Network Security and Mitigation Strategies

PENETRATION REPORT

Introduction

The network I have been asked to do a penetration test consists of various OS like Windows, Linux, and Ubuntu etc.

Similarly, there were desktops, laptops, androids, modems and IoTs in the network.

I have found various vulnerabilities in the existing network, this report enlightens only four devices with their corresponding vulnerabilities.

I have also explained two vulnerabilities with their CVEs and CWEs.

All these vulnerable machines have some critical information which is stored as flag.txt in each machine, which if accessible by me, the machine can be declared as vulnerable and exploitable. In further part of report I have explained what security measures can be taken to secure them.

Objective            

The objective of this assessment was to perform a penetration test against the ABC organization’s internal network. The consultant was tasked with following methodical approach in obtaining access to the objective goals. This test simulate an actual penetration test and how we would start from beginning to end, including the overall report. 

Requirements 

• Overall High -Level Summary and Recommendations (Non-technical)
• Methodology walk-through and detailed outline of steps taken
• Each finding with accompanying screenshots, walk-throughs, sample code, and CVEs.
• Any additional items as deemed necessary.                                                                                                                                   

Security Issues

1. Outdated Operating Systems
2. No Validation on File Upload

     3.  Hard-coded Credentials

     4.  Insecure Data Transfer

The Network

The company’s network consisted of various Ips which include 

192.1.68.0.w/z

Below mentioned are the Ips which I found vulnerable and did the penetration testing.

The attack mentioned below were done on different organizations which were the reason behind the breaches and DoS.

Vulnerable Machine IPs

1. 192.168.0.x
2. 192.168.0.y
3. 192.168.0.z
4. 192.168.0.w

Attack Scenario 

1. Machine with IP 192.168.0.x

Security Issue

• Outdated Operating Systems

Outdated Operating Systems

An outdated OS, let say Windows, if not updated with time becomes vulnerable and led to produce vulnerability.

This issue becomes more critical if the firewall is not set with proper inbound and outbound rules.

Every time systems misses a update it becomes more and more vulnerable.

This access can be gained by any technique, generally it is done by executing attacker’s code on victim’s computer and hence resulting in compromise.

This remote code execution vulnerability can be performed on victim’s computer, victim’s website, victim’s web server.

This vulnerability is considered to be one of the most critical vulnerabilities in the information security world.

Counter Measures should be taken immediately once encountered.

Tools Used

• Nmap
• Metasploit

Nmap

Nmap is a tool which is open source and free utility for network discovery and security testing. Many systems and network administrators also find it useful for tasks such as network, managing service upgrade schedules, and monitoring host or service are up. Nmap use IP packets in ways which help in determining what hosts are in the network, which service (application name, version etc) these hosts offering, what operating systems they are running, what type of packet filter and firewalls are there in large networks, but works fine with single host. 

Metasploit

The Metasploit is the fundamental on which the professional products are built. Metasploit is an open source tool which comes with Kali Linux OS, and it is a tool which can do penetration tests and security auditing. This tool was built by Rapid7's and open source own hard working content team, new modules are always added on a regular basis, which means that the database of latest exploits will be updated as soon as it becomes available.

Reconnaissance Phase

Command used → nmap --script vuln 192.168.0.139

This command will let us know if this machine is vulnerable or not and if it is with which vulnerability it is vulnerable.

After using Nmap I was able to discover what type of OS, services this IP was using.

And furthermore it also displayed the vulnerability present in it.

In this phase I found that the machine has a risk vulnerability with 

CVE:CVE-2017-0143 which is a Remote Code Execution.

Attacking

As it was seen that the machine was vulnerable with CVE-2017-0143 and it was OBSERVED in the past recently, that organizations were hit by a Ransomware known as Wanna Cry Ransomware that affected several organizations.

This ransomware was result of the exploit known as eternal blue associated with the 

Hackers group known as Shadow Brokers.

When a computer is infected, WannaCry ransomware targets and encrypts 177 types of file. Some of the WannaCry targets were database files, multimedia and archive files, as well as documents. In its ransom note, which supports several languages, it demanded $500 worth of Bitcoins.

1. Machine with IP 192.168.0.y

Security Issue 

• No Validation on File Upload

No Validation on File Type

It was observed that the infrastructure includes a web application with working functionalities. It gave option to users to upload the file to website and then it was processed at server, but the file upload didn’t have any validation applied on it.

This means a user can upload malicious file which can harm the network and compromise the whole IT infrastructure.  

Tools Used

• Nmap
• Metasploit
• MSFVenom
• MD5 Decryptor

MSFVenom

MSF venom is a combined tool with Msfpayload and Msfencode. Msfvenom replaced msfencode and msfpayload on June 8th, 2015.

