higher-privileged users. Another method is to obtain and use credentials of other users on the same machine, for example Kerberos tickets, if a way to get them can be found, in order to move laterally in the network.

In the case of this thesis, the goal is to affect the network or, failing that, to exfiltrate information about it. Since most machines in the system are connected in sequence, once inside one of them, little lateral movement is needed.

Even though two users on the same machine can have different privileges, they share many things, for example the IP address. Also, a process can be started by a user or by the machine itself, and another, unprivileged user can access its information, if it is unprotected, and use it to spoof that process.

All of this was used to create scripts so that, from one of the server machines, commands could be sent to other servers from an unprivileged account.

3.5 Reporting

While this project was conducted, all vulnerabilities found were reported to the company following responsible disclosure [30]. This means that a vulnerability is first disclosed to the company, giving it a grace period to fix it before anything is published about it, as is the case with this report.

To protect the company and its systems, the results are anonymized in this

report. At the end of the project, a presentation was given to coworkers and

project managers about the vulnerabilities found in their systems.


Chapter 4

Exploitation

In this chapter, it is explained how the exploitation process was conducted and how each attack led to the next ones.

4.1 Threat model

As mentioned in the previous chapter, threat modelling of the system was

already done by past security assessments using the STRIDE modelling

technique. The results can be seen in the next chapter with a picture of the

threat model and how servers communicate on Figure 5.1.1 and an extract of

the STRIDE enumeration of vulnerabilities on Table 5.1.1.

Most of the exploitation phase and attacks are based on or inspired by this information, which helps to better understand the system and how it can be attacked.

Many of the threats come from spoofing any of the servers, a MITM attack, or some sort of server crash or denial of service, so that is where most of the effort was put in this security assessment.


4.2 Network attacks

Both superficial and deep port scans were conducted with Nmap to detect possibly vulnerable ports. The control system is protected by reliable, stateful firewalls whose rules are generated automatically depending on the system and its configuration. The ruleset was examined, but no flaw was found. Apart from this, some information could be extracted from the other systems.

Using the Blaster tool mentioned in 3.3.1, some ports were found to be

vulnerable to raw reading and writing and could be attack vectors, but other

information gathering methods should be executed before preparing specific

attacks.
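The following Python program is an added example of the kind of probe the Blaster tool (section 3.3.1 and above) performs; it is not the thesis's own tool, whose source is not public. For each TCP port taken from a scan it writes random bytes to the open connection, keeps trying to read for a fixed time, and records whether the service accepted the writes, answered anything, or dropped the connection. The `probe_local` helper drives the same logic against a constructed peer on a socketpair so the behaviour can be checked offline; the host, port list and timings are assumptions.

```python
import os
import socket
import threading
import time


def blast(sock: socket.socket, seconds: float = 5.0, chunk: int = 64) -> dict:
    """Write random bytes to a connected socket and keep trying to read for
    `seconds`. Returns what the service tolerated: whether every write was
    accepted, whether anything came back, and the byte counts. A reset or an
    orderly close by the peer ends the probe early."""
    sock.settimeout(0.2)
    deadline = time.monotonic() + seconds
    sent = received = 0
    write_ok = True
    while time.monotonic() < deadline:
        try:
            sent += sock.send(os.urandom(chunk))
        except OSError:            # ECONNRESET / EPIPE: the service dropped us
            write_ok = False
            break
        try:
            data = sock.recv(4096)
            if not data:           # orderly close by the peer
                break
            received += len(data)
        except socket.timeout:
            continue               # nothing to read yet, keep writing
        except OSError:
            break
    return {"write_ok": write_ok, "read_ok": received > 0,
            "sent": sent, "received": received}


def blast_ports(host: str, ports, seconds: float = 5.0) -> dict:
    """Run blast() against each TCP port in `ports` (in practice, Nmap's open ports)."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=2) as s:
                results[port] = blast(s, seconds)
        except OSError as exc:
            results[port] = {"error": str(exc)}
    return results


def probe_local(behaviour: str, seconds: float = 0.5) -> dict:
    """Offline demonstration against a constructed peer: one end of a socketpair
    that either echoes everything back ('echo') or never answers ('silent')."""
    probe_end, peer_end = socket.socketpair()

    def echo():
        peer_end.settimeout(1.0)
        try:
            while True:
                data = peer_end.recv(4096)
                if not data:
                    break
                peer_end.sendall(data)
        except OSError:
            pass
        finally:
            peer_end.close()

    if behaviour == "echo":
        threading.Thread(target=echo, daemon=True).start()
    try:
        return blast(probe_end, seconds)
    finally:
        probe_end.close()
        if behaviour == "silent":
            peer_end.close()


if __name__ == "__main__":
    print("echoing peer :", probe_local("echo"))
    print("silent peer  :", probe_local("silent"))
    # Real use, hypothetical target: blast_ports("10.0.0.5", [135, 445, 8080])
```

A service that accepts arbitrary writes without closing the connection (write_ok true, read_ok false) is the case the thesis flags as a raw-write vector worth a more specific attack; an echoing service leaks whatever parsing it does of the garbage.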

To get a better grasp of how the processes and services communicate, the

traffic from their normal behaviour as well as their startup and stopping was

analyzed with Wireshark.

All the traffic is encrypted (as a result of using Kerberos), so no specific messages could be read, but the order in which processes started and the number of messages exchanged could be observed. This helped to decide which processes to attack or try to spoof. For example, the more messages a process exchanges, the more important it probably is.

After this and talking with the engineers who developed the system, it was

decided that the following attacks and the thesis in general should focus on

the process in charge of sending commands, since it was the most capable of

causing damage.

A MITM script was created (as mentioned in 3.3.1) to intercept and replay or modify the traffic between servers. This could be done because the attacking machine is connected to the same network as the servers.

For this program to work, the arpspoof command first needs to be run in order to trick each of the two targeted servers into sending its traffic for the other one to the attacking machine. The script then uses the pyshark library to capture packets, filtering them by IP and MAC address. These packets are stored in a cache so they can be replayed later, depending on the attack. The replaying is done using the scapy library. The anonymized script has been uploaded to GitHub and can be found in [31].

With this program, several kinds of attacks were performed, both to try to affect the network and to see how it reacted in different situations:

• Packet storage and replay:
– Forwarding only packets which had a payload (i.e. no keep-alive packets).
– Including the payload of one packet in another one.
– Adding payloads to keep-alive packets, including very big ones.
– Modifying the TCP window size.
– Modifying random bits in packets.
– Actively delaying packets by a range of times (e.g. from 0.1 s to 1 s).
• DoS attacks:
– SYN flood: not sending the last ACK of the TCP handshake, causing the target server to wait for it and consume resources.
– Banana attack: redirecting outgoing messages from a client back to that same client, flooding it.
– LAND attack: sending a spoofed TCP SYN packet with the target's IP address as both source and destination to an open port on the target, causing it to reply to itself continuously.
– Smurf attack: sending ICMP Echo requests to the network broadcast address with the target's spoofed source address, so that every member of the network replies to the target.
– Ping of death: sending several malformed ICMP fragments whose reassembled size exceeds 65535 bytes (the maximum IP packet size).
– And many more similar ones.
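As an added example, and not the thesis's own MITM script from [31], the following Python code shows the packet manipulation behind two of the attacks listed above, "forwarding only packets which had a payload" and "modifying the TCP window size", on raw IPv4/TCP bytes. It builds a constructed segment, drops payload-less keep-alive ACKs, rewrites the advertised receive window and recomputes the TCP checksum so the victim does not discard the modified segment. The addresses, ports and payload are constructed; the builder assumes TCP segments without options, while the rewriting functions honour the header lengths in any packet; putting the result back on the wire (raw socket or scapy, after ARP spoofing) is left out.

```python
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(ip_hdr: bytes, tcp_len: int) -> bytes:
    # source, destination, zero, protocol (6 = TCP), TCP length
    return ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    """Constructed IPv4+TCP packet (no options) with valid checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                                5 << 4, flags, window, 0, 0)) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                               64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)


def split(pkt: bytes):
    """Return (ip_header, tcp_segment), honouring IHL and the IP total length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[:ihl], pkt[ihl:total_len]


def parse_packet(pkt: bytes) -> dict:
    ip, tcp = split(pkt)
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "window": window, "payload": tcp[(off >> 4) * 4:],
        "ip_checksum_ok": checksum(ip) == 0,
        "tcp_checksum_ok": checksum(tcp_pseudo_header(ip, len(tcp)) + tcp) == 0,
    }


def is_keepalive(pkt: bytes) -> bool:
    """Pure ACK without payload: the keep-alive traffic the MITM did not forward."""
    p = parse_packet(pkt)
    return p["flags"] == TCP_ACK and not p["payload"]


def rewrite_window(pkt: bytes, new_window: int) -> bytes:
    """Shrink the receive window the peer will honour; only the TCP checksum changes."""
    ip, tcp = split(pkt)
    tcp = bytearray(tcp)
    tcp[14:16] = struct.pack("!H", new_window)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo_header(ip, len(tcp)) + bytes(tcp)))
    return ip + bytes(tcp)


def mitm_forward(captured, window):
    """What the man in the middle re-sends: keep-alives are dropped, handshake and
    teardown segments pass untouched, data segments get the shrunken window."""
    out = []
    for pkt in captured:
        if is_keepalive(pkt):
            continue
        if parse_packet(pkt)["flags"] & (TCP_SYN | TCP_FIN | TCP_RST):
            out.append(pkt)
        else:
            out.append(rewrite_window(pkt, window))
    return out


if __name__ == "__main__":
    data = build_packet("10.0.0.1", "10.0.0.2", 40000, 5000, 1, 1, TCP_ACK | 0x08, 65535, b"CMD")
    keep = build_packet("10.0.0.1", "10.0.0.2", 40000, 5000, 4, 1, TCP_ACK, 65535)
    for p in mitm_forward([keep, data], window=10):
        print(parse_packet(p))
```

A window of 10 bytes forces the sender to trickle its data out in tiny segments, which is the delay effect reported in Chapter 5; the receiver accepts the rewritten segment only because the checksum was recomputed, which is why the Kerberos-protected payload itself still cannot be altered without a reset.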

The complete results are explained in Chapter 5, but the main takeaway was that, since Kerberos provides both encryption and protection against packet replay, this was a dead end. Because of this, the next step was to get inside a machine and attack from there.

4.3 Active Directory attacks

In this part the focus is not on attacking any of the control services directly, but on getting access to any of the machines connected to the network and then performing the attack from the inside. All access and authentication in the network is controlled by a Windows Active Directory server, and authentication to services uses Kerberos.

Most Kerberos attacks, such as Pass the Ticket, Golden Ticket or Silver Ticket, allow an attacker to act as another user and use services. The problem is that they first require administrator access on the systems, in order to extract tickets or the key material needed to forge them. Since the attacks are performed from the outside and no access has been obtained yet, they will not work.

Brute forcing passwords on machines that use Kerberos is not really an option either, because the KDC is usually configured to lock the account after a number of failed attempts, after which it has to be unlocked manually.

Another option is to look for users that do not require Kerberos pre-authentication and request an AS-REP from the KDC on their behalf (AS-REP roasting), since the reply contains material that can be cracked offline. This was unsuccessful because the network's security rules ensure that such users do not exist. Similar attacks against SSSD on the Linux servers were considered, but the limitations were the same.

A different way to access a computer is through the SMB protocol, which is usually open on most Windows servers. The tools mentioned in 3.3.1 can be used with or without authentication. Obviously, more information can be obtained with authentication than without, and the more privileges the user has, the more information can be retrieved. All of the results can be seen in the next chapter.

Further tools were also used, such as NBTScan [32], SMBMap [33] and Impacket [34], but the results were mostly the same or nothing useful was found. Similarly, other attacks related to AD and SMB, such as Kerberoasting, psexec and wmiexec, were carried out, but no useful results were obtained.

In relation to this, there are plenty of tools that allow similar attacks but using a Windows machine instead of a Kali one as the attacker. These tools were considered at first but set aside because of their similarity to the Linux ones and the unavailability of an outsider Windows machine. Finally, other attacks exploit SMB to escalate privileges starting from inside one of the domain machines. Such attacks were also set aside because of the need to get inside a machine first.

Apart from these kinds of attacks, it is known that computers and servers in industrial control networks need to be used and managed by different people in different locations. The most common way to solve this is by using the Remote Desktop Protocol, which is an easy way to access a machine given its IP address and some user in the same domain. It can be accessed using Remote Desktop Connection on Windows and FreeRDP [35] on Linux.

Other attacks related to this topic, such as LLMNR Poisoning or SMB Relay,

were not performed because they were already tested on previous security

assessments.

4.4 Attacks from inside of Windows machines

Once access (by any means) to a machine is available, there are multiple ways to attack the processes and the other machines. The accounts in this network are divided into a number of levels depending on the privileges they have. The higher the level, the more difficult it is to get access to that account.


The goal of this project is to affect the control system, but the only processes that can do this are run by high-level accounts. Because of this, there are three options:

a) Get access to an Administrator account and use tools such as Mimikatz to obtain the passwords of other users or forge Kerberos tickets to use services. This is very unlikely to happen, as these accounts are extremely well protected by various methods: their passwords are changed constantly, or they cannot even be accessed manually and the administration of the system is done externally.

b) Get access to an account that can run the processes. Also very unlikely and, if this were the case, there is not much left to do, as the attacker can manipulate the system freely.

c) Get access to an account with no privileges. This is the only scenario in which some investigation can be done, as this kind of account should not be able to interact with the system.

Because of this, the focus was on scenario c). As the user does not have permission to run the programs, the goal is to make the other end believe it is talking to an authorized user. Test client programs with basic functions were created to spoof the selected services. This was done with the help of code reviews and meetings with the engineers who wrote the programs, without going so far that it would become code testing instead of actual penetration testing.

These clients used the system services' APIs, which are not public and should normally only be used by the system itself. The two most important services (or the two that could cause the most damage if manipulated) were selected to be tested. In theory, if an unauthorized user sends a request, the destination server must discard it right away.

Through manual testing it was discovered which methods and parameters could be exploited. Testing these methods ranged from simply calling them to passing malicious parameters, such as very long strings or illegal settings. Also, if the language used for the APIs is object-oriented, which in this case it is, the objects' properties can also provide useful information.

These clients were written in C#, which has to be compiled before execution. Servers do not usually have the tools needed to compile code, so the compilation is done on the attacker's machine. The compiled code, together with the libraries it uses, would then have to be copied to the attacked machine; this is usually a considerable amount of data, not enough to affect most machines' memory, but the file transfer could take some time depending on the network.

The libraries used are already on the machine, as they belong to the whole system and the servers use them. In addition, PowerShell allows executing C# code without compiling it first, by using the following command and then creating an object of the defined type:

Add-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp

where $assemblies holds the paths of the libraries that the code references and $code holds the source code as plain text, read in beforehand. The source can even be Base64-encoded before being loaded, to evade some simple detection.

Furthermore, the company provides an easy process by which its customers can program their own tools and integrate them into the servers, for example for specific repetitive tasks. This could be a threat, since injecting malicious code into these programs, or even getting one's own programs to execute on the server through this method, can lead to the same catastrophic failures as the previous attacks.

This process was investigated with the idea of, for example, creating a program which could be placed in some folder on the server machine and would be executed regularly by the main server without user interaction. Another idea is that it could be included in the operators' interface, so that they would execute it without knowing that it is malicious software.


It was also checked if there were any traces of passwords or other information

in the files installed and used by the software and if they could be accessed

without proper authorization.

Finally, the tool PowerShell Empire was tried, as it provides an extensive array of tools to execute within PowerShell and could allow privilege escalation or lateral movement within the network. This tool could not have been used earlier, as it needs to be executed on a Windows machine and the only (theoretically) accessible computer was the Kali machine.

While developing and executing all the exploitation tests mentioned in this

chapter, several vulnerabilities were found and the results will be reported in

the next chapter.


Chapter 5

Results

In this chapter, the results from the threat modelling and exploitation phases

are presented. As in the previous chapter, the exploitation results are divided

into Network Vulnerabilities, Active Directory Vulnerabilities and Windows

Vulnerabilities.

All of the results in this chapter and more information about them were

reported to the software engineers so they could be fixed as soon as

possible.

5.1 Threat Model

As explained before, the threat model for this system was already available, so the other phases of penetration testing could proceed. A picture of the threat model and how servers communicate can be seen in Figure 5.1.1, and an extract of the STRIDE enumeration of vulnerabilities is in Table 5.1.1.


STRIDE category and threats

Spoofing
• Spoofing servers.
• Spoofing clients.

Tampering
• Modifying packet traffic between servers.

Repudiation
• Removing logs from servers.

Information Disclosure
• Leakage of information in communication through a MITM attack.
• Leakage of credentials or encryption keys.

Denial of Service
• Crashing servers or services.
• Inability to authenticate because AD is unavailable.

Elevation of Privilege
• Sniffing and cracking hashes.
• Overprivileged users.

Table 5.1.1: Vulnerability enumeration of the system using STRIDE


Figure 5.1.1: Threat model of the system

5.2 Network Vulnerabilities

During the first rounds of research, one vulnerability discovered was that the

control server (or servers) could be forced into a blocking state by disrupting

the communication.

Due to how control systems work in general, one control server is in charge and the others that may be in the network act as backup servers, checking in with the main one periodically. If communication with the main server is lost, one of the backup servers assumes control of the network.

If each machine has only one network interface, that single communication path can be disrupted and several servers would assume control of the network at the same time. When communication is restored, they would observe that other servers are also controlling the system and enter a blocking state, in order not to send contradictory orders.
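The following Python simulation is an added example, not from the thesis, of the failure mode just described: three constructed control servers (one active, two backup) exchange heartbeats over whichever interfaces they share. The server names, the heartbeat timeout and the conflict rule (an active server that sees another active server blocks itself) are assumptions made for the model. It shows why disrupting a single shared interface ends with every server blocked and nobody in control, whereas a second interface keeps the heartbeat flowing through the same outage.

```python
ACTIVE, BACKUP, BLOCKED = "active", "backup", "blocked"
HEARTBEAT_TIMEOUT = 3   # assumed: missed heartbeats before a backup takes over


class ControlServer:
    def __init__(self, name, state, interfaces):
        self.name = name
        self.state = state
        self.interfaces = frozenset(interfaces)   # network interfaces it can use
        self.missed = 0                           # consecutive heartbeats not seen


class Network:
    """A heartbeat gets through if at least one interface shared by both servers
    is not currently disrupted (by ARP spoofing, a cut link, a flooded switch)."""

    def __init__(self, servers):
        self.servers = servers
        self.down = set()

    def reachable(self, a, b):
        return bool((a.interfaces & b.interfaces) - self.down)

    def tick(self):
        # All servers decide on the same snapshot, as they would in real time.
        before = {s.name: s.state for s in self.servers}
        for s in self.servers:
            active_peers = [p for p in self.servers
                            if p is not s and before[p.name] == ACTIVE
                            and self.reachable(s, p)]
            if s.state == BACKUP:
                if active_peers:
                    s.missed = 0
                else:
                    s.missed += 1
                    if s.missed >= HEARTBEAT_TIMEOUT:
                        s.state = ACTIVE      # assume control of the network
            elif s.state == ACTIVE and active_peers:
                s.state = BLOCKED             # another controller seen: refuse to send orders


def simulate(interfaces, disrupted, outage_ticks, settle_ticks=2):
    """Run an outage of `outage_ticks` on the `disrupted` interfaces, restore
    communication, and return each server's final state."""
    servers = [ControlServer("A", ACTIVE, interfaces),
               ControlServer("B", BACKUP, interfaces),
               ControlServer("C", BACKUP, interfaces)]
    net = Network(servers)
    net.down = set(disrupted)
    for _ in range(outage_ticks):
        net.tick()
    net.down.clear()                          # communication restored
    for _ in range(settle_ticks):
        net.tick()
    return {s.name: s.state for s in servers}


if __name__ == "__main__":
    print("one interface :", simulate(["net1"], {"net1"}, HEARTBEAT_TIMEOUT))
    print("two interfaces:", simulate(["net1", "net2"], {"net1"}, HEARTBEAT_TIMEOUT))
```

An outage shorter than the timeout is harmless in both layouts; it is the combination of a single path and an outage longer than the takeover timeout that turns a redundancy feature into a denial of service.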

Another vulnerability discovered, and more critical than the previous one, is that an attacker can perform ARP spoofing between two machines to mount a MITM attack, and very easily disrupt the connection or even capture packets and try to modify and resend them.


With the MITM script, the traffic could be delayed by modifying the advertised TCP window size, to the point of delaying common tasks by more than 40 seconds without ending the connection; this was achieved with a window size of 10 bytes. Decreasing the TCP window below this size made the connection reset, probably because of some TCP or application timer. If the traffic was delayed manually (capturing the packets and waiting some time before forwarding them), the largest delay achieved was about 1.5 seconds.

DoS attacks were attempted, but no disruption or crash was achieved, and repeating packets or modifying their content caused the connection to reset. There is also some intrinsic protection in the protocols used against this kind of attack: for example, TCP and Kerberos provide sequence numbers against replaying, and the latter provides encryption against reading and modifying packets.

Some machines' ports were unprotected and open, and it was possible to scan them for protocol information and more. This could lead to further, more specific attacks, depending on the data available. Also, it was possible to write raw data to and read it from some ports, which could lead to, for example, excessive CPU and RAM consumption or data corruption.

5.3 Active Directory Vulnerabilities

The most critical vulnerability at this stage of the research was that critical servers could be accessed with low-level domain users (with no special permissions). The worst outcome of this is that attackers in possession of some valid credentials could access the servers through Remote Desktop without their own machine needing to be joined to the domain. The next section focuses on attacks performed after accessing machines using this method.

Apart from Remote Desktop, SMB could also be used to get information from the servers in one way or another. Using enum4linux [27] and authenticating as a low-privileged user, a substantial amount of information could be acquired, such as domain names, OS information, share enumeration (with attempts to map the shares), users and their SIDs (the security identifier of each user) and group names.

The most common attack is to find an open share and upload a file through it that allows the infiltration to continue, for example by initiating a remote connection. In this case, all the shares were closed to low-level domain users.

With certain Metasploit modules, information such as the names of the IPC named pipes, a complete list of users and all of the information above could also be found. Using rpcclient, the system's named pipes could be accessed, but authenticating as a low-level user, no substantially useful information could be extracted. Continuing to investigate with this tool (there are many commands available for each of the pipes) was out of the scope of this thesis.

Finally, it was found that user accounts could be locked after several failed login attempts due to restrictive Kerberos policies, requiring manual unlocking. This does not give access to the machines, but it is a great disturbance if done to critical users whose settings are misconfigured.

5.4 Vulnerabilities inside of Windows machines

After creating the client for the servers, it was found that an unauthorized user was able to access services through their interfaces. Some of the commands sent were accepted and some were rejected. In theory, all the commands should have been rejected, and it is unclear at which stage they were rejected, whether right on arrival or after a processing chain. If it were the latter, this processing chain could also be exploited.

With these commands, information such as servers' statuses, names and information about the control system could be requested. Also, some of the objects from the interfaces carried important or useful information in a similar way.

The most critical result found in this section is that a server could be crashed (paralyzing the whole network) by sending a request with a 1000-character string as a parameter. Also, fake messages could be inserted into the users' interface by similar methods. These messages would appear as critical alarms in the software used by the users who control the systems; their content could be any text and they could be sent as many times as wanted. This could disturb or hinder the operators' tasks. Other specific information about this vulnerability is not mentioned to avoid confidentiality concerns.
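The service's real API is not public, so the following Python code is an added, hypothetical model of the design point raised in 5.4 and above: a request from an unauthorized caller must be discarded on arrival, before any processing, and a request with an oversized parameter must never reach the code that can crash on it. The method names, accounts, size bound and the stand-in backend (which raises instead of crashing the process) are all assumptions; `dispatch_late_check` shows the ordering that lets an unauthorized 1000-character request reach the crash-prone stage, `dispatch` the fail-closed ordering, reporting the stage at which a request was dropped so that server logs can show where rejection happened.

```python
MAX_STRING_PARAM = 256   # assumed bound; the real service's limits are not public

# Constructed accounts: which methods each caller may invoke.
AUTHORIZED = {
    "svc_control": {"GetStatus", "SendCommand"},
    "operator1": {"GetStatus"},
}


def backend_send_command(target: str) -> str:
    """Stand-in for the real service logic. Mimics the observed failure: a very
    long parameter takes the service down (here: an exception) if it ever
    reaches this stage."""
    if len(target) > 512:
        raise RuntimeError("service crashed while processing parameter")
    return f"command queued for {target}"


HANDLERS = {
    "GetStatus": lambda: "control server: ACTIVE",
    "SendCommand": backend_send_command,
}


def dispatch_late_check(caller, method, params):
    """Insecure ordering (assumed, to illustrate the finding): the request is
    processed first and authorization is only checked afterwards, so an
    unauthorized caller still reaches the crash-prone code."""
    result = HANDLERS[method](**params)
    if method not in AUTHORIZED.get(caller, set()):
        return ("rejected", "unauthorized")
    return ("accepted", result)


def dispatch(caller, method, params):
    """Fail-closed ordering: authorize, then bound every parameter, and only then
    hand the request to the handler. The rejection reason names the stage."""
    if method not in AUTHORIZED.get(caller, set()):
        return ("rejected", "stage 1: caller not authorized for method")
    for name, value in params.items():
        if isinstance(value, str) and len(value) > MAX_STRING_PARAM:
            return ("rejected", f"stage 2: parameter {name!r} exceeds {MAX_STRING_PARAM} chars")
    return ("accepted", HANDLERS[method](**params))


def crashes_with_late_check(caller, method, params) -> bool:
    """True if the insecure ordering lets the request reach the crashing stage."""
    try:
        dispatch_late_check(caller, method, params)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    long_param = "A" * 1000
    print(dispatch("intruder", "SendCommand", {"target": long_param}))
    print(dispatch("svc_control", "SendCommand", {"target": long_param}))
    print(dispatch("svc_control", "SendCommand", {"target": "pump-7"}))
    print("late check crashes:", crashes_with_late_check("intruder", "SendCommand", {"target": long_param}))
```

The point of returning the stage is the question left open above: when the server logs show "stage 1" for every unauthorized request, the processing chain behind it was never exercised by that caller.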

The same attacks on the servers' interfaces explained before can be performed by running the client code in PowerShell and using the libraries already installed on the system, instead of compiling the C# code on another machine and transferring the files. Exactly the same vulnerabilities and results are obtained.

Looking at the process described in section 4.4 by which customers can write their own modules for the servers, it was concluded that its security measures are strong enough (such as authentication, and the code being interpreted on the fly rather than stored on the server machine). The only way to attack this would be to create clients similar to the previous ones that use this process's API. Because of the scope and the similarity to the previous attacks, this was discontinued and left for future investigation. Some other information is not mentioned in order to maintain confidentiality.

The servers had a CORBA implementation through which other servers or clients could request the ports of specific services, and it was discovered that it could be accessed by any user who found the address and port of this CORBA service. It was also noticed that this information could be located in unprotected files on some systems. This could be used, for example, to intercept the communication of only one service, knowing its ports, or to attack one specific port.

While scanning the machines' files, no passwords were found in, for example, configuration scripts. Additionally, all of the files had the correct permissions and could not be accessed with the low-level account used.

The use of PowerShell Empire was ineffective because of two issues. On one side, this tool is more of a post-exploitation tool: it creates files (stagers) that have to reach the inside of the desired machine somehow and be executed there, creating a reverse connection to the attacker's machine. As far as was researched, it does not provide tools to help this file transfer happen.

The second issue, and the most important, is that, even if these stagers could reach the servers, the machines had a strong antivirus installed which thwarted every attempt to create a connection or execute any malicious file.

5.5 Traceability Matrix

A traceability matrix has been created as a significant amount of attacks have

been performed and it is useful to summarize the results.

Exploitation group, test and result:

Network Attacks
• Nmap port scanning: Success (open ports for getting information).
• Blaster port scanning: Success (open ports for raw reading and writing).
• Firewall inspection: Failed (no flaws).
• Wireshark traffic inspection: Success (can see which ports are used more); Failed (cannot read information from packets).
• ARP spoofing: Success.
• Communication disruption: Success.
• DoS attacks: Failed to crash; success in resetting connections.
• Packet replaying and forging: Failed.
• Traffic delaying (TCP window): Success (up to 40 s per task).
• Forcing server blocking state: Success (if only one interface).

Active Directory Attacks
• Remote Desktop access: Success (if in possession of some credentials).
• SMB scan with enum4linux, smbclient, rpcclient, etc.: Success (if in possession of some credentials; can even get user names and OS information).
• Kerberos attacks (Pass the Ticket, Golden Ticket, etc.): Failed (need previous administrator access).
• Brute forcing passwords: Success (if the goal is to lock the account).
• Kerberos account without pre-authentication: Failed.
• Kerberoasting: Failed.
• psexec, wmiexec, etc.: Failed.

Attacks from inside of Windows machines (no authorization for using the systems)
• API clients, getting information: Success.
• API clients, sending commands: Failed, but some get interpreted.
• API clients, sending messages to users' interfaces: Success.
• API clients, crashing control server: Success.
• Executing C# code in PowerShell: Success.
• Tool for writing own programs: Not continued because of similarity.
• Password lookup: Failed.
• Unauthorized file access: Failed.
• PowerShell Empire: Failed.
• Use of CORBA interface: Success (its information was also stored in plain text).

Table 5.5.1: Traceability matrix for the attacks performed


Chapter 6

Discussion

This chapter presents a discussion of the results, their mitigation, ethical

considerations about the penetration testing process, a review of the

methodology and ideas on future work.

6.1 Results

Several flaws were found in the system, some of them critical, so the hypothesis was proven true. Proofs of concept were created for most vulnerabilities so they could be tested and fixed. These results will help increase the security of the system, both by fixing them and by taking into consideration, in the future, practices that were not thought of previously.

With the network attacks, it has been proven that communication between servers can be easily intercepted and disrupted. Numerous tools exist for this purpose, and one can even create them easily. This is one of the first lines of defense, which means it will receive most of the attacks and must endure them.

Regarding SMB and Active Directory attacks, not many were successful in this project, but some of them returned a significant amount of information which can lead to more specific attacks or give clues about confidential information, such as user names.

It has also been seen that the strength of a system resides in its weakest point, which in this case could be the remote desktop access. If some credentials are obtained through any method, for example social engineering, almost no other security measure could stop access to the servers.

Finally, getting inside a machine is not the end of the penetration test, since there are many different ways to get access and each gives more or less power over other elements. Starting with the least power possible inside the system, it is achievable to affect other systems in critical ways and use processes without being authorized. One example of this is APIs which have not been properly secured.

It has also been proven possible to execute uncompiled code inside the machine using the system's own libraries and PowerShell, which could be limited by applying stricter security measures, such as disabling PowerShell entirely.

It should be noted that some of the results of this project are consciously implemented on the system but are considered vulnerabilities regardless, because they can be exploited to affect the control system.

All of the testing has been done in a virtual scenario and, if it had been done on real-life systems, attackers would have had to go through several security layers, such as firewalls. Because of this, even though the results can be seen as critical, they are always relative to the situation in which the testing was started.

Apart from that, it has been verified that the system is not vulnerable to most of the popular penetration testing tools and it is well protected from common attacks.

As a final note, due to the size and complexity of the system, a considerable amount of time was spent throughout the thesis trying to understand it and figuring out how to attack it. Even with all the help needed from its engineers, more experience with this kind of system would probably have surfaced other vulnerabilities. But, in any case, the scope of the thesis is to attack this control system as an outsider with no specific knowledge of the system, so the vulnerabilities discovered are thought to be representative of a hypothetical real attack.

6.2 Attack Mitigation

Network attacks are the most common type of attack performed once inside a network because, at first, they don't require any other step, such as infiltrating another machine. In the case of the system tested, there are already some measures to mitigate these attacks; for example, Kerberos is used, so messages can't be read because of the encryption and can't be replayed because of the sequence numbers.

Control servers can have more than one interface so their communication cannot be easily interrupted. These interfaces would have to be in separate networks, so an attacker would have to access every network at the same time to disrupt communications, and it's uncommon for a machine to have access to every network. One idea could be to use one network (or as many as needed) only for control servers and another one for communication with the rest of the servers.

Other measures that could be taken for this scenario are implementing tests or checks in the servers' software: for example, checking whether the delay suddenly increases or other uncommon events occur, and using another interface in order to avoid MITM attacks.
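As an added illustration of the delay check suggested above (this is example code written for this discussion, not code from the thesis or its mitm.py script), the monitor below keeps a window of recent round-trip times between two servers, builds a robust baseline from the median and median absolute deviation, and flags a sample that lands far above it. When traffic is relayed through a third machine the added hop shows up as exactly this kind of step in the delay. The RTT values, the window size and the threshold factor are all constructed assumptions.

```python
"""Delay-spike check for a control-server link (added example, not the thesis's code).

Keeps a window of recent round-trip times, derives a robust baseline
(median and median absolute deviation) and alerts when a new sample is
well above it. Samples flagged as spikes are not fed into the baseline,
so a sustained relay does not quietly become the new normal.
"""
from collections import deque
from statistics import median


class DelayMonitor:
    def __init__(self, window=20, k=6.0, min_floor_ms=2.0):
        # window: number of recent samples kept for the baseline (assumed value)
        # k: how many MADs above the median count as a spike (assumed value)
        # min_floor_ms: smallest tolerated excursion, so a perfectly flat
        #               baseline (MAD = 0) does not alert on ordinary jitter
        self.samples = deque(maxlen=window)
        self.k = k
        self.min_floor_ms = min_floor_ms

    def baseline(self):
        """Return (median, mad) of the current window, or None with fewer than 5 samples."""
        if len(self.samples) < 5:
            return None
        med = median(self.samples)
        mad = median(abs(x - med) for x in self.samples)
        return med, mad

    def observe(self, rtt_ms):
        """Feed one RTT sample; return True if it is a delay spike relative to the baseline."""
        base = self.baseline()
        if base is None:
            # Still learning what normal looks like.
            self.samples.append(rtt_ms)
            return False
        med, mad = base
        threshold = med + max(self.k * mad, self.min_floor_ms)
        if rtt_ms > threshold:
            return True
        self.samples.append(rtt_ms)
        return False


def scan_rtts(rtts, **kw):
    """Run the monitor over a list of RTT samples and return the indexes flagged as spikes."""
    mon = DelayMonitor(**kw)
    return [i for i, r in enumerate(rtts) if mon.observe(r)]


# Constructed sample: a stable ~5 ms link, then three samples during which the
# traffic is relayed through another host (~40 ms), then the link recovers.
SAMPLE_RTTS_MS = [5.0, 5.2, 4.9, 5.1, 5.0, 5.3, 4.8, 5.1, 5.0, 5.2,
                  40.0, 41.5, 39.8, 5.1, 5.0]

if __name__ == "__main__":
    print("delay spikes at sample indexes:", scan_rtts(SAMPLE_RTTS_MS))
```

The median/MAD baseline is used instead of mean/standard deviation so that a single spike cannot inflate the threshold for the samples that follow it; in a server this check would sit next to the heartbeat or request timer and trigger the switch to another interface that the text proposes.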

ARP spoofing can be mitigated by using static ARP tables (since the network is unlikely to change continuously), by filtering out packets with conflicting source address information, or by using ARP spoofing detection software that blocks packets that appear to be spoofed, based on their headers.
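The three mitigations just listed can be combined in one detector. The Python below is an added example written for this discussion (not the thesis's code nor any of the tools it cites): it checks each ARP frame against a static table, rejects frames whose Ethernet source MAC disagrees with the ARP sender hardware address they carry, and watches for a mapping that changes or for one MAC answering for several IPs, which is what ARP poisoning looks like on the wire. The addresses, the static entries and the frames are constructed samples.

```python
"""ARP spoofing detector over ARP frames (added example, not the thesis's code).

Applies the defences the text lists: a static ARP table that observed
answers are checked against, a filter for frames whose source address
information conflicts (Ethernet source MAC versus ARP sender MAC), and a
check for one MAC answering for several IPs. Frames are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # Ethernet header source MAC
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str    # ARP target protocol address


class ArpSpoofDetector:
    def __init__(self, static_table: Optional[Dict[str, str]] = None):
        # ip -> mac mappings configured as static ARP entries (assumed correct)
        self.static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
        self.learned: Dict[str, str] = {}       # ip -> first MAC seen answering for it
        self.claimed: Dict[str, Set[str]] = {}  # mac -> IPs it has answered for

    def check(self, f: ArpFrame) -> List[str]:
        """Return the alerts raised by one frame (empty when it looks legitimate)."""
        alerts: List[str] = []
        eth_src, smac = f.eth_src.lower(), f.sender_mac.lower()
        # 1. Header consistency: a genuine stack sends ARP from its own MAC.
        if eth_src != smac:
            alerts.append(f"header mismatch: eth src {eth_src} != arp sender {smac} for {f.sender_ip}")
        # 2. Static table: the announced mapping must equal the configured one.
        expected = self.static_table.get(f.sender_ip)
        if expected is not None and smac != expected:
            alerts.append(f"static table conflict: {f.sender_ip} is {expected}, frame claims {smac}")
        # 3. Dynamic checks on replies only: a mapping that changes, or one MAC
        #    answering for several IPs (the gateway and a host, for instance).
        if f.op == 2:
            first_seen = self.learned.setdefault(f.sender_ip, smac)
            if first_seen != smac:
                alerts.append(f"mapping changed: {f.sender_ip} was {first_seen}, now {smac}")
            ips = self.claimed.setdefault(smac, set())
            ips.add(f.sender_ip)
            if len(ips) > 1:
                alerts.append(f"one MAC answers for several IPs: {smac} -> {sorted(ips)}")
        return alerts

    def filter_frames(self, frames) -> Tuple[List[ArpFrame], List[Tuple[ArpFrame, List[str]]]]:
        """Split frames into accepted ones and (frame, alerts) pairs a blocking filter would drop."""
        accepted: List[ArpFrame] = []
        rejected: List[Tuple[ArpFrame, List[str]]] = []
        for f in frames:
            alerts = self.check(f)
            if alerts:
                rejected.append((f, alerts))
            else:
                accepted.append(f)
        return accepted, rejected


# Constructed static entries: the gateway and one control server.
STATIC_TABLE = {"10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.10": "aa:aa:aa:aa:aa:10"}

# Constructed frames: two legitimate replies, a harmless request from an
# unknown host, a third MAC (cc:...) announcing itself as both the gateway and
# the server, and a reply whose Ethernet source differs from its ARP sender.
SAMPLE_FRAMES = [
    ArpFrame("aa:aa:aa:aa:aa:01", 2, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.10"),
    ArpFrame("aa:aa:aa:aa:aa:10", 2, "aa:aa:aa:aa:aa:10", "10.0.0.10", "10.0.0.1"),
    ArpFrame("bb:bb:bb:bb:bb:50", 1, "bb:bb:bb:bb:bb:50", "10.0.0.50", "10.0.0.1"),
    ArpFrame("cc:cc:cc:cc:cc:cc", 2, "cc:cc:cc:cc:cc:cc", "10.0.0.1", "10.0.0.10"),
    ArpFrame("cc:cc:cc:cc:cc:cc", 2, "cc:cc:cc:cc:cc:cc", "10.0.0.10", "10.0.0.1"),
    ArpFrame("cc:cc:cc:cc:cc:cc", 2, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.10"),
]

if __name__ == "__main__":
    ok, bad = ArpSpoofDetector(STATIC_TABLE).filter_frames(SAMPLE_FRAMES)
    print(f"accepted {len(ok)} frames, rejected {len(bad)}")
    for frame, alerts in bad:
        for a in alerts:
            print(" -", a)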

With respect to the use of user credentials to attack and access servers, there are, at first sight, two possible ways to prevent this. First, non-essential users should not exist in the domain, and there should also be as few essential users as possible. And second, computers and servers should only allow the least possible number of users at the same time, the best situation being just one.

Also, the Active Directory configuration must be checked regularly or, at least, when a new user or group is added to the domain. This is because the more users and groups there are, the more likely it is to make a mistake configuring them or to forget to remove permissions.

Finally, looking at the clients created for attacking the servers, more checks in the servers' software, regarding authentication and who uses the API, should be implemented. It should also be considered whether all the information that is being transferred is necessary.

Practices like keeping libraries and external software updated and building a company culture in which security is one of the main focuses when developing new software will help reduce the number of vulnerabilities present in future systems.

6.3 Methodology

The main focus of the methodology used in this project is not to find or create the most powerful or efficient exploit but to understand how this kind of system works and what its main weaknesses are.

For this, the steps of the Penetration Testing Execution Standard [9] were followed, as explained in section 2.2: first, gathering as much information as possible about the system; creating or, in this case, using an existing threat model; discovering vulnerabilities and developing exploits for them; and, finally, collecting data and reporting the results.

As these steps are broad, they can be used in most penetration tests, but that is also a weakness of the method, because more robust exploits could have been developed following a methodology focused, for example, on Active Directory hacking.

Regarding sources of error, a potential one could have been having the opportunity to ask and get to know about the system as much as needed, instead of having no communication. This can be a source of error because, inadvertently, it might lead to the specific attacks that the person giving the information prefers, instead of discovering vulnerabilities in general.

Another potential source of error is the usage of a virtual system for penetration testing instead of a real one. Even though the virtual scenario is as similar as possible to the real one, vulnerabilities might exist in one of them that the other one doesn't have. Looking into the vulnerabilities discovered in this assessment, it is believed that they can exist in both environments.

6.4 Sustainability and Ethical Considerations

Breaking into systems by discovering flaws can lead to great damage, both economic and personal, if done maliciously or carelessly. Because of this, there is always an ethical part in ethical hacking, and it should be as important as the hacking one.

In this thesis, both parties agreed beforehand on the goals of the research and how to deal with the results, for example, by signing a Non-Disclosure Agreement and preventing the vulnerabilities from being made public. In order to avoid as much potential damage as possible, the results and objective have been anonymized and some of them have been skipped.

Depending on the system, the vulnerabilities found and the country where it is done, it is sometimes illegal to perform these penetration tests, so it must be thought about meticulously before it is attempted.

It is of great importance to communicate the vulnerabilities to the attacked client in the least amount of time possible after the discovery. Failing to do this, and maybe causing some damage, would carry an ethical baggage not easy to dismiss.

Sometimes, releasing the vulnerability results publicly puts more pressure on the vendor to fix them as soon as possible whereas, in other cases, they wouldn't have been fixed. Doing this carries a great risk depending on the target and should be carefully thought through, but it's not the topic of discussion for this thesis.

Looking at the sustainability of ethical hacking, it is a concept that builds on ideas such as justice, equity and how we want society to be for us humans [36]. It is not only about technical fixes but also about how and why we work, how innovation is achieved and how to deal with knowledge.

The hacking methods aim to challenge the status quo of the existing business models, providing an alternate work ethic, with a hands-on approach and openness of information at their core. This leads to collaboration in society to solve problems and create new knowledge.

The same approach could also be taken for tackling the climate crisis, for example, with open data about emissions and transparency on the impact of products and industries. Bringing technology to the people is related to the hands-on approach and helps to close the digital divide, which leads to equity and justice.

6.5 Future Work

As this system is in continuous development, its security will need to be tested from time to time, as well as always checking that the mistakes found in this assessment are not made again. Other penetration tests could focus on other parts of the system, other services, or testing the vulnerabilities in real-world scenarios as well.

For example, these tests could assess the external security of the system, other services or machines which also exist in the network, spoofing servers in functionality and not just communication relaying, or even ideas like DNS or DLL hijacking.

There are companies that specialize in penetration testing and, obviously, with more resources, time and money, more vulnerabilities could be discovered in comparison with this thesis. It is believed that, for the scope and time of this thesis, the results are satisfactory.

Finally, it has been assumed that all software used is up to date and that clients and users are responsible with their passwords and with managing the network. In any case, creating a good-practices manual for final users could be useful for minimizing mistakes when setting up or using the systems.


Chapter 7

Conclusions

Even though a system can seem well secured, there are always vulnerabilities in it, and that should be the main mentality when using, managing and developing for it. The vulnerabilities tested in this assessment are only a fraction of all the vulnerabilities that could exist. For example, hardware vulnerabilities and social engineering could be two interesting paths to research but are not feasible in the scope of this thesis.

The vulnerabilities discovered, for example the Man In The Middle to disrupt connections or the client to crash servers through their interfaces, demonstrate that every single mistake counts and can affect the entire system easily. Attackers with, a priori, little to no power over a network can make use of simple tools and cause huge losses to a company.

Similar exercises in the future will be useful to keep improving the security of the system. It is also recommended to keep up with news and trends related to security, as well as building a company culture that takes security into its main priorities, especially when dealing with critical systems.

Bibliography

[1] Hodge, Rae. Zoom Security Issues: Timeline. URL: https://www.cnet.com/news/zoom-security-issues-zoom-buys-security-company-aims-for-end-to-end-encryption/ (visited on 05/17/2020).

[2] Winder, Davey. Cyber Attacks Against Hospitals. URL: https://www.forbes.com/sites/daveywinder/2020/04/08/cyber-attacks-against-hospitals-fighting-covid-19-confirmed-interpol-issues-purple-alert/ (visited on 05/17/2020).

[3] Common Vulnerabilities and Exposures (CVE). URL: https://cve.mitre.org/ (visited on 02/18/2020).

[4] Schatz, Daniel, Bashroush, Rabig, and Wall, Julie. "Towards a More Representative Definition of Cyber Security". In: JDFSL 12.2 (2017). URL: https://commons.erau.edu/jdfsl/vol12/iss2/8/.

[5] Lord, Nate (DigitalGuardian). What is Cyber Security? URL: https://digitalguardian.com/blog/what-cyber-security (visited on 04/02/2020).

[6] Walkowski, Debbie. What Is The CIA Triad? 2019. URL: https://www.f5.com/labs/articles/education/what-is-the-cia-triad (visited on 02/21/2020).

[7] NIST. URL: https://csrc.nist.gov/ (visited on 02/23/2020).

[8] DOI, US. Penetration testing. URL: https://www.doi.gov/ocio/customers/penetration-testing (visited on 07/05/2020).

[9] PTES. The penetration testing execution standard. URL: http://www.pentest-standard.org/ (visited on 02/18/2020).

[10] Wikipedia. OSI Model. URL: https://en.wikipedia.org/wiki/OSI_model (visited on 02/17/2020).

[11] Information Sciences Institute. Transmission Control Protocol. RFC 793. RFC Editor, Sept. 1981, pp. 1–89. URL: https://tools.ietf.org/html/rfc793.

[12] Plummer, David C. An Ethernet Address Resolution Protocol. RFC 826. RFC Editor, Nov. 1982, pp. 1–8. URL: https://tools.ietf.org/html/rfc826.

[13] Wikipedia. Man-in-the-middle attack. URL: https://en.wikipedia.org/wiki/Man-in-the-middle_attack (visited on 02/20/2020).

[14] Sun Microsystems, Inc. RPC: Remote Procedure Call. RFC 1057. RFC Editor, June 1988, pp. 1–25. URL: https://tools.ietf.org/html/rfc1057.

[15] Microsoft. Windows Authentication. URL: https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview (visited on 04/15/2020).

[16] Microsoft. Active Directory. URL: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview (visited on 03/04/2020).

[17] RedHat. System Security Services Daemon. URL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-introduction (visited on 04/26/2020).

[18] MIT. Kerberos. URL: https://web.mit.edu/kerberos/ (visited on 02/15/2020).

[19] Microsoft. Microsoft SMB Protocol and CIFS Protocol Overview. URL: https://docs.microsoft.com/es-es/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview?redirectedfrom=MSDN (visited on 07/05/2020).

[20] Team, Samba. Samba. URL: https://www.samba.org/ (visited on 05/05/2020).

[21] Kohnfelder, Loren and Garg, Praerit. The threats to our products. URL: https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx (visited on 03/19/2020).

[22] Rapid7. Metasploit. URL: https://www.metasploit.com/ (visited on 03/19/2020).

[23] Lyon, Gordon. Nmap. URL: https://nmap.org/ (visited on 03/21/2020).

[24] Will, Justin Warner and Nelson, Matt. Powershell Empire. URL: https://www.powershellempire.com/ (visited on 03/21/2020).

[25] Combs, Gerald. Wireshark. URL: https://www.wireshark.org/ (visited on 03/21/2020).

[26] Team, Samba. SMBclient. URL: https://www.samba.org/samba/docs/current/man-html/smbclient.1.html (visited on 04/26/2020).

[27] Lowe, Mark. Enum4Linux. URL: https://tools.kali.org/information-gathering/enum4linux (visited on 04/26/2020).

[28] byt3bl33d3r. CrackMapExec. URL: https://github.com/byt3bl33d3r/CrackMapExec (visited on 04/26/2020).

[29] Team, Samba. RPCclient. URL: https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html (visited on 04/26/2020).

[30] Wikipedia. Responsible disclosure. URL: https://en.wikipedia.org/wiki/Responsible_disclosure (visited on 03/25/2020).

[31] Conde Ortiz, Daniel. Man In The Middle Script. URL: https://github.com/DanielCondeOrtiz/PenetrationTesting/blob/master/mitm.py (visited on 05/17/2020).

[32] Friedl, Steve. NBTscan. URL: http://www.unixwiz.net/tools/nbtscan.html (visited on 04/26/2020).

[33] Evans, Shawn. SMBMap. URL: https://github.com/ShawnDEvans/smbmap (visited on 04/26/2020).

[34] Secureauth. impacket. URL: https://github.com/SecureAuthCorp/impacket (visited on 04/27/2020).

[35] Moreau, Marc-André. FreeRDP. URL: https://www.freerdp.com/ (visited on 04/02/2020).

[36] Zapico Lamela, Jorge Luis. "Hacker Ethic, Openness, and Sustainability". In: (2013). URL: http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-635998.

www.kth.se

TRITA-EECS-EX-2020:662