
Vulnerability Assessment Report

NETS1016: Security Trends and Issues

Harshit Bhatia

200299513

4/19/2015


Table of Contents

Introduction
  Details of the Network
  Scope of Test
  Purpose of Test
  Type of Test
Executive Summary
  OS Security Issues
  Application Issues
Technical Summary
  Vulnerability Definitions
    Critical
    High
    Medium/Low
    Informational
  Tools used for the Test
    Nmap
    Nikto
    Nessus
  Security issues with the machines
    172.31.106.13
    172.31.106.90
    172.31.106.196
Annexes
  Glossary of Terms
    Buffer Overflow
    Denial of Service
    Directory Traversal
    Social Engineering
    SQL Injection
Conclusion
References


Introduction

Details of the Network

The network is Georgian College's private network, called the Grey Network. It has no access to the Internet.

There were a total of 9 machines tested for vulnerabilities.

The vulnerability assessment did not extend to hacking the machines and gaining credentials to exploit the systems with the appropriate exploit.

The network is connected over a gigabit LAN.

The operating system of each machine tested was not known initially, but was identified during the assessment of the machines.

Scope of Test

A total of 9 systems were tested, with the following IP addresses:

172.31.106.90

172.31.106.197

172.31.106.39

172.31.106.33

172.31.106.32

172.31.106.196

172.31.106.31

172.31.106.46

172.31.106.13

This report covers the analysis of only 3 of the vulnerable machines, with the following IP addresses:

172.31.106.13

172.31.106.90

172.31.106.196

Purpose of Test

To determine whether the machines listed above are vulnerable and to perform a vulnerability assessment of them.

Type of Test

The type of test performed on the machines is a Grey Box test. We were supplied with appropriate user-level privileges, and access to the internal network was permitted by relaxing specific security policies present on the network.

Executive Summary

OS Security Issues

Except for the machines with IPs 172.31.106.197 and 172.31.106.33, a common theme among all systems was that each of them contains at least one critical vulnerability.

It appears that merely patching or upgrading these systems would fix most of the vulnerabilities. This means that the administrator lacks awareness of the need to patch and update the machines.

On some of the machines the operating system was also found to be outdated, which requires a replacement.

Application Issues

Patching and updating this system will fix the critical vulnerabilities identified.

Disable the Internet browsing settings that allow Transport Layer Security v3 (TLSv3), which contains a vulnerability known as POODLE.


Some machines have an outdated Apache web server and outdated OpenSSL software. The best practice is to update both and to apply updates regularly as they are released. It is crucial that the web server and OpenSSL software are updated, as the currently installed versions are highly vulnerable to Denial of Service (DoS) and buffer overflow attacks, which may lead to a compromise of the machine.

An SSL certificate with the wrong hostname was found, and a weak hashing algorithm was used to sign SSL certificates. Correcting the certificate to the proper hostname and using a stronger hashing algorithm such as SHA-512 will strengthen the security of the machine.

One machine has Windows XP installed, an operating system beyond its end-of-life support, and should be upgraded. Patching and updating the system will not be as effective as replacing the operating system in its entirety. However, it is understood that certain legacy software cannot run on newer versions of Windows, and thus management will have to sign off on this issue if that is the case.

On one of the machines, an unencrypted telnet server is enabled and may lead to potential eavesdropping attacks. We recommend disabling this service and using SSH instead, which is an encrypted replacement for Telnet.

One of the machines requires anonymous FTP to be disabled and the more secure FTPS to be used instead.


Technical Summary

Vulnerability Definitions

Critical

A vulnerability permitting remote code execution, elevation of privilege or a denial of service on an affected system. Critical vulnerabilities are a significant threat to business continuity and must be addressed right away.

High

A security weakness whose exploitation might lead to the compromise of the Confidentiality, Integrity or Availability of the company's data.

Medium/Low

Insecure services and protocols are in use on the system, potentially permitting unrestricted access to sensitive information.

Informational

Similar to a medium/low vulnerability, but with a far lower degree of threat. Items in this class are harmless in their own right, but can potentially be used by attackers as a way to perform reconnaissance against the target systems and subsequently exploit them based on the information gathered from the items in this section.

Tools used for the Test

Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
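The Application Issues summary earlier flags a clear-text telnet service, anonymous FTP and outdated Apache builds, and this section describes Nmap reporting hosts, open ports and service versions. The Python script below is an added example, not part of the original report and not code from the Nmap project: it parses a constructed sample written in the layout of Nmap's XML output (the -oX format; the hosts 192.0.2.10 and 192.0.2.11, their ports, versions and the ftp-anon script line are all made up for the example) and maps what it finds onto the report's own severity classes. APACHE_MIN_VERSION is an assumed baseline chosen for illustration, not a threshold stated in the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX layout (made up for this example; not scan
# output from the report). 192.0.2.x are documentation addresses.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.2"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
      </port>
      <port protocol="tcp" portid="139"><state state="filtered"/>
        <service name="netbios-ssn"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1"/>
      </port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.10" tunnel="ssl"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed baseline (hypothetical, not from the report): Apache httpd builds
# below this are treated as "outdated" for the purpose of this example.
APACHE_MIN_VERSION = (2, 4, 0)


def parse_version(text):
    """Leading dotted-numeric part of a version string as a tuple.
    '2.2.8' -> (2, 2, 8); '6.6.1p1' -> (6, 6, 1); '' -> ()."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def assess(xml_text):
    """Walk every open port of every host and emit findings graded with the
    report's severity classes (Critical / High / Medium/Low)."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no exposed service
            portid = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            # Clear-text remote login: credentials exposed to eavesdropping.
            if name == "telnet":
                findings.append(dict(host=addr, port=portid, severity="High",
                                     title="Unencrypted telnet service enabled"))
            # Nmap's ftp-anon script reports whether anonymous login succeeded.
            for script in port.findall("script"):
                if script.get("id") == "ftp-anon" and \
                        "Anonymous FTP login allowed" in script.get("output", ""):
                    findings.append(dict(host=addr, port=portid, severity="Medium/Low",
                                         title="Anonymous FTP login permitted"))
            # Outdated web server: the report ties this to DoS/buffer-overflow risk.
            if product.startswith("Apache httpd") and version and \
                    parse_version(version) < APACHE_MIN_VERSION:
                findings.append(dict(host=addr, port=portid, severity="Critical",
                                     title=f"Outdated Apache httpd {version}"))
    return findings


def summarize(findings):
    """Count findings per severity class, as an executive-summary table would."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_NMAP_XML)
    for f in results:
        print(f"{f['host']}:{f['port']:<5} {f['severity']:<11} {f['title']}")
    print(summarize(results))
```

Feeding the XML of a real version-detection scan saved with -oX into assess() gives the same per-host finding list; the checks are deliberately narrow, so a scanner such as Nessus is still needed for the version-specific vulnerability matching the report relies on.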

Nikto

Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous

files/CGIs, outdated server software and other problems. It performs generic and server

type specific checks. It also captures and prints any cookies received.

Nessus

In typical operation, Nessus begins by doing a port scan with one of its four internal port scanners (or it can optionally use Amap or Nmap) to determine which ports are open on the target, and then tries various exploits on the open ports. The vulnerability tests, available as subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction.


Security issues with the machines

172.31.106.13


172.31.106.90


172.31.106.196


Annexes

Glossary of Terms

Buffer Overflow

Normally takes the form of inputting an overly long string of characters or commands that the system cannot deal with. Some functions have a finite space available to store these characters or commands, and any extra characters over and above this will start to overwrite other portions of code; in the worst case this enables a remote user to gain a remote command prompt with the ability to interact directly with the local machine.

Denial of Service

This is a targeted attack designed to deny a particular service that you rely on to conduct your business. Such attacks are designed, for example, to overtax a web server with multiple requests intended to slow it down and possibly cause it to crash. Traditionally such attacks emanated from one particular source.

Directory Traversal

Occurs when a user or function tries to "break" out of the normal parent directory specified for the application and traverse elsewhere within the system, possibly gaining access to sensitive files or directories in the process.
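To show what "breaking out of the parent directory" looks like in code, here is an added Python example (not from the report) that places the naive os.path.join pattern beside a resolve-and-contain check. DOC_ROOT is a hypothetical document root and the request paths are constructed; the check also percent-decodes the request first, since an encoded "../" is the same traversal once the web layer has decoded it.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Hypothetical document root for the example; it need not exist on disk because
# the containment check below is purely path-based.
DOC_ROOT = "/srv/docs"


def naive_join(root, user_path):
    """The vulnerable pattern: the caller-supplied fragment is trusted as-is, so
    '..' segments (or an absolute path) walk out of the intended directory."""
    return os.path.join(root, user_path)


def resolve_under_root(root, user_path):
    """Return the absolute path for user_path only if it stays inside root.

    The request path is percent-decoded (a web server would already have done
    this), joined to root, and normalised with resolve(), which collapses '..'
    segments and follows symlinks. Anything that lands outside root is rejected,
    including a symlink inside root that points elsewhere."""
    root = Path(root).resolve()
    candidate = (root / unquote(user_path)).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def is_safe(root, user_path):
    """Boolean wrapper around resolve_under_root for quick checks."""
    try:
        resolve_under_root(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request paths: two legitimate, three that try to escape.
    for req in ["reports/q1.txt", "a/../b.txt", "../../etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"]:
        print(f"{req!r:26} naive -> {os.path.normpath(naive_join(DOC_ROOT, req)):<22}"
              f" contained? {is_safe(DOC_ROOT, req)}")
```

The comparison is done on the resolved path rather than on the raw string, so prefix tricks such as a sibling directory named "/srv/docs2" are not mistaken for children of "/srv/docs".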

Social Engineering

Normally uses a limited range of distinct subject matter to entice users to, say, open and run an attachment. Usually associated with phishing/e-mail type attacks. The main themes are:

Sexual - sexual ideas/pictures/websites

Curiosity - friendly themes/appealing to someone's passion or obsession

Fear - reputable sources/virus alerts

Authority - current affairs/bank e-mails/company e-mails

SQL Injection

Occurs when a low-privileged user interactively executes PL/SQL commands on the database server by adding additional syntax into standard arguments, which is then passed to a particular function, enabling enhanced privileges.
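Added Python example (not from the report) of the "additional syntax in a standard argument" the entry describes, using an in-memory SQLite table as a stand-in for the PL/SQL database server the glossary mentions; the users table and its rows are constructed. The string-built query and its parameterized form are shown side by side so the difference in behaviour is visible on the same input.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The weak pattern: the argument is pasted into the SQL text, so a quote or
    operator inside it becomes part of the statement's syntax and changes the
    WHERE clause instead of being compared as a value."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: the driver binds the value separately from the SQL,
    so whatever the argument contains is only ever treated as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # A normal lookup, then an argument carrying a closing quote and an extra
    # always-true condition, the textbook shape of injected syntax.
    for arg in ["bob", "x' OR '1'='1"]:
        print(f"input {arg!r}:")
        print("  string-built :", lookup_vulnerable(conn, arg))
        print("  parameterized:", lookup_parameterized(conn, arg))
```

With the second input the string-built query returns every row, while the parameterized query returns nothing because no user is literally named that; the fix is the same in any driver: bind values, never concatenate them.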

Conclusion

Patching and updating the machines will help in eliminating the vulnerabilities, most of which are critical and high in severity. The medium and low ones can be removed with some effort from the system administrator.


References

http://www.vulnerabilityassessment.co.uk/report%20template.html

http://nmap.org/

http://en.wikipedia.org/wiki/Nessus_%28software%29

http://en.wikipedia.org/wiki/Nikto_Web_Scanner