The advantages of msfvenom are:

• A single tool
• Available command line options
• High speed

MD5 Decrypto

MD5 is an encryption algorithm, which generates a hash of 32 character, with no issue of the input size. This algorithm cannot be reversed, it is impossible to find the original word from the MD5 hash. This tool uses huge database in order to have the best chance of cracking the original word.
We only have to enter the hash in the MD5 decoder in order to decrypt it.

Attacking  Phase

The organisation was running old Jquery, this was relatable to attack which were encountered by an industry. This attack method was identified long ago, but the organization was too lazy to follow the some of the public CVE disclosures.

Looking at this jQuery vulnerability, it allowed the disallowed files to be uploaded on the server and further executing it.

1. Machine with IP 192.168.0.145

Vulnerability

• Hard-coded Credentials

Hard Coded Credentials

This vulnerability as the name suggests hard coded means that the passwords and other crucial information is hard coded in the device.

This crucial information includes internal Ips, Passwords etc.

Generally the passwords hard coded in the devices are of root users which means if logged in with these credentials then root access of device will be granted.

Reconnaissance Phase

• Detailed Nmap scan showed that the device is a Schnieder Electric’s IoT Device
• A password of device was hard-coded of the root and admin account, which allowed ease to proximate attackers to login at the panel.

Attacking Phase

The gateways of the IoT devices were affected:

• TSXETG3000 all versions
• TSXETG3010 all versions
• TSXETG3021 all versions
• TSXETG3022 all versions

On stripping apart rde.jar, founded hardcode credentials for the FTP service on device, which gave access to the device as a root user.

1. Machine with IP 192.168.0.163 

Vulnerability

• Insecure Data Transfer and Storage

Tools Used

• Wireshark

Wireshar

• A tool which used to capture the raw TCP and UDP packets. 
• It captures both incoming and outgoing packets.

Reconnaissance Phase

• On research it was clear that the device was performing as per the instructions which were sent over the internet.
• So I checked how the traffic was sent to the device over the internet.
•  The traffic was sent over HTTP insecurely.
• Traffic can be easily seen, and what instruction was sent.

Exploitatio

• I performed Man-in-the-middle-attack. 
• A man-in-the-middle attack is an attack in which an attacker relays and probably eaves drop the communication between two people who will obviously believe they are directly communicating to each other. An example of this attack is eavesdropping, in this the attacker makes  connection with the victims and reads their conversation or speaking technically, the attacker captures all the traffic and send it to the receiver, the traffic could be manipulated or just read .
• After performing MITM I was able to manipulate the traffic and hence exploit it.

Vulnerabilities with CVE

1. Remote Code Execution CVE-2017-0143

A Remote code execution is a vulnerability in which an attacker gains access of victim’s system by any means and is able to traverse any folder of the victim’s system.

This access can be gained by any technique, generally it is done by executing attacker’s code on victim’s computer and hence resulting in compromise.

This remote code execution vulnerability can be performed on victim’s computer, victim’s website, victim’s web server.

This vulnerability is considered to be one of the most critical vulnerabilities in the information security world.

Counter Measures should be taken immediately once encountered.

1. Arbitrary File Upload CVE-2018-9206

Arbitrary File Upload vulnerability as the name suggests is a vulnerability due to uploading a malicious file and when accessing the file it results in a reverse shell of the victim’s machine.

This vulnerability goes hand-in-hand with remote code execution as the impact of both the vulnerability is same.

This vulnerability is generally found in the websites, the websites which allows file upload.

And file upload function has no restriction to it.

Generally, files with extension php causes the exploit of this vulnerability.

This vulnerability can also introduce bugs like SSRF – server side request forgery and XXE.

  Solutions Proposed

1. Outdated OS

Outdated Operating Systems introduces a of Remote code execution with CVE-2017-0143 means a bug in windows 

The reason this is found is firewalls not properly configured, out dated windows.

So, the proposed solution was upgrading the windows to the latest one and keep updating it with time. 

1. No Validation on File Type

The reason why arbitrary file upload works is the improper file validation, which means if developer allowed a specific file type to be uploaded by somehow it got bypassed.

To this proper file handling was suggested as a solution which will stop this attack.

1. Hard Coded Credentials

The reason behind this bug is basic human error i.e for the ease of access the developers hard code the passwords so that the co-developers can easily access the admin panel 

Or

Some of the devices use default password for the root users, which people forgot to change when they deploy the device which attackers make benefit of.

The solution for this for this bug was simple which was – Change all the default passwords of the devices which don’t require human monitoring.

1. Insecure Data Transfer and Storage

The devices which communicate over the internet requires transfer of data i.e packets both TCP and UDP which is most of the times over an insecure layer like HTTP.

A secure layer for data transfer is suggested to stop this type of attack such as HSTS or HTTPS etc.

These protected layer encrypts data before transferring and decrypts before delivering. An end to end encryption is introduced.