Pen Test Report - SK


Upload: stephen-kerr

Post on 11-Aug-2015


Page 1: Pen Test Report - SK

EXECUTIVE SUMMARY

A penetration test will be performed against the email server located in the Edinburgh branch of GCU Design Consultants. This penetration test will simulate an actual cyber-attack as closely as possible and will be performed during GCU Design Consultants' working hours.

A black box testing strategy will be used during this test. This means that the only information we will be given is the IP address of the email server. GCU Design Consultants have a low external web presence, with their email server being one of the few systems that someone on an external network can reach. For this reason the email server will be the focus of this penetration test.

This test will have two key goals:

1. Attempting to gain access by cracking the passwords of authenticated users.

2. Attempting to gain access by exploiting vulnerabilities located on the server.

After we have accessed the server, we can attempt to gain admin-level privileges in order to obtain sensitive information and to install backdoors to maintain future access.

The advantage of performing the test during working hours is that we can determine whether staff detect that an attack is taking place, and how they react should an intrusion be detected. We can also determine how much sensitive information is publicly available that could assist a malicious user in mounting an attack, and provide steps to resolve any issues that could otherwise result in a future security breach.

The main risk is that the activities performed could cause systems to fail or data to become corrupted. We consider this a necessary step in securing the long-term integrity of the company's systems, and all precautionary steps will be taken to ensure the systems are in working order once the test is complete. A further risk is that the documentation we compile regarding the weaknesses of the systems could fall into the wrong hands, with potentially disastrous consequences; proper care must therefore be taken to handle all documentation securely.

The results of the penetration test will be provided as one of the deliverables. All deliverables (this report included) will be provided to a small number of nominated individuals employed by GCU Design Consultants and hand-delivered to them at an agreed location. A back-up copy will be encrypted and stored on a server at our head office; this back-up will be erased once the report has been delivered, to ensure the information remains confidential.

LEGAL & ETHICAL FRAMEWORK

There is legislation that needs to be taken into account before we undertake the penetration test. This is to ensure that we are aware of what constitutes illegal activity on our part, and to obtain the permission required from the customer, since every activity described below is an offence only when it is unauthorised. The legislation and sections relevant to the activities we will be performing are as follows:

COMPUTER MISUSE ACT 1990

1) Unauthorised access to computer material.

(1)A person is guilty of an offence if—

(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;

(b)the access he intends to secure, or to enable to be secured, is unauthorised; and

(c)he knows at the time when he causes the computer to perform the function that that is the case.

(2)The intent a person has to have to commit an offence under this section need not be directed at—

(a)any particular program or data;

(b)a program or data of any particular kind; or

(c)a program or data held in any particular computer.

(3)A person guilty of an offence under this section shall be liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;

(c)on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

2) Unauthorised access with intent to commit or facilitate commission of further offences.

(1)A person is guilty of an offence under this section if he commits an offence under section 1 above (“the unauthorised access offence”) with intent—

(a)to commit an offence to which this section applies; or

(b)to facilitate the commission of such an offence (whether by himself or by any other person); and the offence he intends to commit or facilitate is referred to below in this section as the further offence.

(2)This section applies to offences—

(a)for which the sentence is fixed by law; or

(b)for which a person who has attained the age of twenty-one years (eighteen in relation to England and Wales) and has no previous convictions may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the Magistrates’ Courts Act 1980).

(3)It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.

(4)A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

(5)A person guilty of an offence under this section shall be liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;

(c)on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

3) Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

(1)A person is guilty of an offence if—

(a)he does any unauthorised act in relation to a computer;

(b)at the time when he does the act he knows that it is unauthorised; and

(c)either subsection (2) or subsection (3) below applies.

(2)This subsection applies if the person intends by doing the act—

(a)to impair the operation of any computer;

(b)to prevent or hinder access to any program or data held in any computer;

(c)to impair the operation of any such program or the reliability of any such data; or

(d)to enable any of the things mentioned in paragraphs (a) to (c) above to be done.

(3)This subsection applies if the person is reckless as to whether the act will do any of the things mentioned in paragraphs (a) to (d) of subsection (2) above.

(4)The intention referred to in subsection (2) above, or the recklessness referred to in subsection (3) above, need not relate to—

(a)any particular computer;

(b)any particular program or data; or

(c)a program or data of any particular kind.

(5)In this section—

(a)a reference to doing an act includes a reference to causing an act to be done;

(b)“act” includes a series of acts;

(c)a reference to impairing, preventing or hindering something includes a reference to doing so temporarily.

(6)A person guilty of an offence under this section shall be liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;

(c)on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.

3A) Making, supplying or obtaining articles for use in offence under section 1 or 3

(1)A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

(2)A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

(3)A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.

(4)In this section “article” includes any program or data held in electronic form.

(5)A person guilty of an offence under this section shall be liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;

(c)on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

POLICE & JUSTICE ACT 2006

37) Making, supplying or obtaining articles for use in computer misuse offences

After section 3 of the 1990 Act there is inserted—

“3A) Making, supplying or obtaining articles for use in offence under section 1 or 3

(1)A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

(2)A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.

(3)A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.

(4)In this section “article” includes any program or data held in electronic form.

(5)A person guilty of an offence under this section shall be liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both;

(c)on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.”

38) Transitional and saving provision

(1)The amendments made by—

(a)subsection (2) of section 35, and

(b)paragraphs 19(2), 25(2) and 29(2) of Schedule 14, apply only where every act or other event proof of which is required for conviction of an offence under section 1 of the 1990 Act takes place after that subsection comes into force.

(2)The amendments made by—

(a)subsection (3) of section 35, and

(b)paragraphs 23, 24, 25(4) and (5), 26, 27(2) and (7) and 28 of Schedule 14, do not apply in relation to an offence committed before that subsection comes into force.

(3)An offence is not committed under the new section 3 unless every act or other event proof of which is required for conviction of the offence takes place after section 36 above comes into force.

(4)In relation to a case where, by reason of subsection (3), an offence is not committed under the new section 3—

(a)section 3 of the 1990 Act has effect in the form in which it was enacted;

(b)paragraphs 19(3), 25(3) to (5), 27(4) and (5) and 29(3) and (4) of Schedule 14 do not apply.

(5)An offence is not committed under the new section 3A unless every act or other event proof of which is required for conviction of the offence takes place after section 37 above comes into force.

(6)In the case of an offence committed before section 154(1) of the Criminal Justice Act 2003 (c. 44) comes into force, the following provisions have effect as if for “12 months” there were substituted “six months”:

(a)paragraph (a) of the new section 1(3);

(b)paragraph (a) of the new section 2(5);

(c)subsection (6)(a) of the new section 3;

(d)subsection (5)(a) of the new section 3A.

(7)In this section—

(a)“the new section 1(3)” means the subsection (3) substituted in section 1 of the 1990 Act by section 35 above;

(b)“the new section 2(5)” means the subsection (5) substituted in section 2 of the 1990 Act by paragraph 17 of Schedule 14 to this Act;

(c)“the new section 3” means the section 3 substituted in the 1990 Act by section 36 above;

(d)“the new section 3A” means the section 3A inserted in the 1990 Act by section 37 above.

METHODOLOGY & RESOURCES

PREPARATION PHASE

We need to acquire a list of users who have login credentials for the email server. One useful source of information is the target's website. Many company websites publish contact details for members of staff, such as names and email addresses, and this may include members of the IT and admin departments, who will have the highest level of authorisation. One problem with this is that if we visit the website our requests will be logged on GCU Design Consultants' web server. A way to mitigate this is to read Google's cached copies of the pages instead: Google stores a snapshot of each page it indexes, so we can gather the necessary information from the cached copy without our visit appearing in the target's logs (bearing in mind that the cached copy may be out of date).

An alternative method of gaining information about employees is to search for them on social media sites such as LinkedIn and Facebook. Many people don't pay attention to their privacy settings and unwittingly divulge information such as the company they work for, the systems they operate and how important their job role is. Rather than manually searching every web page for information that may pertain to an employee, we can search only for relevant information and filter out undesired results. This will be achieved with Google hacking, which uses Google's advanced search operators to produce very specific results. Google's default algorithm returns a broad range of results for a query, so a user could spend a great deal of time looking for very specific information. With advanced operators a user can restrict a query to a string in a specific location (e.g. with site:gcu.ac.uk only pages from gcu.ac.uk are returned), filtering out undesired results and providing only those that are pertinent. In our case we will use advanced operators to look for people who currently or previously worked for GCU Design Consultants, to determine whether any sensitive information is available to view.

After gaining a list of employee names and their job roles, we can create a list of usernames to feed to Hydra for a dictionary attack. The local part of an email address (the part before the @) or the employee's name is usually the username or a variation of it, so we can generate candidate usernames from the employee information gathered.
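The username generation described above, as an added example that is not part of the original report. The staff names and email local parts in the script are constructed sample data, not real GCU Design Consultants employees; the naming conventions tried are the common ones (first.last, flast, lastf and so on), and the output is intended to be written to a file and passed to Hydra with its -L option.

```python
"""Generate candidate usernames from staff names gathered during reconnaissance.

Added example (not part of the original report).  The employee names used in
the demo are constructed sample data.  Output is meant for Hydra's -L option.
"""
import re
import unicodedata


def normalise(part: str) -> str:
    """Lower-case a name part and strip accents, apostrophes and hyphens
    (O'Brien -> obrien, Müller -> muller) so it matches typical login names."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def normalise_email_local(local: str) -> str:
    """E-mail local parts are kept almost verbatim: the login name is very
    often exactly the part before the '@'."""
    return re.sub(r"[^a-z0-9._-]", "", local.lower())


def candidates(full_name: str) -> list[str]:
    """Return the common username conventions for one person; first name and
    surname are the first and last whitespace-separated tokens."""
    tokens = [t for t in (normalise(t) for t in full_name.split()) if t]
    if len(tokens) < 2:
        return tokens                      # single-word names: use as-is
    first, last = tokens[0], tokens[-1]
    forms = [
        f"{first}.{last}",                 # john.smith
        f"{first}{last}",                  # johnsmith
        f"{first[0]}{last}",               # jsmith
        f"{first}{last[0]}",               # johns
        f"{last}{first[0]}",               # smithj
        f"{first}_{last}",                 # john_smith
        f"{last}.{first}",                 # smith.john
        first,                             # john
        last,                              # smith
    ]
    return list(dict.fromkeys(forms))      # keep order, drop duplicates


def username_list(names, email_local_parts=()) -> list[str]:
    """Deduplicated candidate list from names plus harvested e-mail local parts."""
    out = []
    for name in names:
        out.extend(candidates(name))
    out.extend(normalise_email_local(lp) for lp in email_local_parts)
    return list(dict.fromkeys(u for u in out if u))


if __name__ == "__main__":
    # constructed sample of what the website / LinkedIn searches might yield
    staff = ["John Smith", "Aoife O'Brien", "Hans Müller", "Cher"]
    emails = ["j.smith", "it.support"]
    for user in username_list(staff, emails):
        print(user)
```

Each candidate costs a full pass over the wordlist, so the list should be pruned to the two or three conventions actually observed in harvested email addresses before it is handed to Hydra.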

To determine whether there is a mechanism for us to log in to the server we scan for open ports. Using Kali Linux we will run nmap against the server's IP address to obtain a list of open ports. Nmap is a very powerful tool that not only lists open ports but, with service detection (-sV) and OS detection (-O) enabled, also identifies the software version behind each port and the likely operating system. Nmap offers a variety of scan types through switches, such as TCP connect scans and SYN scans; since we already know the IP address of the target we need no host-discovery options, but we will still use -sV and -O because the version information is what the vulnerability scan and exploit selection key off (the default scan covers the 1,000 most common TCP ports; -p- covers all 65,535). After obtaining the list of running services we can determine the scope of potential attack vectors and focus on the most exploitable ports. On an email server we expect SMTP (25/587), POP3 (110/995) and IMAP (143/993); in this case we are particularly looking for the SSH port (22), as we will attempt to access the server as an authorised user by logging on over SSH.
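Interpreting the scan results, as an added example that is not part of the original report: a parser for nmap's grepable (-oG) output that keeps only open ports and ranks them for the two goals of the test. The scan output embedded in the script is constructed (203.0.113.10 is a documentation address and the versions shown are illustrative), written in the layout nmap uses for its Ports field, and is not a real scan result.

```python
"""Parse nmap grepable output (-oG) and pick out login services and mail
services from the open ports.

Added example, not from the original report.  SAMPLE_GNMAP is constructed
(203.0.113.10 is a documentation address) in the layout nmap writes for
    nmap -sV -O -oG mailserver.gnmap <target>
and is not a real scan result.
"""

SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated Tue Aug 11 10:02:11 2015 as: nmap -sV -O -oG mailserver.gnmap 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1 Debian 5 (protocol 2.0)/, 25/open/tcp//smtp//Postfix smtpd/, 80/closed/tcp//http///, 110/open/tcp//pop3//Dovecot pop3d/, 143/open/tcp//imap//Dovecot imapd/, 993/open/tcp//ssl|imap//Dovecot imapd/\tIgnored State: closed (994)\tOS: Linux 3.2 - 3.16
# Nmap done -- 1 IP address (1 host up) scanned in 21.42 seconds
"""

# services that take a username/password, i.e. targets for the Hydra stage
LOGIN_SERVICES = {"ssh", "pop3", "imap", "smtp", "ftp", "telnet", "http"}


def parse_gnmap(text: str) -> dict:
    """Return {host: {"os": str|None, "ports": [(port, proto, service, version)]}}
    with open ports only.  Each item in the Ports field has the fixed layout
    port/state/proto/owner/service/rpcinfo/version/ ; fields are tab-separated."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        entry = hosts.setdefault(host, {"os": None, "ports": []})
        if "OS" in fields:
            entry["os"] = fields["OS"]
        for item in fields.get("Ports", "").split(", "):
            parts = item.split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            port, _state, proto, _owner, service, _rpc, version = parts[:7]
            # nmap writes TLS-wrapped services as "ssl|imap"; keep the base name
            entry["ports"].append((int(port), proto, service.replace("ssl|", ""), version))
    return hosts


def login_targets(hosts: dict) -> list:
    """Open ports on which a dictionary attack could be run, SSH first."""
    out = []
    for host, info in hosts.items():
        for port, proto, service, version in info["ports"]:
            if service in LOGIN_SERVICES:
                out.append((host, port, service, version))
    return sorted(out, key=lambda t: (t[2] != "ssh", t[1]))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, info in scan.items():
        print(host, "OS guess:", info["os"])
        for p in info["ports"]:
            print("  ", *p)
    print("login services:", login_targets(scan))
```

The version strings are the part worth keeping: they are what the Nessus results are matched against, and a mail server that exposes only the TLS ports (993/995) will need Hydra's TLS-aware module names rather than the plain imap/pop3 ones.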

Next, we want to ascertain which vulnerabilities may be present on the server. To do this we will run a vulnerability scan using Nessus. Nessus is a vulnerability scanner that produces a comprehensive list of the vulnerabilities on a system that could be used for exploitation, and ranks them from most to least critical. This lets us focus on the most exploitable vulnerabilities and removes much of the trial and error involved in exploitation. Scanner findings are not proof of exploitability, so each candidate will be confirmed during the exploitation phase.

EXPLOITATION PHASE

With the list of usernames acquired during the preparation phase, we can begin password cracking with Hydra. Hydra is a network login cracker that performs dictionary attacks by trying combinations of usernames and passwords against a login service. Hydra takes wordlists, which are pre-compiled lists of words tried from top to bottom: each word in the wordlist is submitted as the password for each username. If one of the words is a valid password for a particular username, Hydra reports that username and password pair. We will use a customised wordlist of over 900,000 entries to maximise the chance of success. This is a noisy and slow approach: every attempt is a failed login in the server's logs, and 900,000 guesses per user against SSH will take a very long time, so it also serves as a test of whether staff notice the failed logins.

After Hydra has completed its run we will know whether we have cracked the login credentials for a user. If we are unsuccessful, it may be that we did not supply valid usernames or that the wordlist did not contain a valid password. For the purposes of this report it will be assumed that we obtained a valid username and password pair.
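The defender's side of this stage, as an added example that is not part of the original report: the executive summary wants to know whether staff detect the attack, and the signal is the burst of failed SSH logins that Hydra leaves in the server's syslog. The log lines below are constructed (198.51.100.7 and 192.0.2.44 are documentation addresses) in the format sshd writes to /var/log/auth.log on Debian-based systems; the threshold, window and year are assumptions.

```python
"""Spot an SSH dictionary attack in sshd's syslog output and flag the moment
it succeeds.

Added example, not part of the original report.  SAMPLE_AUTH_LOG is
constructed (documentation addresses); FAIL_THRESHOLD, WINDOW_SECONDS and
LOG_YEAR are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Aug 11 10:15:01 mail sshd[2041]: Failed password for invalid user jsmith from 198.51.100.7 port 51012 ssh2
Aug 11 10:15:01 mail sshd[2042]: Failed password for invalid user jsmith from 198.51.100.7 port 51013 ssh2
Aug 11 10:15:02 mail sshd[2043]: Failed password for john.smith from 198.51.100.7 port 51014 ssh2
Aug 11 10:15:02 mail sshd[2044]: Failed password for john.smith from 198.51.100.7 port 51015 ssh2
Aug 11 10:15:03 mail sshd[2045]: Failed password for john.smith from 198.51.100.7 port 51016 ssh2
Aug 11 10:15:04 mail sshd[2047]: Failed password for root from 198.51.100.7 port 51018 ssh2
Aug 11 10:15:05 mail CRON[2048]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 11 10:15:06 mail sshd[2049]: Accepted password for john.smith from 198.51.100.7 port 51020 ssh2
Aug 11 10:17:30 mail sshd[2099]: Failed password for alice from 192.0.2.44 port 40010 ssh2
Aug 11 10:17:41 mail sshd[2101]: Accepted publickey for alice from 192.0.2.44 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5      # failures ...
WINDOW_SECONDS = 60     # ... within this many seconds from one source
LOG_YEAR = 2015         # syslog timestamps carry no year (assumed)


def parse_line(line: str):
    """(timestamp, result, method, user, source) for sshd auth lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["src"]


def detect_bruteforce(lines) -> list:
    """A source that reaches FAIL_THRESHOLD failed logins inside WINDOW_SECONDS
    is reported once as ('bruteforce', src, users_tried); any later password
    login accepted from that source is reported as ('compromise', src, user)."""
    recent = defaultdict(deque)       # src -> timestamps of recent failures
    tried = defaultdict(set)          # src -> usernames attempted
    flagged, alerts = set(), []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, result, method, user, src = parsed
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            tried[src].add(user)
            while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()           # slide the window forward
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, sorted(tried[src])))
        elif result == "Accepted" and method == "password" and src in flagged:
            alerts.append(("compromise", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(*alert)
```

The second alert type is the one that matters: a successful password login from a source that was guessing moments earlier is the cracked account, and a key-based login from an unflagged address (alice above) is left alone so the rule does not page on normal administration.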

Now that we have login credentials, we can log in to the server via SSH and see what level of authorisation the user has. Ideally we would like administrative access in order to obtain as much sensitive information as possible about the company, but this may not be possible depending on the privileges of the user we have logged in as. This is where privilege escalation comes into play.

For the purposes of this report, let us assume that we have logged in not as a system administrator but as a regular user. While we could still see some information, we would be restricted from viewing all content, especially sensitive information. It is usually the system administrator who can access all the information a system holds, so we would have to obtain the credentials of the most privileged user, which on a Linux server is root.

As a user we can read /etc/passwd, which lists every account with its numeric IDs, home directory and shell. The password hashes themselves live in /etc/shadow, which on a correctly configured system is readable only by root (and the shadow group), so as a regular user we would need a permissions mistake, a world-readable backup copy or a local privilege-escalation flaw to obtain it. The passwords in /etc/shadow are not encrypted but hashed with a salted, iterated algorithm (md5crypt, sha256crypt or sha512crypt, identified by the $1$, $5$ or $6$ prefix), so they cannot be reversed, only guessed. To crack them we can use John the Ripper, a password cracker that supports a large number of hash formats. First we save copies of /etc/passwd and /etc/shadow and merge them with the unshadow command, which produces the passwd-style file John expects with the hash in place of the x. John is then run against that file with a wordlist, as with Hydra, in order to recover the root password. If this succeeds we can log in as root and therefore own the system.
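The unshadow merge, a triage of which accounts are worth cracking, and a wordlist attack carried through on the md5crypt ($1$) format, as an added example that is not part of the original report and not John the Ripper's own code. Both files are constructed sample data: the root hash is generated at import time from the password "Summer2015" by the md5crypt() function below (so the attack is self-checking), and the $6$ value is a placeholder rather than a real hash. md5crypt is shown because it is short enough to reproduce; sha512crypt, the default on the Linux distributions of the time, has the same salt-and-iterate structure and is handled by John in the same way.

```python
"""unshadow merge, hash triage and a wordlist attack on md5crypt ($1$) hashes.

Added example (not from the original report or from John the Ripper).  Both
files are constructed: the root hash is generated at import time from the
password "Summer2015" by md5crypt() below, and the $6$ value is a placeholder.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_TYPES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
              "$6$": "sha512crypt", "$y$": "yescrypt"}


def _to64(value: int, n: int) -> str:
    """crypt(3)'s base64 variant: n characters, least significant bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password: bytes, salt: bytes) -> str:
    """md5crypt as in FreeBSD/glibc: salt of up to 8 bytes, 1000 rounds."""
    magic, salt = b"$1$", salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):          # mix in len(pw) bytes of alt
        ctx.update(alt[:min(pl, 16)])
    i = len(password)
    while i:                                         # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # the stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return (magic + salt).decode() + "$" + out + _to64(final[11], 2)


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Replace the 'x' in each /etc/passwd line with the hash from /etc/shadow,
    giving the name:hash:uid:gid:gecos:home:shell lines John reads."""
    shadow = {l.split(":")[0]: l.split(":")[1]
              for l in shadow_text.splitlines() if l and not l.startswith("#")}
    merged = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            f[1] = shadow.get(f[0], f[1])
            merged.append(":".join(f))
    return merged


def triage(merged: list) -> dict:
    """account -> 'no password' | 'locked' | hash type, so cracking effort goes
    only to accounts that have a hash and can actually log in."""
    status = {}
    for line in merged:
        name, h = line.split(":")[:2]
        if h == "":
            status[name] = "no password"
        elif h[0] in "!*":
            status[name] = "locked"
        else:
            status[name] = next((t for p, t in HASH_TYPES.items() if h.startswith(p)), "unknown")
    return status


def crack_md5crypt(merged: list, wordlist: list) -> dict:
    """Wordlist attack on every $1$ entry, using each account's own salt."""
    found = {}
    for line in merged:
        name, h = line.split(":")[:2]
        if h.startswith("$1$"):
            salt = h.split("$")[2].encode()
            for word in wordlist:
                if md5crypt(word.encode(), salt) == h:
                    found[name] = word
                    break
    return found


ROOT_HASH = md5crypt(b"Summer2015", b"k3Ql2pX9")   # constructed, see module docstring

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john.smith:x:1001:1001:John Smith:/home/john.smith:/bin/bash
aoife:x:1002:1002:Aoife O'Brien:/home/aoife:/bin/bash
"""
SAMPLE_SHADOW = f"""\
root:{ROOT_HASH}:16658:0:99999:7:::
daemon:*:16658:0:99999:7:::
john.smith:$6$c0nstructed$notARealHashJustAPlaceholder:16658:0:99999:7:::
aoife:!:16658:0:99999:7:::
"""
WORDLIST = ["password", "123456", "Summer2015", "letmein"]   # constructed stand-in

if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(triage(merged))
    print(crack_md5crypt(merged, WORDLIST))
```

The 1000 MD5 rounds per guess are the point: a 900,000-word list costs nearly a billion MD5 operations per account, which is why John's speed and the triage step (skipping locked and passwordless accounts) matter, and why sha512crypt with 5000 rounds is slower still.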

The next step is to determine whether we can access the server by exploiting vulnerabilities. We will perform this step using Metasploit, an open-source framework that provides exploits and payloads giving remote unauthorised access to a system, together with a searchable database of exploits. Using the results of the Nessus scan we can search for an exploit matching a vulnerability that was found. Various payloads establish a remote connection to the victim machine, resulting in either a bind shell (the target listens and we connect in) or a reverse shell (the target connects back to us). A plain shell payload has limitations: it spawns a new process such as /bin/sh, which makes our presence more noticeable, and it offers nothing beyond what that shell can do, so transferring files, pivoting and escalating privileges must all be done by hand. For this reason we would aim to gain access with Meterpreter, a payload that is staged in memory within the exploited process and provides an interactive command shell together with built-in commands for uploading and downloading files, capturing keystrokes, routing through the compromised host and escalating privileges. It allows us to work as if we were directly connected to the victim machine.

Once access has been obtained, a variety of actions can be taken to extract information from the server. The information to be targeted is detailed in the post-assessment phase.

POST ASSESSMENT PHASE

With the server fully compromised, this is the opportunity to collect as much information as we can about the internal infrastructure of GCU Design Consultants. This is known as infrastructure analysis. The following will be investigated in order to obtain detailed information about GCU Design Consultants' internal network:

Interfaces: All the networking interfaces being used on the machine will be investigated, along with their IP addresses, subnet masks and gateways. This would identify any networks and services that could be targeted.

Routing: The routing table is investigated to establish a range of potential target networks.

DNS Servers: All DNS servers in use will be identified. Ultimately the target is the DNS database itself, as this provides key information about hosts and services in use, giving us additional targets for potential exploitation.

Cached DNS Entries: In DNS cache entries, there may be highly-valued information to be found, such as intranet login pages or management interfaces.

ARP Entries: The ARP cache could be investigated. Any static entries usually indicate an entry for a critical machine which would definitely warrant further investigation.

Listening Services: All networking services provided by the target machine will be identified. This could potentially result in the discovery of services that were not found during the initial scan, as well as the discovery of other hidden hosts and networks.

Directory Services: If the server has directory services in operation, there may be scope to gain information regarding user accounts, hosts or services via enumeration. Any information regarding users in particular can assist with social engineering attacks.

Neighbours: Protocols like CDP and LLDP can be used to identify neighbours that are directly connected to the host or are in the same subnet.
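The routing and ARP items from the list above, carried through on a Linux host as an added example that is not part of the original report: the kernel exposes both tables under /proc, and decoding them directly avoids depending on which tools are installed on the compromised server. The two /proc dumps in the script are constructed (10.20.0.0/24 and 10.30.0.0/16 are private ranges chosen for the example); on a real host they would be replaced by the contents of /proc/net/route and /proc/net/arp. The byte-order handling assumes a little-endian host, which covers x86 and most ARM deployments.

```python
"""Decode /proc/net/route and /proc/net/arp to list gateways, reachable
subnets and statically mapped hosts, the next targets after a compromise.

Added example, not from the original report.  SAMPLE_ROUTE and SAMPLE_ARP are
constructed; read /proc/net/route and /proc/net/arp on a real host.  Address
decoding assumes a little-endian host (x86, ARM).
"""
import socket
import struct

SAMPLE_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t0100140A\t0003\t0\t0\t0\t00000000\t0\t0\t0
eth0\t0000140A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
eth0\t00001E0A\tFE00140A\t0003\t0\t0\t0\t0000FFFF\t0\t0\t0
"""

SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.20.0.1        0x1         0x2         00:50:56:ab:cd:ef     *        eth0
10.20.0.254      0x1         0x6         00:0c:29:11:22:33     *        eth0
10.20.0.77       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

RTF_UP, RTF_GATEWAY = 0x1, 0x2          # from <linux/route.h>
ATF_COM, ATF_PERM = 0x2, 0x4            # from <linux/if_arp.h>


def hex_to_ip(h: str) -> str:
    """/proc/net/route stores addresses as 32-bit hex in host byte order, which
    on a little-endian host is the dotted quad reversed."""
    return socket.inet_ntoa(struct.pack("<L", int(h, 16)))


def routes(text: str) -> list:
    """(destination/prefix, gateway or None, iface) for each route that is up."""
    out = []
    for line in text.splitlines()[1:]:
        iface, dest, gw, flags, _r, _u, _m, mask = line.split()[:8]
        flags = int(flags, 16)
        if not flags & RTF_UP:
            continue
        prefix = bin(int(mask, 16)).count("1")
        gateway = hex_to_ip(gw) if flags & RTF_GATEWAY else None
        out.append((f"{hex_to_ip(dest)}/{prefix}", gateway, iface))
    return out


def arp_entries(text: str) -> list:
    """(ip, mac, state) with state 'static' (ATF_PERM set), 'dynamic' or
    'incomplete'; the static entries are the ones worth a closer look."""
    out = []
    for line in text.splitlines()[1:]:
        ip, _hw, flags, mac, _mask, _dev = line.split()
        flags = int(flags, 16)
        state = "static" if flags & ATF_PERM else "dynamic" if flags & ATF_COM else "incomplete"
        out.append((ip, mac, state))
    return out


def next_targets(route_text: str, arp_text: str) -> list:
    """Gateways, reachable subnets and statically mapped hosts, deduplicated."""
    targets = []
    for dest, gw, _ in routes(route_text):
        if gw:
            targets.append(("gateway", gw))
        if dest != "0.0.0.0/0":
            targets.append(("subnet", dest))
    for ip, _mac, state in arp_entries(arp_text):
        if state == "static":
            targets.append(("static-arp host", ip))
    return list(dict.fromkeys(targets))


if __name__ == "__main__":
    for kind, value in next_targets(SAMPLE_ROUTE, SAMPLE_ARP):
        print(f"{kind:16} {value}")
```

In the sample the host 10.20.0.254 appears twice, once as the gateway to 10.30.0.0/16 and once as a static ARP entry; a machine that an administrator has pinned in the ARP cache and that also routes to another subnet is exactly the kind of critical box the ARP item above is meant to surface.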

Next, we aim to extract as much sensitive data from the server as we can. This is known as pillaging. The items to be pillaged are as follows:

Startup Items: By examining the applications that run when the system starts up, we can discover information such as the role the system plays, the software running and the services it interacts with.

Security services: We can list the security software installed on the server, such as firewalls, intrusion detection systems and anti-virus. This gives a general idea of what an attacker is up against should they attempt to penetrate the internal network.

Key-logging: Key strokes could be monitored in order to detect sensitive information including passwords.

Network Traffic Capturing: Packet-capture software such as Wireshark (or tcpdump on a headless server) could be used to monitor traffic to and from the server. This further identifies hosts on the network, intercepts potentially sensitive data and could capture credentials. Care must be taken to capture only data relevant to the test and not personal data such as voice-over-IP calls.

System Information: General information such as history files, encryption keys and documents could be located in the compromised server.

Finally, we want to maintain access to the compromised server. Access gained through an exploit lasts only as long as the session is running; if the session drops, the attacker may not be able to get back in, which would be an undesirable outcome. To ensure future access can be regained, a backdoor can be installed. A backdoor is a piece of software that allows a user to bypass normal security controls to gain unauthorised access to a system. The backdoor we can use is the Meterpreter persistence script, which creates a persistent Meterpreter session that survives reboots. Any backdoor installed must be recorded, with its location and the time it was planted, so that it can be removed at the end of the test and its removal confirmed in the deliverables.

After the penetration test has been completed, any changes that we have made to the server will be reverted back to their original settings.

PENETRATION TESTING DELIVERABLES

After the test has concluded, deliverables will be created and provided to the individuals nominated to receive the results of the penetration test. These deliverables are a collection of documents providing in-depth information regarding our findings and assistance in resolving any issues that could put the company at risk.

Results & Recommendations: This will be a document detailing our findings after performing the penetration test. It will contain information on the vulnerabilities found and provide a detailed recommendation on how to mitigate these vulnerabilities. All findings will be accompanied by screenshots in order to prove that we have successfully exploited the systems targeted.

Risk Rating: This document will detail how the vulnerabilities found may have an impact on the business should they be exploited. The vulnerabilities will be ordered from most to least critical and will discuss the potential risks that can occur should the vulnerabilities be exploited.

Resources: A list of resources and tools that were used during the penetration test will be documented.

Project Plan: The project plan details all the tasks that were performed during the test, the time and dates in which the tasks were undertaken and also the members of staff who were designated to each task.