ACME Widgets
May 2010 Penetration Testing Report

ASA Co., Ltd.
Andrew Boyce
Somchai Jogkaew
Asha Babani-Maghirang

ATTENTION: This document contains information from ASA Co., Ltd. that is confidential and privileged. The information is intended for the private use of ACME WIDGETS. By accepting this document you agree to keep the content in confidence and not to copy, disclose or distribute it without a written request to, and written confirmation from, ASA. If you are not the intended recipient, be aware that any disclosure, copying or distribution of the contents of this document is prohibited.

Penetration Testing Report, as of May 2010
©ASA Co., Ltd. CONFIDENTIAL

Document Details
  Company        : ACME WIDGETS
  Document Title : Penetration Testing Report
  Date           : May 06, 2010
  Classification : Confidential
  Document Type  : Report

Recipient
  Name           Title                 Company
  Dr. Jim Aman   Associate Professor   Saint Xavier University
  Jamie Conway   Assistant             ACME Widgets

Table of Contents
1. EXECUTIVE SUMMARY ........................... 4
   1.1 Summary ................................. 4
   1.2 Scope ................................... 5
   1.3 Key Findings ............................ 6
   1.4 Recommendation .......................... 7
   1.5 Tabular Summary ......................... 8
   1.6 Overall Risk Chart ...................... 8
       1.6.1 Security Risk Comparison .......... 8
       1.6.2 High Security Risk Comparison ..... 9
       1.6.3 Medium Security Risk Comparison ... 9
       1.6.4 Low Security Risk Comparison ...... 10
2. TECHNICAL REPORT ............................ 11
   2.1 192.168.199.1 ........................... 11
   2.2 192.168.199.70 .......................... 16
   2.3 192.168.199.99 .......................... 25
   2.4 192.168.199.222 ......................... 31
   2.5 192.168.199.230 ......................... 33
   2.6 192.168.199.232 ......................... 44
3. CONCLUSION .................................. 49
4. PENETRATION TESTING LOG ..................... 50

1. EXECUTIVE SUMMARY

1.1 Summary
ASA has been assigned the task of carrying out quarterly penetration testing of ACME WIDGETS. This is the first quarterly penetration testing report. The penetration test was performed from April 15th, 2010 to May 5th, 2010. The detailed report on each task and our findings is given below.
The purpose of the test is to determine security vulnerabilities in the server configurations and web applications running on the servers specified in the scope. The tests are carried out assuming the identity of an attacker or a user with malicious intent. At the same time, due care is taken not to harm the servers.

1.1.1 Approach
  - Perform broad scans to identify potential areas of exposure and services that may act as entry points
  - Perform targeted scans and manual investigation to validate vulnerabilities
  - Test identified components to gain access to:
      192.168.199.1
      192.168.199.70
      192.168.199.99
      192.168.199.222
      192.168.199.230
      192.168.199.232
  - Identify and validate vulnerabilities
  - Rank vulnerabilities based on threat level, loss potential and likelihood of exploitation
  - Perform supplemental research and development activities to support analysis
  - Identify issues of immediate consequence and recommend solutions
  - Develop long-term recommendations to enhance security
  - Transfer knowledge

During the network-level security checks we probed the ports present on the various servers and detected the services running on them, together with any existing security holes. At the web application level we checked the web server's configuration issues and, more importantly, the logical errors in the web application itself.

1.2 Scope
The scope of this penetration test was limited to the IP addresses and network infrastructure listed below.
  192.168.199.1
  192.168.199.70
  192.168.199.99
  192.168.199.222
  192.168.199.230
  192.168.199.232

1.3 Key Findings
In this section we highlight the critical issues that we discovered during our penetration testing exercise.

1.3.1 Insufficient Authentication
On the server 192.168.199.230 (ACME-W2K-01), the "administrator" account password is blank.
If an anonymous person walked into the server room and tried the 'administrator' account without a password, they could log in to the network within a second.
Recommendation: We highly recommend setting a password on the 'administrator' account as soon as possible. The password must meet complexity requirements.

On the firewall box, port 981 is open. It appears that an administrator opened this port for convenience, to configure the firewall remotely. If an attacker learns the firewall password, they can take down the entire network.
Recommendation: We highly recommend closing or disabling port 981. When the firewall needs to be configured, which is done only once in a while, connect remotely into the network first and configure it from there.

1.3.2 Login and Username Enumeration
The server 192.168.199.232 (HERMIONE) has the user 'hermione', a username that is very easy for an attacker to guess when trying to log in to the server.
Recommendation: We highly recommend changing, disabling or deleting the username 'hermione'.

1.4 Recommendation
ASA recommends that attention is given to the issues discovered during the assessment and that an action plan is generated to remediate these items. The recommendations are classified as tactical or strategic. Tactical recommendations are short-term fixes to help alleviate the immediate security concerns. Strategic recommendations focus on the entire environment, future directions and the introduction of security best practices. A highlight of the recommendations follows:

1.4.1 Tactical Recommendations
ASA recommends that priority is given to the server 192.168.199.230 (ACME-W2K-01), because this server has the most holes and the highest-risk security issues. Fix the problems on ACME-W2K-01 first, then return to the other servers.

1.4.2 Hardware and Software Recommendations
Most of the computer hardware and software is quite old. We recommend upgrading the system, both software and hardware, to improve performance, since that is more cost effective than paying a consultant. Operating system software is available that can fix the current security risks.

1.5 Tabular Summary
The following table summarizes the system's vulnerability assessment:

  Category                                        Description
  Number of live hosts                            6
  Number of Vulnerabilities                       6
  Low, Medium and High Severity Vulnerabilities   Low 6, Medium 6, High 6

1.6 Overall Risk Chart

1.6.1 Security Risk Comparison
[Figure: "Security Risk Comparison", a bar chart of the High, Medium and Low risk percentages for each host (192.168.199.1, 192.168.199.70, 192.168.199.99, 192.168.199.106, 192.168.199.222, 192.168.199.230, 192.168.199.232). The per-host percentages are repeated at the start of each host's subsection in the Technical Report.]

1.6.2 High Security Risk Comparison
[Figure: "High Security Risk Comparison", a bar chart of the High risk percentage per host for the same seven hosts; values shown: 39%, 25%, 21%, 20%, 14%, 12%, 9%.]

1.6.3 Medium Security Risk Comparison
[Figure: "Medium Security Risk Comparison", a bar chart of the Medium risk percentage per host; values shown: 44%, 39%, 35%, 34%, 27%, 14%, 14%.]

1.6.4 Low Security Risk Comparison
[Figure: "Low Security Risk Comparison", a bar chart of the Low risk percentage per host; values shown: 72%, 65%, 64%, 45%, 44%, 41%, 22%.]

2. TECHNICAL REPORT
For IP address 98.28.11.223 the ports listed below were scanned.
The listed ports appear to be open on the server. Alongside the port number, we also show the service that usually runs on that port as well as the banner displayed by the service.

2.1 192.168.199.1
High 21%   Medium 14%   Low 65%

  Port           Protocol                                        Result
  22/TCP         SSH                                             Security note found
  80/TCP         Hypertext Transfer Protocol                     Security hole found
  264/TCP        Border Gateway Multicast Protocol (BGMP)        Security note found
  443/TCP        Hypertext Transfer Protocol over SSL/TLS        Security note found
  981/TCP        Remote HTTPS management for firewall devices    Security note found
  53/UDP         Domain Name System                              Security warning found
  General/ICMP                                                   Security warning found
  General/UDP                                                    Security note found

Information found on port 22/TCP
  Finding: A Secure Shell service runs on this port. It is sometimes opened by these Trojan horses: Adore, SSHD, Shaft. Unless you know for sure what is behind it, you had better check your system.
  Solution: If a Trojan horse is running, run a good antivirus scanner.
  Risk factor: Low

Vulnerability found on port 80/TCP
  Finding: It is possible to read arbitrary files on the remote server by prepending .../.../ or ...\...\ to the file name. It was possible to read arbitrary files using the URL http://192.168.199.1:80/%5c...%5c...%5c...%5cwindows%5cwin.ini, which produces: Please contact ASA
  Solution: Upgrade the firewall operating system/firmware
  Risk factor: High

Vulnerability found on port 80/TCP
  Finding: It is possible to read arbitrary files on the remote server by prepending .%252e/.%252e to the file name.
  Solution: Upgrade to JWalk
  Risk factor: High

Vulnerability found on port 80/TCP
  Finding: It was possible to make the remote Axent Raptor freeze by sending it an IP packet containing special options (of length equal to 0). An attacker may use this flaw to make your firewall crash continuously, preventing your network from working properly
  Solution: Filter the incoming IP traffic containing IP options and contact Axent for a patch
  Risk factor: High

Information found on port 80/TCP
  Finding: A web server is running on this port
  Solution: If this web server is only running the front-end firewall administration, you may upgrade to SSL/TLS
  Risk factor: Low

Information found on port 443/TCP
  Finding: A TLSv1 server answered on this port. A web server is running on this port through SSL
  Risk factor: Low

Information found on port 443/TCP
  Finding: Here is the SSLv3 server certificate:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: O=SofaWare, CN=my.firewall/emailAddress=support@sofaware.com
            Validity
                Not Before: Dec 4 13:56:21 2006 GMT
                Not After : Dec 26 13:56:21 2037 GMT
            Subject: O=SofaWare, CN=my.firewall/emailAddress=support@sofaware.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:c2:88:7f:a4:bb:62:4e:1e:d7:f9:04:13:ea:a7:
                        f7:53:cc:28:29:51:19:a2:ff:61:77:ad:49:54:71:
                        16:11:4e:08:2e:d8:c8:e1:ec:13:f2:72:c0:0d:8e:
                        29:27:b8:3a:8b:65:0c:da:ea:7b:1d:ae:58:00:cb:
                        83:52:5e:7e:db:fc:ef:33:f1:a1:4c:9a:18:a6:28:
                        a5:7f:7d:b8:04:25:73:d1:42:38:9b:79:1a:67:6d:
                        75:71:4a:09:f2:5c:8b:65:1d:62:91:05:07:2f:04:
                        ea:a5:e0:c2:e3:2a:57:43:78:aa:3d:1e:52:4a:40:
                        4a:9f:56:86:e3:fe:42:42:5d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    86:5B:56:59:47:A1:06:6F:AD:EA:B4:21:C7:76:7F:8C:48:A3:92:CE
                X509v3 Authority Key Identifier:
                    keyid:86:5B:56:59:47:A1:06:6F:AD:EA:B4:21:C7:76:7F:8C:48:A3:92:CE
                    DirName:/O=SofaWare/CN=my.firewall/emailAddress=support@sofaware.com
                    serial:02
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
            90:8e:de:a9:ca:a1:ae:e7:f0:c5:e5:4c:0c:ff:b7:62:4e:13:
            da:94:fd:59:87:f7:7f:31:74:cf:3b:c1:87:46:08:a3:36:09:
            05:8c:0f:fa:63:f8:8c:fe:7f:37:85:20:31:ba:20:9e:52:16:
            07:c9:13:64:ba:2d:92:f6:ff:0a:a6:10:95:1a:1c:aa:87:a3:
            65:0f:10:42:06:f2:a8:3f:3a:8b:f7:24:1b:98:9f:2b:32:bd:
            d6:58:a7:77:c0:26:34:ef:e5:e0:14:09:41:d7:08:79:90:84:
            cf:d0:f5:fe:bf:92:60:f1:7b:ff:0b:62:97:c7:a7:cf:f5:26:
            1f:1f
  This TLSv1 server does not accept SSLv2 connections. This TLSv1 server also accepts SSLv3 connections. The certificate expiration date of sofaware.com is too long.
  Solution: Double check the certificate.
  Risk factor: Low

Warning found on port 53/UDP
  Finding: A DNS server is running on this port. If this is your internal nameserver, then forget this warning. If you are probing a remote nameserver, then it allows anyone to use it to resolve third-party names. This allows attackers to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' denial of service attacks against another network or system
  Solution: If you do not use it, disable it. Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it)
  Risk factor: High

Information found on port 53/UDP
  Finding: A DNS server is running on this port
  Solution: If you do not use it, disable it
  Risk factor: Low

Warning found on port 53/UDP
  Finding: BIND 'NAMED' is an open-source DNS server from ISC.org. Many proprietary DNS servers are based on BIND source code. The BIND-based NAMED servers (or DNS servers) allow remote users to query for version and type information.
  The query of the CHAOS TXT record 'version.bind' will typically prompt the server to send the information back to the querying source.
  Solution: Using the 'version' directive in the 'options' section will block the 'version.bind' query, but it will not log such attempts
  Risk factor: High

Information found on port General/ICMP
  Finding: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols
  Solution: Filter out the ICMP timestamp requests and the outgoing ICMP timestamp replies
  Risk factor: Low

Information found on port General/UDP
  Finding: For your information, here is the trace route to 192.168.199.1:
    192.168.199.106
    192.168.199.1
  Risk factor: Low

2.2 192.168.199.70
High 25%   Medium 34%   Low 41%

  Port           Protocol                             Result
  21/TCP         FTP                                  Security hole found
  70/TCP         Gopher                               Security note found
  80/TCP         Hypertext Transfer Protocol (HTTP)   Security hole found
  139/TCP        NetBIOS-SSN                          Security hole found
  1028/TCP       Unknown                              Security note found
  137/UDP        NetBIOS-NS                           Security warnings found
  General/ICMP                                        Security notes found
  General/UDP                                         Security notes found
  General/TCP                                         Security hole found

Vulnerability found on port 21/TCP
  Finding: It was possible to make the remote FTP server crash by creating a huge directory structure. This is usually called the 'wu-ftpd buffer overflow' even though it affects other FTP servers. It is very likely that an attacker can use this flaw to execute arbitrary code on the remote server. This will give him a shell on your system, which is not a good thing. The remote FTP server closes the connection when a command is too long or is given a too-long argument. This is probably due to a buffer overflow, which allows anyone to execute arbitrary code on the remote host.
  This problem is threatening, because attackers don't need an account to exploit this flaw.
  Solution: Upgrade your FTP server. Consider removing directories writable by 'Anonymous'
  Risk factor: High

Warning found on port 21/TCP
  Finding: This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it may only cause trouble. The content of the remote FTP root is:
    d---------   1 owner    group           0 Apr 20  9:37 41414141
    d---------   1 owner    group           0 Apr 23 19:56 CVGRKQNGJI
    d---------   1 owner    group           0 Apr 20  9:46 DTDJMCEKJZ
    d---------   1 owner    group           0 Apr 20 10:11 FISNOBUAOF
    d---------   1 owner    group           0 Apr 20 13:09 GUVPBZPJCR
    d---------   1 owner    group           0 Apr 18 21:04 IE 5.5 SP1 Full
    ----------   1 owner    group     1432324 Apr 18 20:33 ie401sp1.exe
    ----------   1 owner    group    88676325 Apr 18 20:41 ie55sp1.exe
    d---------   1 owner    group           0 Apr 18 21:50 ie5setup
    ----------   1 owner    group      491768 Apr 18 20:19 ie6setup.exe
    ----------   1 owner    group           0 Apr 23 18:35 nessus_test
    ----------   1 owner    group     2716376 Apr 18 20:20 Q244599i.EXE
    ----------   1 owner    group      339784 Apr 18 20:19 Q246009i.EXE
    ----------   1 owner    group      386816 Apr 18 20:19 Q831167.exe
    ----------   1 owner    group     7220896 Apr 18 20:20 sp4rk_i386.Exe
    d---------   1 owner    group           0 Apr 21 19:57 XXXXXXXXXX
  Risk factor: Low

Information found on port 21/TCP
  Finding: An FTP server is running on this port
  Solution: If you do not use it, disable it.
  Risk factor: Low

Information found on port 70/TCP
  Finding: A Gopher protocol server is running on this port
  Solution: If you do not use it, disable it.
  Risk factor: Low

Vulnerability found on port 80/TCP
  Finding: When IIS receives a user request to run a script, it renders the request in a decoded canonical form, then performs security checks on the decoded request.
  A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS server
  Solution: Update patch KB301625
  Risk factor: High

Information found on port 80/TCP
  Finding: A web server is running on this port. The remote web server type is IIS 3.0. The following CGI have been discovered: /scripts/iisadmin/ism.dll (ftp/serv [] gopher/serv [] http/serv [] )
  Risk factor: Low

Vulnerability found on port 139/TCP
  Finding: The following registry keys are writeable by users who are not in the admin group: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug. These keys contain the name of the program that shall be started when the computer starts. The users who have the right to modify them can easily make the admin run a Trojan program which will give them admin privileges
  Solution: Use regedt32 and set the permissions of this key to:
    - Admin group: Full Control
    - System: Full Control
    - Everyone: Read
    Make sure that 'Power Users' do not have any special privilege for this key
  Risk factor: High

Vulnerability found on port 139/TCP
  Finding: The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is writeable by users who are not in the admin group. This key contains a value which defines which program should be run when a user logs on.
  As this program runs in the SYSTEM context, the users who have the right to change the value of this key can gain more privileges on this host
  Solution: Use regedt32 and set the permissions of this key to:
    - Admin group: Full Control
    - System: Full Control
    - Everyone: Read
    Make sure that 'Power Users' do not have any special privilege for this key
  Risk factor: High

Vulnerability found on port 139/TCP
  Finding: The registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg is missing. This key allows you to define what can be viewed in the registry by non-administrators
  Solution: Install Service Pack 3 if not done already, and create SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths. Under this key, create the value 'Machine' as a REG_MULTI_SZ and put in it what you allow to be browsed remotely
  Risk factor: Medium

Vulnerability found on port 139/TCP
  Finding: It seems that it was possible to crash the remote Windows host remotely by sending a specially crafted packet. An attacker may use this flaw to prevent this host from working properly. This attack is known as SMBDie
  Solution: Apply the update patch KB326830
  Risk factor: Medium

Warning found on port 139/TCP
  Finding: There are 17 services running on this host:
    1. Alerter [Alerter]
    2. Computer Browser [Browser]
    3. EventLog [EventLog]
    4. Gopher Publishing Service [GOPHERSVC]
    5. Server [LanmanServer]
    6. Workstation [LanmanWorkstation]
    7. License Logging Service [LicenseService]
    8. TCP/IP NetBIOS Helper [LmHosts]
    9. Messenger [Messenger]
    10. FTP Publishing Service [MSFTPSVC]
    11. Net Logon [Netlogon]
    12. NT LM Security Support Provider [NtLmSsp]
    13. Plug and Play [PlugPlay]
    14. Protected Storage [ProtectedStorage]
    15. Remote Procedure Call (RPC) Locator [RPCLOCATOR]
    16. Spooler [Spooler]
    17. World Wide Web Publishing Service [W3SVC]
  You should turn off the services you do not use. This list is useful to an attacker, who can make his attack more silent by not port scanning this host
  Solution: To prevent the listing of the services from being obtained, you should either have tight login restrictions, so that only trusted users can access your host, and/or you should filter incoming traffic to this port
  Risk factor: Low

Warning found on port 139/TCP
  Finding: The Alerter service is running. This service allows NT users to send pop-up messages to each other. This service can be abused by an attacker who can trick valid users into doing some actions that may harm their accounts or your network (social engineering attack)
  Solution: Disable the service
  Risk factor: Low

Warning found on port 139/TCP
  Finding: The remote registry can be accessed remotely using the login/password combination used for the SMB tests. Having the registry accessible to the world is not a good thing as it gives extra knowledge to an attacker
  Solution: Apply Service Pack 3 (SP3) if not done already, and set the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg to restrict what can be browsed by non-administrators. In addition to this, you should consider filtering incoming packets to this port
  Risk factor: Low

Warning found on port 139/TCP
  Finding: The domain SID can be obtained remotely. Its value is ACME : 5-21-1730571904-1379865857-4547331. An attacker can use it to obtain the list of the local users of this host
  Solution: Filter the ports 137 to 139 and 445
  Risk factor: Low

Warning found on port 139/TCP
  Finding: The remote host seems to be a Primary Domain Controller or a Backup Domain Controller.
  This can be told by the value of the registry key ProductType under HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions. This knowledge may be of some use to an attacker and help him to focus his attack on this host
  Solution: Filter the ports 137 to 139 and 445
  Risk factor: Low

Warning found on port 139/TCP
  Finding: The domain SID could be used to enumerate the names of the users of this domain (we only enumerated user names whose ID is between 1000 and 1200, for performance reasons). This gives extra knowledge to an attacker, which is not a good thing.
    - Administrator account name: Administrator (id 500)
    - Guest account name: hpotter (id 501)
    - ACMEDC$ (id 1000)
    - IUSR_ACMEDC (id 1001)
    - backtrack (id 1002)
  Solution: Filter incoming connections to this port
  Risk factor: Medium

Warning found on port 139/TCP
  Finding: Here is the list of the SMB shares of this host:
    NETLOGON   Logon server share
    ftproot
    ADMIN$     Remote Admin
    IPC$       Remote IPC
    C$         Default share
  This is potentially dangerous as this may help the attack of a potential hacker
  Solution: Disable ADMIN$, C$
  Risk factor: Medium

Warning found on port 139/TCP
  Finding: Here is the browse list of the remote host:
    1. ACME-W2K-01
    2. ACMEDC
  Solution: Filter incoming traffic to this port
  Risk factor: Low

Warning found on port 139/TCP
  Finding: The Administrator account has a password which never expires
  Solution: Set a password on the Administrator account and disable password non-expiry
  Risk factor: Medium

Vulnerability found on port 139/TCP
  Finding: The following shares can be accessed as hpotter:
    - ftproot
      + Content of this share:
        - .
        - ..
        - .nessus_test_2
        - 41414141
        - CVGRKQNGJI
        - DTDJMCEKJZ
        - FISNOBUAOF
        - GUVPBZPJCR
        - IE 5.5 SP1 Full
        - ie401sp1.exe
        - ie55sp1.exe
        - ie5setup
        - ie6setup.exe
        - nessus_test
        - Q244599i.EXE
        - Q246009i.EXE
        - Q831167.exe
        - sp4rk_i386.Exe
        - XXXXXXXXXX
    - NETLOGON
      + Content of this share:
        - .
        - ..
  Solution: To restrict their access under Windows NT, open the Explorer, right-click on each share, go to the 'Sharing' tab, and click on 'Permissions'
  Risk factor: High

Information found on port 139/TCP
  Finding: An SMB server is running on this port
  Solution: If you do not need it, disable it.
  Risk factor: Low

Warning found on port 139/TCP
  Finding: It was possible to log into the remote host using the following login/password combination: 'guest'/''. It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user 'guest' access
  Solution: If the account 'Guest' is enabled, disable it, or update patch KB143474
  Risk factor: High

Warning found on port 139/UDP
  Finding: The following 11 NetBIOS names have been gathered:
    1. ACMEDC = This is the computer name
    2. ACMEDC
    3. ACME = Workgroup / Domain name
    4. ACME = Workgroup / Domain name (Domain Controller)
    5. ACME
    6. ACMEDC = This is the current logged in user or registered workstation name.
    7. INet~Services = Workgroup / Domain name (Domain Controller)
    8. IS~ACMEDC
    9. ACME = Workgroup / Domain name (part of the Browser elections)
    10. ACME
    11. __MSBROWSE__
  The remote host has the following MAC address on its adapter: 00:0c:29:c7:26:b9
  Solution: If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port
  Risk factor: Medium

Information found on port General/TCP
  Finding: The remote host accepts loose source routed IP packets. The feature was designed for testing purposes. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself
  Solution: Drop source routed packets on this host or on other ingress routers or firewalls
  Risk factor: Low
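The two arbitrary-file-read findings on 192.168.199.1 (section 2.1, port 80/TCP) and the IIS double-decode finding on 192.168.199.70 above share one mechanism: the request path is harmless as sent and only becomes a traversal after percent-decoding, in the IIS case only after the second, superfluous decode. The following script is an added example, not code from the ASA report or from any scanner, showing how a defender can catch such requests in web server access logs: it decodes each request path until the string stops changing, then flags traversal sequences and records whether they only appeared after the second decode. The log lines are constructed for this example; the two encoded paths on lines 2 and 3 are the forms quoted in the findings, and the `/winnt/` target on line 3 is made up.

```python
"""Flag encoded path-traversal requests in web server access logs.

Added example, not code from the ASA report or from any scanner. IIS (finding
on 192.168.199.70, port 80/TCP) decoded a request a second time after its
security checks, so a single decode is not enough: this script decodes each
request path until it stops changing, then flags traversal sequences and
notes when they only appeared after the second decode.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not captured traffic.
# Lines 2 and 3 use the encoded forms quoted in the findings on 192.168.199.1.
SAMPLE_LOG = """\
192.168.199.106 - - [20/Apr/2010:09:37:01 +0000] "GET /index.html HTTP/1.0" 200 1432
192.168.199.106 - - [20/Apr/2010:09:37:02 +0000] "GET /%5c...%5c...%5c...%5cwindows%5cwin.ini HTTP/1.0" 200 512
192.168.199.106 - - [20/Apr/2010:09:37:03 +0000] "GET /scripts/.%252e/.%252e/winnt/win.ini HTTP/1.0" 200 512
192.168.199.106 - - [20/Apr/2010:09:37:04 +0000] "GET /images/logo.png HTTP/1.0" 200 9000
"""

# Request line inside a CLF record: "METHOD path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Two or more dots as a whole path component (.. or ... as in the findings),
# matched after backslashes have been normalised to forward slashes.
TRAVERSAL_RE = re.compile(r"(^|/)\.{2,}(/|$)")


def full_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing.

    Returns (decoded_path, rounds): rounds counts the decodes that changed
    the string, so a double-encoded path reports 2.
    """
    current, rounds = path, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify_path(path):
    """Return None for a clean path, otherwise a short reason string."""
    decoded, rounds = full_decode(path)
    normalised = decoded.replace("\\", "/")
    if TRAVERSAL_RE.search(normalised):
        if rounds >= 2:
            return "traversal hidden behind double encoding"
        return "directory traversal"
    if rounds >= 2:
        # No traversal, but a path is not double-encoded by accident.
        return "double-encoded request"
    return None


def scan_log(text):
    """Return [(line_number, raw_path, reason)] for every suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        reason = classify_path(match.group("path"))
        if reason is not None:
            hits.append((lineno, match.group("path"), reason))
    return hits


if __name__ == "__main__":
    for lineno, path, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {path}")
```

The same check applies to the cs-uri-stem field of IIS W3C logs; only the `REQUEST_RE` line parser is tied to the Common Log Format of the constructed sample. Decoding to a fixed point rather than exactly twice also catches deeper encodings, which is the generalisation of the IIS case.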
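The certificate finding on port 443/TCP of 192.168.199.1 (section 2.1) says only that the expiration date is "too long" and to double check the certificate. The following script is an added example, not part of the ASA report, that turns that into a repeatable check: it parses the certificate text in the form the scanner printed it and reports a self-signed issuer, an over-long validity period, a 1024-bit RSA key, a SHA-1 signature and the CA:TRUE flag. The embedded text is an excerpt of the certificate above with the modulus and signature bytes left out; the validity and key-size thresholds (five years, 2048 bits) are assumptions chosen for the example, not values from the report.

```python
"""Audit the text form of an X.509 certificate (as printed by openssl x509 -text).

Added example, not part of the ASA report. The thresholds are assumed policy
values for this example, not values from the report.
"""
import re
from datetime import datetime

# Excerpt of the certificate printed in finding 2.1 (port 443/TCP); the modulus,
# signature bytes and key identifiers are omitted because the audit does not need them.
REPORT_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=SofaWare, CN=my.firewall/emailAddress=support@sofaware.com
        Validity
            Not Before: Dec  4 13:56:21 2006 GMT
            Not After : Dec 26 13:56:21 2037 GMT
        Subject: O=SofaWare, CN=my.firewall/emailAddress=support@sofaware.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_text(text):
    """Pull the fields the audit needs out of openssl-style certificate text."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    not_before = grab(r"^\s*Not Before\s*:\s*(.+)$")
    not_after = grab(r"^\s*Not After\s*:\s*(.+)$")
    bits = grab(r"Public Key:\s*\((\d+) bit\)")
    return {
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        # openssl pads single-digit days with two spaces; collapse before parsing
        "not_before": datetime.strptime(" ".join(not_before.split()), DATE_FMT),
        "not_after": datetime.strptime(" ".join(not_after.split()), DATE_FMT),
        "key_bits": int(bits) if bits else None,
        "is_ca": "CA:TRUE" in text,
    }


def audit_certificate(text, max_validity_days=1826, min_rsa_bits=2048):
    """Return the parsed facts plus a 'findings' list of plain-text observations.

    max_validity_days (five years) and min_rsa_bits are assumed policy values.
    """
    cert = parse_cert_text(text)
    validity_days = (cert["not_after"] - cert["not_before"]).days
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed certificate (issuer equals subject)")
    if validity_days > max_validity_days:
        findings.append(f"validity period of {validity_days} days exceeds {max_validity_days}")
    if cert["key_bits"] is not None and cert["key_bits"] < min_rsa_bits:
        findings.append(f"RSA key of {cert['key_bits']} bits is below {min_rsa_bits}")
    if cert["sig_alg"] and cert["sig_alg"].lower().startswith(("md5", "sha1")):
        findings.append(f"weak signature hash in {cert['sig_alg']}")
    if cert["is_ca"]:
        findings.append("certificate is marked CA:TRUE; a server certificate should not be a CA")
    cert["validity_days"] = validity_days
    cert["findings"] = findings
    return cert


if __name__ == "__main__":
    result = audit_certificate(REPORT_CERT_TEXT)
    print(f"valid for {result['validity_days']} days")
    for finding in result["findings"]:
        print(" -", finding)
```

On the report's certificate the validity works out to 11345 days (a little over 31 years), which is what the scanner was objecting to; the self-signed issuer and the 1024-bit SHA-1 key are the other points a reviewer would raise from the same text.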
2.3 192.168.199.99
High 9%   Medium 27%   Low 64%

  Port           Protocol                             Result
  80/TCP         Hypertext Transfer Protocol (HTTP)   Security notes found
  135/TCP        End Point Mapper                     Security hole found
  139/TCP        NetBIOS-SSN                          Security warnings found
  1024/TCP       KDM                                  Security notes found
  1025/TCP       BlackJack                            Security notes found
  1030/TCP       IADL                                 Security notes found
  1074/UDP       Fastechnololm                        Security notes found
  3389/ICMP      MS-WBT-Server                        Security warning found
  5800/UDP       VNC Client                           Security warning found
  5900/TCP       VNC server                           Security notes found
  137/UDP        NetBIOS-NS                           Security warning found
  General/ICMP                                        Security warning found
  General/UDP                                         Security notes found

Information found on port 80/TCP
  Finding: A web server is running on this port. The remote web server is IIS 6.0
  Risk factor: Low

Information found on port 135/TCP
  Finding: The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one worm which is currently exploiting this vulnerability, namely the MsBlaster worm
  Solution: Update patch KB823980
  Risk factor: High

Information found on port 135/TCP
  Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
  Solution: Filter incoming traffic to this port
  Risk factor: Low

Information found on port 139/TCP
  Finding: A 'rfpoison' packet has been sent to the remote host.
  This packet is supposed to crash the 'services.exe' process, rendering the system unstable
  Solution: If you see that this attack was successful, please update to Windows NT SP6
  Risk factor: Medium

Information found on port 139/TCP
  Finding: An SMB server is running on this port

Information found on port 1024/TCP
  Finding: A web server is running on this port. The remote web server type is IIS 6.0

Information found on port 1025/TCP
  Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Here is the list of DCE services running on this port:
    UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1025]
    Annotation : IPSec Policy agent endpoint
    Named pipe : spoolss
    Win32 service or process : spoolsv.exe
    Description : Spooler service

    UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1025]
    Named pipe : lsass
    Win32 service or process : lsass.exe
    Description : SAM access
  Solution: Filter incoming traffic to this port
  Risk factor: Low

Information found on port 1030/TCP
  Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
  Here is the list of DCE services running on this port:
    UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1030]

    UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1030]

    UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1030]

    UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1030]
  Solution: Filter incoming traffic to this port
  Risk factor: Low

Information found on port 1074/TCP
  Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Here is the list of DCE services running on this port:
    UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1074]
    Named pipe : atsvc
    Win32 service or process : mstask.exe
    Description : Scheduler service

    UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1074]

    UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
    Endpoint : ncacn_ip_tcp:192.168.199.99[1074]
  Solution: Filter incoming traffic to this port
  Risk factor: Low

Warning found on port 3389/TCP
  Finding: The Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely.
  Note that RDP (the Remote Desktop Protocol) is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server
  Solution: Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet
  Risk factor: Medium

Warning found on port 5800/TCP
  Finding: The remote server is running VNC version 4.0. VNC permits a console to be displayed remotely. For more information please visit www.realvnc.com
  Solution: Disable VNC access from the network by using a firewall, or stop the VNC service if not needed
  Risk factor: Medium

Warning found on port 5900/TCP
  Finding: The remote server is running VNC, software which permits a console to be displayed remotely. This allows users to control the host remotely
  Solution: Make sure the use of this software is done in accordance with your corporate security policy and filter incoming traffic to this port
  Risk factor: Medium

Warning found on port General/ICMP
  Finding: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols
  Solution: Filter out the ICMP timestamp requests, and the outgoing ICMP timestamp replies
  Risk factor: Low

Information found on port General/ICMP
  Finding: Here is the route recorded between 192.168.199.106 and 192.168.199.99: 192.168.199.99

Warning found on port 137/UDP
  Finding: The following 3 NetBIOS names have been gathered:
    WORKMASTER = This is the computer name registered for workstation services by a WINS client.
ACME = Workgroup / Domain name ACME = Workgroup / Domain name (part of the Browser elections) Solution Risk factor MAC address on the remote adapter : 00:02:a5:97:ce:02 If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port Medium ©ASA Co., Ltd. CONFIDENTIAL Penetration Testing Report P a g e | 30 Information found on port General/UDP Finding For your information, here is the trace route to 192.168.199.99 : - 192.168.199.106 - 192.168.199.99 Warning found on port General/TCP Finding The remote host accepts loose source routed IP packets. The feature was designed for testing purpose. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself Solution drop source routed packets on this host or on other ingress routers or firewalls Risk factor Low ©ASA Co., Ltd. CONFIDENTIAL Penetration Testing Report P a g e | 31 2.4 192.168.199.222 High 14% Medium 14% Low 72% Port 902/TCP 912/TCP 3389/TCP 8222/TCP 137/UDP General/UDP Protocol IdeaFarm Apex-Mesh RDP Unknown NetBIOS-NS Result Security notes found Security hole found Security warnings found Security notes found Security warning found Security notes found Information found on port 902/TCP Finding The remote host appears to be running VMware ESX or GSX Server. According to its banner, the remote host appears to be running a VMware server authentication daemon, which likely indicates the remote host is running VMware ESX or GSX Server Vulnerability found on port 912/TCP Finding It was possible to perform a denial of service against the remote Interscan SMTP server by sending it a special long HELO command. This problem allows an attacker to prevent your Inter scan SMTP server from handling requests Solution Contact your vendor for a patch Risk factor High ©ASA Co., Ltd. 
Warning found on port 912/TCP
Finding: This SMTP server is running on a non-standard port. This might be a backdoor set up by crackers to send spam or even control your machine.
Solution: Check and clean your configuration.
Risk factor: Medium

Warning found on port 3389/TCP
Finding: The Terminal Services are enabled on the remote host. Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
Solution: Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet.
Risk factor: Medium

Information found on port 8222/TCP
Finding: A web server is running on this port.

Warning found on port 3389/TCP
Finding: The following 3 NetBIOS names have been gathered:
  ACME-W2K3-SRV02 = This is the computer name registered for workstation services by a WINS client.
  ACMEWIDGETS     = Workgroup / Domain name
  ACME-W2K3-SRV02 = Computer name
  MAC address on its adapter: 00:08:02:90:d2:95
Solution: If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
Risk factor: Medium

Information found on port 3389/TCP
Finding: For your information, here is the trace route to 192.168.199.222:
  192.168.199.106
  192.168.199.222
2.5 192.168.199.230

Risk distribution: High 39%, Medium 39%, Low 22%

Port          Protocol                        Result
135/TCP       End Point Mapper                Security hole found
139/TCP       NetBIOS-SSN                     Security hole found
445/TCP       Microsoft-DS SMB file sharing   Security hole found
1031/TCP      IAD2                            Security notes found
General/ICMP  -                               Security warnings found
1032/UDP      IAD3                            Security notes found
137/UDP       NetBIOS-NS                      Security warning found
General/UDP   -                               Security note found
General/TCP   -                               Security warning found

Vulnerability found on port 135/TCP
Finding: The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one worm which is currently exploiting this vulnerability, namely the MsBlaster worm.
Solution: Update patch KB823980
Risk factor: High

Vulnerability found on port 135/TCP
Finding: MS Windows RPC service (RPCSS) crashes trying to dereference a null pointer when it receives a certain malformed request. All MS RPC-based services (i.e. a large part of MS Windows 2000+) running on the target machine are rendered inoperable.
Solution: Block access to TCP port 135
Risk factor: High

Warning found on port 135/TCP
Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Solution: Filter incoming traffic to this port
Risk factor: Low

Vulnerability found on port 139/TCP
Finding: It was possible to crash the remote host using the 'rfparalyze' denial of service attack.
Solution: Contact Microsoft for a patch. Meanwhile, filter incoming TCP connections to this port.
Risk factor: High

Information found on port 139/TCP
Finding: An SMB server is running on this port.

Vulnerability found on port 445/TCP
Finding: It was possible to log into the remote host using the following login/password combinations:
  'administrator'/''
It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the 'guest' access.
Solution: To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: The remote Windows 2000 host does not have Service Pack 4 applied.
Solution: Update to Windows 2000 SP4
Risk factor: High

Vulnerability found on port 445/TCP
Finding: The following registry keys are writeable by users who are not in the admin group:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
These keys contain the name of the program that shall be started when the computer starts. The users who have the right to modify them can easily make the admin run a Trojan program which will give them admin privileges.
Solution: Use regedt32 and set the permissions of this key to:
  - Admin group : Full Control
  - System      : Full Control
  - Everyone    : Read
Make sure that 'Power Users' do not have any special privilege for this key.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: Hotfix to fix Flaw in Microsoft VM Could Allow Code Execution (810030).
Impact of vulnerability: Three vulnerabilities, the most serious of which could enable an attacker to gain complete control over a user's system.
Affected Software: Versions of the Microsoft virtual machine (Microsoft VM) are identified by build numbers, which can be determined using the JVIEW tool as discussed in the FAQ. All builds of the Microsoft VM up to and including build 5.0.3805 are affected by these vulnerabilities.
Solution: Administrators should install the patch immediately.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: Incorrect VBScript Handling in IE Can Allow Web Pages to Read Local Files.
Impact of vulnerability: Information Disclosure
Affected Software:
  Microsoft Internet Explorer 5.01
  Microsoft Internet Explorer 5.5
  Microsoft Internet Explorer 6.0
Solution: Upgrade to Internet Explorer 7.0 or higher.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: The remote Windows host has an ASN.1 library which is vulnerable to a flaw which could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched.
Solution: Update patch MS04-007.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: User 'administrator' has NO password! The password of 'Dumbledore' is 'Dumbledore'!
Solution: Set an Administrator password that meets complexity requirements. Change the password of 'Dumbledore'.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: The following shares can be accessed as Dumbledore:
  - System32
Solution: To restrict their access under Windows NT, open the explorer, do a right click on each, go to the 'sharing' tab, and click on 'permissions'.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: The remote host is vulnerable to a flaw in the Windows Script Engine, which provides Windows with the ability to execute script code. To exploit this flaw, an attacker would need to lure one user on this host to visit a rogue website or to send him an HTML e-mail with malicious code in it.
Solution: Update patch MS03-008
Risk factor: High

Vulnerability found on port 445/TCP
Finding: The account 'administrator'/'' is valid. The worm W32/Deloder may use it to break into the remote host and upload infected data in the remote shares.
Solution: Change the Administrator password to meet complexity requirements.
Risk factor: High

Vulnerability found on port 445/TCP
Finding: It seems that it was possible to crash the remote Windows host remotely by sending a specially crafted packet. An attacker may use this flaw to prevent this host from working properly. This attack is known as SMBDie.
Solution: Update patch MS02-045
Risk factor: High

Warning found on port 445/TCP
Finding: The remote registry can be accessed remotely using the login/password combination used for the SMB tests. Having the registry accessible to the world is not a good thing as it gives extra knowledge to a hacker.
Solution: Apply Service Pack 3 if not done already, and set the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg to restrict what can be browsed by non-administrators.
Risk factor: Low

Warning found on port 445/TCP
Finding: The domain SID can be obtained remotely. Its value is:
  ACME : 5-21--1552363205--155084131--731358600
An attacker can use it to obtain the list of the local users of this host.
Solution: Filter the ports 137 to 139 and 445
Risk factor: Low

Warning found on port 445/TCP
Finding: The domain SID can be obtained remotely. Its value is:
  ACME-W2K-01 : 5-21-776561741-1580818891-854245398
An attacker can use it to obtain the list of the local users of this host.
Solution: Filter the ports 137 to 139 and 445
Risk factor: Low
Warning found on port 445/TCP
Finding: The host SID could be used to enumerate the names of the local users of this host. (We only enumerated user names whose ID is between 1000 and 1200 for performance reasons.) This gives extra knowledge to an attacker, which is not a good thing:
  - Administrator account name : administrator (id 500)
  - Guest account name : Guest (id 501)
  - smas (id 1001)
  - GORKHALI (id 1002)
  - kechasolti (id 1004)
  - ser (id 1005)
  - aman (id 1007)
  - barcelona (id 1008)
  - Severus.Snape (id 1009)
  - Dumbledore (id 1011)
  - Morpheus (id 1013)
  - hack (id 1017)
  - Nepali (id 1018)
  - ksr (id 1019)
Solution: Filter incoming connections to this port
Risk factor: Medium

Warning found on port 445/TCP
Finding: The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means that the remote host locally caches the passwords of the users when they log in, in order to continue to allow the users to log in in the case of the failure of the PDC.
Solution: Use regedt32 and set the value of this key to 0 (zero)
Risk factor: Low

Warning found on port 445/TCP
Finding: The following local accounts have never logged in:
  1. smas
  2. GORKHALI
  3. kechasolti
  4. aman
  5. Severus.Snape
  6. Dumbledore
  7. Morpheus
  8. hack
  9. Nepali
  10. Ksr
Unused accounts are very helpful to a hacker.
Solution: Delete or disable the unused accounts.
Risk factor: Medium

Warning found on port 445/TCP
Finding: Here is the list of the SMB shares of this host:
  ADMIN$   Remote Admin
  IPC$     Remote IPC
  C$       Default share
This is potentially dangerous as this may help the attack of a potential hacker.
Solution: Disable ADMIN$, C$
Risk factor: Medium

Warning found on port 445/TCP
Finding: The following local accounts have passwords which never expire:
  1. administrator
  2. aman
  3. Severus.Snape
Solution: Disable password non-expiry
Risk factor: Medium
Warning found on port 445/TCP
Finding: The following local accounts have never changed their password:
  1. administrator
  2. Guest
  3. smas
  4. GORKHALI
  5. kechasolti
  6. ser
  7. aman
  8. barcelona
  9. Severus.Snape
  10. Dumbledore
  11. Morpheus
  12. hack
  13. Nepali
  14. ksr
Solution: To minimize the risk of break-in, users should change their password regularly.
Risk factor: Medium

Warning found on port 445/TCP
Finding: The remote host is running a version of shlwapi.dll which crashes when processing a malformed HTML form. An attacker may use this flaw to prevent the users of this host from working properly. To exploit this flaw, an attacker would need to send a malformed HTML file to the remote user, either by e-mail or by making him visit a rogue web site.
Solution: Upgrade to Windows Server 2008 R2
Risk factor: Low

Information found on port 445/TCP
Finding: A CIFS server is running on this port.

Information found on port 445/TCP
Finding: The following shares can be accessed as administrator:
  C$ (readable?, writeable)
  Content of this share:
    arcldr.exe
    arcsetup.exe
    ASmith
    AUTOEXEC.BAT
    boot.ini
    cd
    CONFIG.SYS
    Documents and Settings
    IO.SYS
    MSDOS.SYS
    net
    NTDETECT.COM
    ntldr
    pagefile.sys
    Program Files
    RECYCLER
    System Volume Information
    WINNT
  ADMIN$ (readable?, writeable)
  system32 (readable?, writeable)
Risk factor: Low

Information found on port IAD2/TCP
Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this port:
  UUID     : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
  Endpoint : ncacn_ip_tcp:192.168.199.230[1031]
  Named pipe : atsvc
  Win32 service or process : mstask.exe
  Description : Scheduler service

  UUID     : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
  Endpoint : ncacn_ip_tcp:192.168.199.230[1031]
Solution: Filter incoming traffic to this port.
Risk factor: Low

Warning found on port General/ICMP
Finding: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols.
Solution: Filter out the ICMP timestamp requests, and the outgoing ICMP timestamp replies.
Risk factor: Low

Information found on port IAD3/UDP
Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this port:
  UUID     : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
  Endpoint : ncadg_ip_udp:192.168.199.230[1032]
  Annotation : Messenger Service
  Named pipe : ntsvcs
  Win32 service or process : messenger
  Description : Messenger service
Solution: Filter incoming traffic to this port
Risk factor: Low

Warning found on port 137/UDP
Finding: The following 6 NetBIOS names have been gathered:
  ACME-W2K-01  = This is the computer name registered for workstation services by a WINS client.
  ACME         = Workgroup / Domain name
  ACME-W2K-01  = This is the current logged in user registered for this workstation.
  ACME-W2K-01  = Computer name
  ACME-W2K-01$ = This is the current logged in user registered for this workstation.
  ACME         = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter: 00:03:ff:96:ce:02
Solution: If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
Risk factor: Medium

Information found on port General/UDP
Finding: For your information, here is the trace route to 192.168.199.230:
  192.168.199.106
  192.168.199.230

Warning found on port 137/UDP
Finding: The remote host accepts loose source routed IP packets. The feature was designed for testing purposes. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself.
Solution: Drop source routed packets on this host or on other ingress routers or firewalls.
Risk factor: Low

2.6 192.168.199.232

Risk distribution: High 12%, Medium 44%, Low 44%

Port          Protocol                        Result
135/TCP       End Point Mapper                Security hole found
139/TCP       NetBIOS-SSN                     Security warnings found
445/TCP       Microsoft-DS SMB file sharing   Security notes found
General/ICMP  -                               Security warnings found
1025/TCP      BlackJack                       Security notes found
1026/UDP      CAP                             Security notes found
137/UDP       NetBIOS                         Security warnings found
General/UDP   -                               Security notes found
General/TCP   -                               Security notes found

Vulnerability found on port 135/TCP
Finding: The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one worm which is currently exploiting this vulnerability, namely the MsBlaster worm.
Solution: Update patch KB823980
Risk factor: High

Vulnerability found on port 135/TCP
Finding: MS Windows RPC service (RPCSS) crashes trying to dereference a null pointer when it receives a certain malformed request. All MS RPC-based services (i.e. a large part of MS Windows 2000+) running on the target machine are rendered inoperable.
Solution: Block access to TCP port 135
Risk factor: High

Warning found on port 135/TCP
Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Solution: Filter incoming traffic to this port
Risk factor: Low

Information found on port 139/TCP
Finding: A 'rfpoison' packet has been sent to the remote host. This packet is supposed to crash the 'services.exe' process, rendering the system unstable.
Solution: If you see that this attack was successful, please update to Windows NT SP6.
Risk factor: Medium

Information found on port 139/TCP
Finding: An SMB server is running on this port.

Information found on port 445/TCP
Finding: A CIFS server is running on this port.

Warning found on port General/ICMP
Finding: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols.
Solution: Filter out the ICMP timestamp requests and the outgoing ICMP timestamp replies.
Risk factor: Low

Information found on port General/ICMP
Finding: Here is the route recorded between 192.168.199.106 and 192.168.199.232:
  192.168.199.232

Information found on port 1025/TCP
Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this port:
  UUID     : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
  Endpoint : ncacn_ip_tcp:192.168.199.232[1025]
  Named pipe : atsvc
  Win32 service or process : mstask.exe
  Description : Scheduler service

  UUID     : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
  Endpoint : ncacn_ip_tcp:192.168.199.232[1025]

  UUID     : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
  Endpoint : ncacn_ip_tcp:192.168.199.232[1025]

  UUID     : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
  Endpoint : ncacn_ip_tcp:192.168.199.232[1025]
  Annotation : Messenger Service
  Named pipe : ntsvcs
  Win32 service or process : messenger
  Description : Messenger service
Solution: Filter incoming traffic to this port
Risk factor: Low

Information found on port 1026/UDP
Finding: Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this port:
  UUID     : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
  Endpoint : ncadg_ip_udp:192.168.199.232[1026]
  Annotation : Messenger Service
  Named pipe : ntsvcs
  Win32 service or process : messenger
  Description : Messenger service
Solution: Filter incoming traffic to this port
Risk factor: Low

Warning found on port 137/UDP
Finding: The following 9 NetBIOS names have been gathered:
  HERMIONE     = This is the computer name registered for workstation services by a WINS client.
  HOME         = Workgroup / Domain name
  HERMIONE     = This is the current logged in user registered for this workstation.
  HERMIONE     = Computer name
  HOME         = Workgroup / Domain name (part of the Browser elections)
  HOME
  __MSBROWSE__
  HPOTTER      = This is the current logged in user registered for this workstation.
  DADDY        = This is the current logged in user registered for this workstation.
The remote host has the following MAC address on its adapter: 00:02:b3:27:8e:ff
Solution: If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
Risk factor: Medium

Information found on port General/UDP
Finding: For your information, here is the trace route to 192.168.199.232:
  1. 192.168.199.106
  2. 192.168.199.232

Warning found on port General/TCP
Finding: The remote host accepts loose source routed IP packets. The feature was designed for testing purposes. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself.
Solution: Drop source routed packets on this host or on other ingress routers or firewalls.
Risk factor: Low

3. CONCLUSION

Experience has shown that a focused effort to address the problems outlined in this report can result in dramatic security improvements. The identified problems vary: some of them do not require a high-tech solution, but some do. For systems to remain secure, however, the security posture must be evaluated and improved continuously. Establishing the organizational structure that will support these ongoing improvements is essential in order to maintain control of corporate information systems.

We conclude that the overall security needs to improve. We hope that the issues cited in this report will be addressed. ASA will be glad to help your organization with support, upgrades and maintenance. For more information please contact us:

  Andrew Boyce    : drewbeta@gmail.com
  Somchai Jogkaew : somtum2000@gmail.com
  Asha Maghirang  : babani8104@gmail.com

4. PENETRATION TESTING LOG

First of all, we totally forgot to capture the screenshots. So, we tried to capture as much as we could before we submitted the report.