Outcomes
The purpose of this assessment task is to apply the student’s understanding and knowledge gained from the weekly content in articulating and writing a report that:
Overview
Internet of Things (IoT) devices can be used to sense and share data from their surrounding environment for various purposes that can be useful for both humans and machines. These can be as simple as measuring the temperature of a room or more critical tasks such as monitoring the heart rate of a sick patient in a hospital. The advances in hardware design, communication protocols, and computing technologies have created an ecosystem of a variety of IoT devices by numerous vendors and underlying infrastructure.
The network diagram provided (Figure 1, see below) illustrates the various IoT devices integrated in a medium-sized organisation's IT network. Table 1 (see below) provides detailed specifications of the devices including hardware, software, and firmware details. Although the network is already secured with various defences, there are several problems that can lead to the organisation being compromised by cyber criminals.
Instructions
You have been hired as an external cyber security consultant to analyse the network for security issues and recommend solutions to mitigate these risks in the form of a technical report. The report is intended to be submitted to the management committee of the organisation. Therefore, highly technical concepts must be further described to a level understood by a novice audience.
Your report should consist of the following:
Please note that discussions related to security policies are beyond the scope of this assessment and therefore should be excluded from your report.
Marking Criteria
Each of the following criteria is worth 8 marks, with a total of 40 marks for the whole assessment.
Resources
The above diagram has been created using draw.io for broader compatibility instead of Visio. You can download the file in various formats as indicated below.
Table 1:
Device | Details |
Cisco ASA 5585-X | Used as the edge firewall for the organisation. Last software/firmware update unknown. |
Netgear GS116PP-100AJS | Unmanaged network switch. |
Linksys WRT1900AC | Wireless router using WEP shared key authentication. |
Wireless Temperature Sensor | Custom built temperature sensor. |
File Server | Windows Server 2016 |
Directory Server | Windows Server 2016 |
Proxy Server | Ubuntu Server 16.04 LTS Squid proxy |
Mail Server | Ubuntu Server 16.04 LTS, Postfix 3.2, SquirrelMail 1.4.23, Apache 2, PHP 5 |
LAN 1 | Various desktop configurations: 9 x Windows 10 PCs, 1 x Ubuntu Desktop 18.10 running the MQTT broker software for the temperature sensor |
LAN 2 | Various desktop configurations: 15 x Windows 10 PCs |
The report should be properly word processed and formatted to a professional standard suitable for the target audience. As a minimum, the report should have the following sections. You may add sub-headings or other content as required.
PENETRATION REPORT
Introduction
The network I have been asked to penetration test consists of various operating systems such as Windows, Linux and Ubuntu.
Similarly, there were desktops, laptops, Android devices, modems and IoT devices in the network.
I have found various vulnerabilities in the existing network; this report covers only four devices with their corresponding vulnerabilities.
I have also explained two vulnerabilities with their CVEs and CWEs.
All these vulnerable machines hold some critical information stored as flag.txt on each machine; if it is accessible by me, the machine can be declared vulnerable and exploitable. In a later part of the report I have explained what security measures can be taken to secure them.
Objective
The objective of this assessment was to perform a penetration test against the ABC organisation's internal network. The consultant was tasked with following a methodical approach in obtaining access to the objective goals. This test simulates an actual penetration test and how we would proceed from beginning to end, including the overall report.
Requirements
Security Issues
The Network
The company's network consisted of various IP ranges, which include
192.168.0.w/z
Listed below are the IPs which I found vulnerable and on which I did the penetration testing.
The attacks mentioned below have been carried out against different organisations and were the reason behind their breaches and DoS incidents.
Vulnerable Machine IPs
Attack Scenario
Security Issue
Outdated Operating Systems
An outdated OS, say Windows, that is not updated over time becomes vulnerable and leads to further vulnerabilities.
This issue becomes more critical if the firewall is not configured with proper inbound and outbound rules.
Every time a system misses an update it becomes more and more vulnerable.
Tools Used
Nmap is a free, open-source utility for network discovery and security testing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring whether hosts or services are up. Nmap uses IP packets in ways which help determine what hosts are on the network, which services (application name, version, etc.) those hosts are offering, what operating systems they are running, and what type of packet filters and firewalls are in place. It was designed for large networks but works fine against a single host.
Metasploit is the foundation on which the professional products are built. Metasploit is an open-source tool which ships with the Kali Linux OS, and it can perform penetration tests and security auditing. The tool was built by Rapid7's and the open-source community's own hard-working content team; new modules are added on a regular basis, which means that the database of the latest exploits is updated as soon as they become available.
Reconnaissance Phase
Command used → nmap --script vuln 192.168.0.139
This command tells us whether this machine is vulnerable or not, and if it is, which vulnerability it has.
After using Nmap I was able to discover what type of OS and which services this IP was running.
Furthermore, it also displayed the vulnerability present on it.
In this phase I found that the machine has a vulnerability,
CVE-2017-0143, which is a Remote Code Execution vulnerability.
Since the machine was vulnerable to CVE-2017-0143, it should be noted that it was observed in the recent past that organisations were hit by a ransomware known as WannaCry, which affected several organisations.
This ransomware was the result of the exploit known as EternalBlue, associated with the
hacker group known as the Shadow Brokers.
When a computer is infected, WannaCry ransomware targets and encrypts 177 types of file. Some of the WannaCry targets were database files, multimedia and archive files, as well as documents. In its ransom note, which supports several languages, it demanded $500 worth of Bitcoin.
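Checking one host by hand, as above, does not scale to the 25 desktops in LAN 1 and LAN 2. The following is an added example written for this report (not part of the original submission or of Nmap) that parses the XML Nmap writes with -oX and lists every host and script that the NSE vulns library marked VULNERABLE, so CVE-2017-0143 findings can be tracked across the whole scan. The XML below is a constructed sample, not a captured scan; the element layout (a table keyed by vulnerability ID holding a state elem) follows the vulns library output format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX - --script vuln <hosts>` output (not a real scan).
# The smb-vuln-ms17-010 script reports CVE-2017-0143 through the NSE vulns library.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.0.139" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <elem key="risk_factor">HIGH</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.0.140" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def vulnerable_hosts(nmap_xml: str) -> list:
    """Return (ip, script id, finding id) for every vulns table whose state starts with VULNERABLE."""
    findings = []
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts without an IPv4 address record
        ip = addr.get("addr")
        for script in host.iter("script"):
            for table in script.findall("table"):
                state = table.find("elem[@key='state']")
                # "VULNERABLE" and "VULNERABLE (Exploitable)" count; "NOT VULNERABLE" does not
                if state is not None and state.text and state.text.startswith("VULNERABLE"):
                    findings.append((ip, script.get("id"), table.get("key")))
    return findings


if __name__ == "__main__":
    for ip, script_id, finding in vulnerable_hosts(SAMPLE_NMAP_XML):
        print(f"{ip}: {script_id} -> {finding}")
```

Run it against a real scan with `nmap -oX scan.xml --script vuln 192.168.0.0/24` and feed the file contents to vulnerable_hosts.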
Security Issue
No Validation on File Type
It was observed that the infrastructure includes a web application with working functionality. It gave users the option to upload a file to the website, which was then processed at the server, but the file upload had no validation applied to it.
This means a user can upload a malicious file which can harm the network and compromise the whole IT infrastructure.
Tools Used
Msfvenom is a combination of Msfpayload and Msfencode. Msfvenom replaced msfencode and msfpayload on June 8th, 2015.
The advantages of msfvenom are:
MD5 is an encryption algorithm which generates a hash of 32 characters regardless of the input size. This algorithm cannot be reversed; it is impossible to derive the original word from the MD5 hash. This tool uses a huge database in order to have the best chance of cracking the original word.
We only have to enter the hash in the MD5 decoder in order to decrypt it.
The organisation was running an old version of jQuery; this relates to attacks encountered across the industry. This attack method was identified long ago, but the organisation was too lazy to follow some of the public CVE disclosures.
Looking at this jQuery vulnerability, it allowed disallowed files to be uploaded to the server and then executed.
Vulnerability
Hard Coded Credentials
This vulnerability, as the name suggests, means that passwords and other crucial information are hard-coded into the device.
This crucial information includes internal IPs, passwords, etc.
Generally the passwords hard-coded into devices belong to root users, which means that if someone logs in with these credentials, root access to the device will be granted.
Reconnaissance Phase
The gateways of the IoT devices were affected:
On taking apart rde.jar, I found hard-coded credentials for the FTP service on the device, which gave access to the device as the root user.
Vulnerability
Tools Used
Reconnaissance Phase
Vulnerabilities with CVE
A Remote Code Execution vulnerability is one in which an attacker gains access to the victim's system by any means and is able to traverse any folder of the victim's system.
This access can be gained by any technique; generally it is done by executing the attacker's code on the victim's computer, resulting in compromise.
This remote code execution vulnerability can be performed against the victim's computer, the victim's website, or the victim's web server.
This vulnerability is considered to be one of the most critical vulnerabilities in the information security world.
Countermeasures should be taken immediately once it is encountered.
An Arbitrary File Upload vulnerability, as the name suggests, is a vulnerability caused by uploading a malicious file; when the file is accessed, it results in a reverse shell on the victim's machine.
This vulnerability goes hand-in-hand with remote code execution, as the impact of both vulnerabilities is the same.
This vulnerability is generally found in websites which allow file uploads
and whose file upload function has no restrictions on it.
Generally, files with the .php extension are what make this vulnerability exploitable.
This vulnerability can also introduce bugs like SSRF (server-side request forgery) and XXE.
Solutions Proposed
Outdated operating systems introduce Remote Code Execution with CVE-2017-0143, which is a bug in Windows.
The reasons this is found are firewalls not being properly configured and outdated Windows installations.
So, the proposed solution was upgrading Windows to the latest version and keeping it updated over time.
The reason arbitrary file upload works is improper file validation, which means that the developer allowed only a specific file type to be uploaded but the check was somehow bypassed.
For this, proper file handling was suggested as a solution, which will stop this attack.
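The "proper file handling" recommended above, as an added example written for this report and not taken from the organisation's web application: an allow-list of extensions, a magic-byte check that the content matches the claimed type, rejection of double extensions such as name.php.png and of path components, and a server-generated file name so the client controls nothing on disk. The accepted types, the name pattern and the 64-character stem limit are assumptions.

```python
import os
import re
import secrets

# Allow-list of accepted extensions, each tied to the magic bytes its content must
# start with. Anything not listed (php, phtml, jsp, ...) is refused outright.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
STEM_PATTERN = re.compile(r"[a-z0-9_-]{1,64}")


def validate_upload(filename: str, content: bytes):
    """Return (True, safe_name) if the upload is acceptable, else (False, reason)."""
    # Drop any directory part the client sent (../../x.pdf -> x.pdf).
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    # Exactly one extension: "shell.php.png" and dotless names are rejected here.
    if len(parts) != 2 or not STEM_PATTERN.fullmatch(parts[0]):
        return False, "reject: name must be <stem>.<ext> with a single extension"
    ext = parts[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"reject: extension '{ext}' is not allowed"
    if not content.startswith(magic):
        return False, f"reject: content does not look like a {ext} file"
    # A valid image header with a PHP tag inside is a polyglot; refuse it too.
    if b"<?php" in content:
        return False, "reject: PHP tag embedded in file body"
    # Never reuse the client's name on disk: random server-side name plus checked extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and a renamed script.
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_upload("shell.php.png", b"<?php echo 'hi'; ?>"))
```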
The reason behind this bug is basic human error, i.e. for ease of access the developers hard-code the passwords so that co-developers can easily access the admin panel,
or some of the devices use a default password for the root user, which people forget to change when they deploy the device and which attackers take advantage of.
The solution for this bug was simple: change all the default passwords of the devices which do not require human monitoring.
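Changing default passwords does not catch credentials baked into firmware bundles such as the rde.jar mentioned above. The following is an added example written for this report (not the report's own tooling) of a pre-deployment check a defender can run over a jar: it opens the archive, scans text-like members for password assignments and user:password@ URLs, and reports the location with the secret value redacted. The jar is constructed in the script, and the regexes and file suffix list are assumptions.

```python
import io
import re
import zipfile

# Patterns that commonly mark embedded secrets in config and source files (assumed list).
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*\S+"),  # key=value style
    re.compile(r"(?i)\b(ftp|ssh|telnet)://[^/\s:]+:[^@\s]+@"),       # user:pass@host URLs
]
TEXT_SUFFIXES = (".properties", ".xml", ".conf", ".cfg", ".ini", ".java", ".sh", ".txt")


def scan_jar(jar_bytes: bytes) -> list:
    """Return (member, line number, redacted line) for every hard-coded credential found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue  # compiled classes need a decompiler; only text members are scanned
            text = jar.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if any(p.search(line) for p in SECRET_PATTERNS):
                    # Report where the secret is, not what it is.
                    redacted = re.sub(r"([=:]\s*)\S+", r"\1<redacted>", line.strip(), count=1)
                    hits.append((info.filename, lineno, redacted))
    return hits


def build_sample_jar() -> bytes:
    """Constructed stand-in for a gateway's rde.jar; not the real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("config/ftp.properties",
                     "ftp.host=192.0.2.10\nftp.user=root\nftp.password=ChangeMe123\n")
        jar.writestr("config/app.properties", "log.level=INFO\n")
        jar.writestr("src/Uploader.java",
                     'String url = "ftp://root:ChangeMe123@192.0.2.10/upload";\n')
    return buf.getvalue()


if __name__ == "__main__":
    for member, lineno, line in scan_jar(build_sample_jar()):
        print(f"{member}:{lineno}: {line}")
```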
Devices which communicate over the internet require the transfer of data, i.e. packets, both TCP and UDP, which most of the time travels over an insecure layer like HTTP.
A secure layer for data transfer is suggested to stop this type of attack, such as HSTS or HTTPS.
These protected layers encrypt data before transfer and decrypt it before delivery; end-to-end encryption is introduced.