
(OF IP-192.168.1.6)
FOR II-SECURITY
BY NAVEEN THAKUR

Contents
1 Executive Summary
1.1 Summary
1.1.1 Approach
1.2 Scope
1.2.1 Graphical Summary
1.2.2 Nmap Scanning
1.3 Key Findings
1.3.1 vsftpd Backdoor Command Execution
1.3.2 NFS Exported Share Information Disclosure
1.3.3 Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
1.3.4 Rogue Shell Backdoor Detection
1.3.5 RealVNC Authentication Bypass
1.3.6 Backdoor Command Execution
1.3.7 DistCC Daemon
1.3.8 OS Outdated
1.3.9 Tomcat-Tomcat
1.3.10 HTTP TRACE / TRACK Methods Allowed
1.3.11 Microsoft Windows SMB Shares Unprivileged Access
1.3.12 rlogin Service Detection
1.3.13 MySQL Unpassworded Account Check
1.3.14 Anonymous FTP Enabled
1.3.15 /doc Directory Browsable
1.3.16 Apache HTTP Server httpOnly Cookie Information Disclosure
1.3.17 SSL Certificate Expiry
1.3.18 SSL Self-Signed Certificate
1.3.19 SSL Certificate with Wrong Hostname
1.3.20 SMB Signing Required
Conclusion

1.1 Summary
Mr. Samandeep Singh assigned the task of penetration testing 192.168.1.6 on 4-04-2014. The
penetration test was performed on 5-04-2014. The detailed report on each task and our findings is
given below.
The purpose of the test is to determine security vulnerabilities in the server. The tests are carried out
assuming the identity of an attacker or a user with malicious intent. At the same time, due care is taken
not to harm the server.

1.1.1 Approach
Perform broad scanning with Nmap to identify potential areas of exposure.
Perform an automated scan with Nessus, supplemented by manual testing, to find vulnerabilities.
Identify and validate vulnerabilities.
Rank vulnerabilities by threat level, loss potential and likelihood of exploitation.
Perform supplementary research activities to support the analysis.
Identify issues of immediate consequence and recommend solutions.
Give recommendations to enhance security.

1.2 Scope
The scope of this penetration test was limited to the IP address mentioned below.
192.168.1.6

1.2.1 Graphical Summary

[Bar chart: number of findings by severity. Categories: Critical, High, Medium; y-axis 0 to 7.]

1.2.2 Nmap Scanning

Port   State  Service      Version
21     open   ftp          vsftpd 2.3.4
22     open   ssh          OpenSSH 4.7p1 Debian 8ubuntu1
23     open   telnet       Linux telnetd
25     open   smtp         Postfix smtpd
53     open   domain       ISC BIND 9.4.2
80     open   http         Apache httpd 2.2.8
111    open   rpcbind      2 (RPC #100000)
139    open   netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
445    open   netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
512    open   exec         netkit-rsh rexecd
513    open   login?
514    open   tcpwrapped
1099   open   rmiregistry  GNU Classpath grmiregistry
1524   open   ingreslock?
2049   open   nfs          2-4 (RPC #100003)
2121   open   ftp          ProFTPD 1.3.1
3306   open   mysql        MySQL 5.0.51a-3ubuntu5
5432   open   postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900   open   vnc          VNC (protocol 3.3)
6000   open   X11          (access denied)
6667   open   irc          Unreal ircd
8009   open   ajp13        Apache Jserv (protocol v1.3)
8180   open   http         Apache Tomcat/Coyote JSP engine 1.1

1.3 Key Findings


1.3.1 vsftpd Backdoor Command Execution
Rank - Critical
Port - 21/tcp
Description - The version of vsftpd running on the remote host has been compiled with a backdoor.
Attempting to log in with a username containing :) (a smiley face) triggers the backdoor, which results
in a shell listening on TCP port 6200.
Impact - An attacker can alter system settings, delete files, send spam, and view videos and pictures.
Analysis of vsftpd
Used the exploit module exploit/unix/ftp/vsftpd_234_backdoor.

Now we have root privileges.

Recommendation - Validate and recompile a legitimate copy of the source code.
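As an added defender-side example (not part of the original report), the following Python script scans vsftpd log lines for login attempts whose username carries the :) trigger described above and lists the source clients. The log lines are constructed for the example, and the function names are my own, not the report's.

```python
import re
from typing import Dict, List

# Constructed sample of vsftpd.log lines (not taken from the report).
# A login whose username contains ":)" is the trigger described in finding 1.3.1.
SAMPLE_LOG = """\
Sat Apr  5 10:12:33 2014 [pid 2] CONNECT: Client "192.168.1.5"
Sat Apr  5 10:12:35 2014 [pid 1] [alice] OK LOGIN: Client "192.168.1.5"
Sat Apr  5 10:14:02 2014 [pid 3] CONNECT: Client "192.168.1.9"
Sat Apr  5 10:14:03 2014 [pid 3] [bob:)] FAIL LOGIN: Client "192.168.1.9"
Sat Apr  5 10:14:10 2014 [pid 4] [anonymous] OK LOGIN: Client "192.168.1.7"
Sat Apr  5 10:15:44 2014 [pid 5] [:)] FAIL LOGIN: Client "10.0.0.3"
"""

# Matches the timestamp, the bracketed username, the LOGIN outcome and the client IP.
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ [\d:]+ \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)

def find_smiley_logins(log_text: str) -> List[Dict[str, str]]:
    """Return one record per login attempt whose username carries the ":)" trigger.
    The outcome is recorded too: the backdoor fires on the USER command, so even a
    FAIL LOGIN line is worth investigating."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and ":)" in m.group("user"):
            hits.append({"ts": m.group("ts"), "user": m.group("user"),
                         "client": m.group("client"), "result": m.group("result")})
    return hits

def suspicious_clients(log_text: str) -> List[str]:
    """Distinct source addresses that sent the trigger, in order of first appearance."""
    seen: List[str] = []
    for hit in find_smiley_logins(log_text):
        if hit["client"] not in seen:
            seen.append(hit["client"])
    return seen

if __name__ == "__main__":
    for hit in find_smiley_logins(SAMPLE_LOG):
        print(f'{hit["ts"]}  client={hit["client"]}  user={hit["user"]!r}  ({hit["result"]})')
```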


1.3.2 NFS Exported Share Information Disclosure
Rank - Critical
Port - 2049/tcp
Description - At least one of the NFS shares exported by the remote server could be mounted by the
scanning host.
Impact - An attacker can mount the directory, create an SSH key and gain access to the server.
Analysis of NFS exported share information disclosure:

1. Mount the target's directory.

2. Create a key with ssh-keygen. In this case we created an RSA key.

4. Command for SSH: ssh -i /root/.ssh/nav_rsa.pub root@192.168.1.6 (nav_rsa.pub is the generated key).

Here we are root, which means we have total root privileges.

Recommendation - Consider all cryptographic material generated on the remote host to be guessable.
In particular, all SSH, SSL and OpenVPN key material should be regenerated.
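The check a practitioner would want alongside this finding is whether the server's export list lets arbitrary hosts mount shares or lets a remote root keep its privileges. The following Python auditor is an added example, not part of the report; the /etc/exports content is constructed and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed /etc/exports sample (not taken from the report). The first export
# is the kind of share any host can mount, which is what finding 1.3.2 reports.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS file systems being exported.
/               *(rw,no_root_squash)
/srv/share      192.168.1.0/24(rw,sync,root_squash)
/srv/public     *(ro,sync,root_squash)
/home           192.168.1.10(rw,sync) 192.168.1.11(rw,sync,no_root_squash)
"""

EVERYONE = {"*", "0.0.0.0/0"}
SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")  # host(options) or bare host

def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair with that client's option set."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]  # no client list means everyone
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            host, opts = m.group(1) or "*", m.group(2) or ""
            entries.append({"path": path, "client": host,
                            "opts": {o.strip() for o in opts.split(",") if o.strip()}})
    return entries

def audit_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Flag exports any host can mount, exports any host can write to, and exports
    that turn off root squashing (the client's root then acts as root on the share)."""
    findings = []
    for e in parse_exports(text):
        issues = []
        if e["client"] in EVERYONE:
            issues.append("mountable by any host")
            if "rw" in e["opts"]:
                issues.append("writable by any host")
        if "no_root_squash" in e["opts"]:
            issues.append("remote root is not squashed")
        if issues:
            findings.append((e["path"], e["client"], issues))
    return findings

if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(issues)}")
```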
1.3.3 Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Rank - Critical
Port - 445/tcp
Description - The remote host has one or more Windows shares that can be accessed through the network
with the given credentials. Depending on the share rights, it may allow an attacker to read/write
confidential data.
Impact - The attacker obtains command execution with root privileges.
Analysis of Samba smbd 3.X
1. Using exploit/multi/samba/usermap_script and a payload.

Using this payload we exploited it, so now we are in a shell; having uid 0 and gid 0
means we have root privileges.

Recommendation - Upgrade to Samba version 3.0.25 or later.
1.3.4 Rogue Shell Backdoor Detection
Rank - Critical
Port - 1524/tcp
Description - A shell is listening on the remote port, without any authentication. An attacker may use
it by connecting to the remote port and sending commands directly.
Impact - In this case the attacker has root privileges and can do anything with them.
Analysis - In this case the target machine was in listening mode; we used telnet with the default
username and password, and by that we just got through.

Recommendation - Verify whether the remote host has been compromised, and reinstall the system if
necessary.

1.3.5 RealVNC Authentication Bypass
Rank - Critical
Port - 5900/tcp
Description - This is caused by improper validation of the client authentication method, which
could allow an attacker to successfully authenticate to an affected system using the null authentication
method.
Impact - An attacker can successfully authenticate to an affected system using "password" as the password.
Analysis of RealVNC authentication bypass

3. Now in this case we have root access, because only root has uid=0 and gid=0, so it comes under
Critical.

Recommendation - Secure the VNC service with a strong password.

1.3.6 Backdoor Command Execution
Rank - Critical
Port - 6667/tcp
Description - This module exploits a malicious backdoor that was added to the Unreal IRCd 3.2.8.1
download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November
2009 and June 12th 2010.
Impact - An attacker can get root access through this backdoor and can delete or modify files.
Analysis of Unreal ircd - By using exploit/unix/irc/unreal_ircd_3281_backdoor.

Now we have root access in this case, which means it is Critical.

Recommendation - Update it.

1.3.7 DistCC Daemon
Rank - Critical
Port - 3632/tcp
Description - This module uses a documented security weakness to execute arbitrary commands on
any system running distccd.
Impact - An attacker can get access as a particular user, and through that user can also get access as
the root user.
Analysis of DistCC daemon - distcc is used for access control bypass. Use exploit/unix/misc/distcc_exec,
which is daemon command execution.

In this case we used two exploits: one for a shell and another for root privileges.

Using another exploit.

4. Now using this exploit we got root privileges, because we have uid and gid 0.

1.3.8 OS Outdated
The remote host is running an obsolete operating system.
Rank - Critical

Description - According to its version, the remote UNIX operating system is obsolete and is no longer
maintained by its vendor or provider. Lack of support implies that no new security patches will be
released for it.
Recommendation - Upgrade to a newer version.

1.3.9 Tomcat-Tomcat
Rank - High
Port - 8180/tcp
Description - In this case there is a default password in this version. The effect of these issues is that
Digest authentication is no stronger than Basic authentication.
Impact - An attacker can get administrative-level privileges on Apache.
Analysis of Tomcat-Tomcat.

Now we have administrative privileges here.

Recommendation - Change the default password; the new password should be difficult to guess.

1.3.10 HTTP TRACE / TRACK Methods Allowed
Rank - High
Port - 80/tcp
Description - The version of Apache HTTP Server running on the remote host has an information
disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit
causes the web server to respond with an HTTP 400. By default, the offending HTTP header and
value are displayed on the 400 error page. When used in conjunction with other attacks (e.g.,
cross-site scripting), this could result in the compromise of httpOnly cookies.
Impact - An attacker can get the files in the directory and is also able to delete the files.

1.3.11 Microsoft Windows SMB Shares Unprivileged Access
Rank - High
Port - 445/tcp
Description - The remote host has one or more Windows shares that can be accessed through the network
with the given credentials.
Impact - It may allow an attacker to read/write confidential data.
Recommendation - To restrict access under Windows, open Explorer, right-click on each share,
go to the 'Sharing' tab, and click on 'Permissions'.
1.3.12 rlogin Service Detection
Rank - High
Port - 513/tcp
Description - The remote host is running the 'rlogin' service. This service is dangerous in the sense
that it is not encrypted; that is, everyone can sniff the data that passes between the rlogin client and the
rlogin server. This includes logins and passwords.
Impact - Through this an attacker can log in because of poor authentication. If the host is vulnerable to TCP
sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local
network), then it may be possible to bypass authentication.
Recommendation - Comment out the 'login' line in /etc/inetd.conf.
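The recommendation above is a one-line edit; the following Python script (an added example, not part of the report) shows how to audit an inetd configuration for the cleartext r-services behind ports 512, 513 and 514 in the scan, plus telnet, and how to produce the commented-out version. The inetd.conf content is constructed and the function names are my own.

```python
from typing import Iterable, List, Tuple

# Constructed /etc/inetd.conf sample (not taken from the report). The shell, login
# and exec lines correspond to ports 514, 513 and 512 in the Nmap table.
SAMPLE_INETD = """\
# /etc/inetd.conf: see inetd(8) for further information.
#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/vsftpd
telnet  stream  tcp  nowait  telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
shell   stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/in.rshd
login   stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/in.rlogind
exec    stream  tcp  nowait  root     /usr/sbin/tcpd  /usr/sbin/in.rexecd
#finger stream  tcp  nowait  nobody   /usr/sbin/tcpd  /usr/sbin/in.fingerd
"""

# inetd service names that carry credentials in the clear or trust the peer's address.
CLEARTEXT_SERVICES = {"login": "rlogin", "shell": "rsh", "exec": "rexec", "telnet": "telnet"}

def enabled_services(conf: str) -> List[str]:
    """Service names of every active (uncommented, non-blank) inetd entry, in file order."""
    names = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split()[0])
    return names

def cleartext_findings(conf: str) -> List[Tuple[str, str]]:
    """(inetd service name, protocol) pairs for enabled entries that should be disabled."""
    return [(s, CLEARTEXT_SERVICES[s]) for s in enabled_services(conf) if s in CLEARTEXT_SERVICES]

def disable_services(conf: str, names: Iterable[str]) -> str:
    """Return the configuration with the named services commented out, which is what
    the report's recommendation (comment out the 'login' line) does by hand."""
    targets = set(names)
    out = []
    for raw in conf.splitlines():
        fields = raw.split()
        out.append("#" + raw if fields and fields[0] in targets else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for service, proto in cleartext_findings(SAMPLE_INETD):
        print(f"enabled cleartext service: {service} ({proto})")
```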
1.3.13 MySQL Unpassworded Account Check
Rank - High
Port - 3306/tcp
Description - It is possible to connect to the remote MySQL database server using an unpassworded
account.
Impact - This may allow an attacker to launch further attacks against the database.
Recommendation - Disable or set a password for the affected account.

1.3.14 Anonymous FTP Enabled
Rank - Medium
Port - 21/tcp
Description - This FTP service allows anonymous logins. Any remote user may connect and
authenticate without providing a password or unique credentials.
Impact - This may allow an attacker to access any files made available on the FTP server.
Recommendation - Disable anonymous FTP if it is not required. Routinely check the FTP server to
ensure sensitive content is not available.

1.3.15 /doc Directory Browsable
Rank - Medium
Port - 80/tcp
Description - The /doc directory is browsable. /doc shows the contents of the /usr/doc directory.
Impact - Through this an attacker can reveal not only which programs are installed but also their versions.
Recommendation - Use access restrictions for the /doc directory.

1.3.16 Apache HTTP Server httpOnly Cookie Information Disclosure
Rank - Medium
Port - 80/tcp
Description - The version of Apache HTTP Server running on the remote host has an information
disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit
causes the web server to respond with an HTTP 400.
Impact - This could result in the compromise of httpOnly cookies.
Recommendation - Upgrade to Apache version 2.0.65 / 2.2.22 or later.

1.3.17 SSL Certificate Expiry
Rank - Medium
Port - 25/tcp
Description - This check examines the expiry dates of certificates associated with SSL-enabled services on
the target and reports whether any have already expired.
Recommendation - Purchase or generate a new SSL certificate to replace the existing one.

1.3.18 SSL Self-Signed Certificate
Rank - Medium
Port - 25/tcp
Description - The X.509 certificate chain for this service is not signed by a recognized certificate
authority.
Impact - An attacker can establish a man-in-the-middle attack against the remote host.
Recommendation - Purchase or generate a proper certificate for this service.

1.3.19 SSL Certificate with Wrong Hostname
Rank - Medium
Port - 25/tcp
Description - The commonName (CN) of the SSL certificate presented on this service is for a
different machine.
Impact - An attacker can establish a man-in-the-middle attack against the remote host.
Recommendation - Purchase or generate a proper certificate for this service.

1.3.20 SMB Signing Required
Rank - Medium
Port - 445/tcp
Description - Signing is not required on the remote SMB server. This can allow man-in-the-middle
attacks against the SMB server.
Impact - An attacker can log in to the remote server.
Recommendation - Enforce message signing in the host's configuration.

Conclusion
Experience has shown that a focused effort to address the problems outlined in this report can result
in dramatic security improvement. There are many simple ways to secure your system.
For systems to remain secure, however, security posture must be evaluated and improved
continuously.
We conclude that the overall security needs to improve. We hope that the issues cited in this
report will be addressed.
