By Naveen Thakur
Contents
1 Executive Summary
1.1 Summary
1.1.1 Approach
1.2 Scope
1.2.1 Graphical Summary
1.2.2 Nmap Scanning
1.3 Key Findings (1.3.1 to 1.3.20)
Conclusion
1.1 Summary
Mr. Samandeep Singh assigned the task of penetration testing 192.168.1.6 on 44-04-2014. The penetration test was performed on 5-04-2014. The detailed report about each task and our findings is given below.
The purpose of the test is to determine security vulnerabilities in the server. The tests are carried out assuming the identity of an attacker or a user with malicious intent. At the same time, due care is taken not to harm the server.
1.1.1 Approach
Perform broad scanning with Nmap to identify potential areas of exposure.
Perform an automated scan with Nessus, supplemented by manual testing, to find vulnerabilities.
Identify and validate each vulnerability.
Rank each vulnerability on its threat level, loss potential and likelihood of exploitation.
Perform supplementary research to support the analysis.
Identify issues of immediate consequence and recommend solutions.
Give recommendations to enhance security.
1.2 Scope
The scope of this penetration test was limited to the below mentioned IP addresses.
192.168.1.6
1.2.1 Graphical Summary
[Bar chart: number of findings by severity (Critical, High, Medium); y-axis 0 to 7.]
1.2.2 Nmap Scanning
Port    State   Service       Version
21      open    ftp           vsftpd 2.3.4
22      open    ssh
23      open    telnet        Linux telnetd
25      open    smtp          Postfix smtpd
53      open    domain
80      open    http
111     open    rpcbind       2 (RPC #100000)
139     open    netbios-ssn   Netbios
445     open    netbios-ssn   Netbios
512     open    exec
513     open    login?
514     open    tcpwrapped
1099    open    rmiregistry
1524    open    ingreslock?
2049    open    nfs           2-4 (RPC #100003)
2121    open    ftp           ProFTPD 1.3.1
3306    open    mysql         MySQL 5.0.51a-3ubuntu5
5432    open    postgresql    PostgreSQL DB 8.3.0 - 8.3.7
5900    open    vnc           VNC (protocol 3.3)
6000    open    X11           (access denied)
6667    open    irc           Unreal ircd
8009    open    ajp13         Apache Jserv (protocol v1.3)
8180    open    http          GNU Classpath grmiregistry
2. Creation of ssh-keygen: in this step we created the RSA key.
Using this payload we exploited the target, so we are now in a shell; having obtained uid 0 and gid 0 means we have root privileges.
Recommendation- Upgrade to Samba version 3.0.25 or later.
1.3.4 Rogue Shell Backdoor Detection
Rank- Critical
Port- 1524/tcp
Descriptions- A shell is listening on the remote port without any authentication. An attacker may use it by connecting to the remote port and sending commands directly.
Impact- The attacker has root privileges on this shell and can therefore do anything with root privileges.
Analysis- In this case the target machine was in listening mode; we connected with telnet using the default username and password, and by that we simply got through.
Recommendation- Verify whether the remote host has been compromised, and reinstall the system if necessary.
3. In this case we have root access, because only root has uid=0 and gid=0, so the finding is ranked Critical.
Recommendation- Secure the VNC service with a strong password.
1.3.7 DistCC Daemon
Rank- Critical
Port- 3632/tcp
Descriptions- This module uses a documented security weakness to execute arbitrary commands on any system running distccd.
Impact- An attacker can gain access as a particular user and, through that user, can also gain access as root.
Analysis of DistCC Daemon- distcc is used for access control bypass. Use exploit/unix/misc/distcc_exec, which is daemon command execution.
In this case we used two exploits, one for the shell and another for the root privileges.
4. Using this exploit we got root privileges, because we have uid and gid 0.
1.3.8 OS Outdated
The remote host is running an obsolete operating system.
Rank- Critical
Description- According to its version, the remote UNIX operating system is obsolete and is no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it.
Recommendation- Upgrade to a newer version.
1.3.9 Tomcat
Rank- High
Port- 8180/tcp
Descriptions- In this case there is a default password in this version. The effect of these issues is that Digest authentication is no stronger than Basic authentication.
Impact- An attacker can get administrative-level privileges on Apache.
Analysis of Tomcat.
Descriptions- The remote host has one or more Windows shares that can be accessed through the network with the given credentials.
Impact- It may allow an attacker to read/write confidential data.
Recommendation- To restrict access under Windows, open Explorer, right-click on each share, go to the 'Sharing' tab, and click on 'Permissions'.
1.3.12 rlogin Service Detection
Rank- High
Port- 513/tcp
Descriptions- The remote host is running the 'rlogin' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords.
Impact- An attacker can log in because of the poor authentication. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network), then it may be possible to bypass authentication.
Recommendation- Comment out the 'login' line in /etc/inetd.conf.
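One way to apply this recommendation, as an added example that is not part of the original report: a POSIX shell function that comments out the active 'login' entry of an inetd.conf and a check that confirms the entry is disabled. The functions take a list of service names, so the same step also covers 'exec' on 512 from the scan; the sample inetd.conf written by write_sample_inetd_conf is constructed, not the audited host's file.

```shell
#!/bin/sh
# Added example (not from the report): disable the 'login' (rlogin) entry in an
# inetd.conf. Assumes classic inetd syntax, one service per line, name in field 1.

# inetd_service_active FILE SERVICE -> exit 0 if an uncommented entry for
# SERVICE exists, i.e. the condition the rlogin finding reports.
inetd_service_active() {
    awk -v svc="$2" '
        /^[[:space:]]*#/ { next }        # commented entries are disabled
        $1 == svc        { found = 1; exit }
        END              { exit found ? 0 : 1 }
    ' "$1"
}

# disable_inetd_services FILE SERVICE... -> comment out every active entry
# whose service name is listed; prints the number of lines changed.
disable_inetd_services() {
    file=$1; shift
    [ $# -gt 0 ] || { echo "no service names given" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v svcs="$*" -v out="$tmp" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print > out; next }   # keep as-is
        ($1 in want) { print "#" $0 > out; changed++; next }
        { print > out }
        END { close(out); print changed + 0 }
    ' "$file" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the original owner and mode
}

# write_sample_inetd_conf FILE -> constructed inetd.conf carrying the r-services
# seen on the target (exec 512, login 513); not the audited host's file.
write_sample_inetd_conf() {
    printf '%s\n' \
        '# /etc/inetd.conf: constructed sample for the example' \
        'telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd' \
        'shell   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rshd' \
        'login   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rlogind' \
        'exec    stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rexecd' \
        '#finger stream  tcp  nowait  nobody /usr/sbin/tcpd /usr/sbin/in.fingerd' \
        > "$1"
}

# Stand-alone demo: disable rlogin in the sample and show the result.
demo_cfg=$(mktemp)
write_sample_inetd_conf "$demo_cfg"
echo "lines changed: $(disable_inetd_services "$demo_cfg" login)"
inetd_service_active "$demo_cfg" login && echo "login still active" || echo "login disabled"
cat "$demo_cfg"; rm -f "$demo_cfg"
```

After the edit, inetd has to re-read its configuration (for example via SIGHUP or a service restart) before port 513 actually closes.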
1.3.13 MySQL Unpassworded Account Check
Rank- High
Port- 3306/tcp
Descriptions- It is possible to connect to the remote MySQL database server using an unpassworded account.
Impact- This may allow an attacker to launch further attacks against the database.
Recommendation- Disable or set a password for the affected account.
1.3.16 Apache HTTP Server httpOnly Cookie Information Disclosure
Rank- Medium
Port- 80/tcp
Descriptions- The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400.
Impact- This could result in the compromise of httpOnly cookies.
Recommendation- Upgrade to Apache version 2.0.65 / 2.2.22 or later.
1.3.19 SSL Certificate with Wrong Hostname
Rank- Medium
Port- 25/tcp
Descriptions- The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Impact- An attacker can establish a man-in-the-middle attack against the remote host.
Recommendation- Purchase or generate a proper certificate for this service.
Conclusion
Experience has shown that a focused effort to address the problems outlined in this report can result in dramatic security improvement. There are many simple ways to secure your system. For systems to remain secure, however, the security posture must be evaluated and improved continuously.
We conclude that the overall security needs to improve. We hope that the issues cited in this report will be addressed.