INTERNAL PENETRATION TEST
Ethical Hacking Bootcamp
Virtual Infosec Africa, Department of Telecommunications Engineering
Author:
Bernard Kobina Forson Essel
Source
Table of Contents
Executive Summary
The internal network penetration test conducted on the IP range 10.10.10.0/24 for Virtual Infosec Africa evaluated the security of the network infrastructure through a series of targeted assessments.
Initially, Nmap was used for host and service discovery, revealing several active devices and their associated services. This scan identified critical services, such as HTTP, SSH, and FTP, with some running outdated versions or misconfigured settings, which could pose security risks.
Following this, Metasploit was employed for vulnerability scanning, uncovering multiple security weaknesses. Notably, several high-risk vulnerabilities were detected, including unpatched software and misconfigured services that could be exploited by attackers to gain unauthorized access to the network.
To assess the web application security, Eyewitness was utilized to document and analyze the web-based services. This analysis pinpointed several web applications with known vulnerabilities and improper configurations, potentially allowing sensitive data exposure or system compromise.
The findings highlight significant security gaps that need to be addressed promptly. The detailed report includes specific recommendations for patch management, service hardening, and web application security improvements to enhance the network's overall security posture.
Analysis of Overall Security Posture
The penetration test revealed several critical vulnerabilities in the network infrastructure, indicating a weakened security posture. The host and service discovery phase exposed multiple active devices with open ports and outdated or misconfigured services. These findings suggest that the network is susceptible to various types of attacks, including unauthorized access and exploitation of known vulnerabilities. The presence of unpatched services, particularly those with critical roles like HTTP and SSH, further compounds the risk, making it easier for potential attackers to exploit these weaknesses.
Additionally, the vulnerability scanning using Metasploit uncovered significant security flaws, including unpatched software and misconfigurations that could be leveraged for unauthorized access. The web-based surface attack analysis using Eyewitness highlighted vulnerabilities in web applications, which could potentially lead to data breaches or system compromises. Collectively, these findings point to an urgent need for a comprehensive security overhaul. Implementing recommended remediation strategies, such as regular patching, service hardening, and securing web applications, is crucial for fortifying the network and mitigating potential threats. Without these improvements, the network remains vulnerable to exploitation and potential breaches.
Key Recommendations
- Ensure all software is updated with the latest security patches and implement a regular patch management process.
- Review and close unnecessary open ports, and harden configurations for critical services.
- Strengthen authentication by implementing multifactor authentication (MFA) and apply the principle of least privilege to user accounts and services.
- Conduct periodic vulnerability assessments and penetration tests, and prioritize and remediate high-risk vulnerabilities promptly.
- Review and secure web applications, implement web application firewalls (WAFs), and adhere to secure coding practices.
- Enable comprehensive logging and monitoring to detect suspicious activities, and develop and regularly update an incident response plan.
Testing Methodology
The penetration test began with a thorough Host and Service Discovery phase using Nmap, a widely-used network scanning tool. This step involved scanning the provided IP range (10.10.10.0/24) to identify all active hosts and enumerate the services running on their respective ports. By mapping out the network and cataloging open ports and services, this phase provided a foundational understanding of the network's topology and potential entry points for further testing.
Following discovery, the Vulnerability Scanning phase employed Metasploit to assess the identified services for known vulnerabilities. This automated scanning process aimed to uncover weaknesses such as outdated software, unpatched vulnerabilities, and misconfigurations that could be exploited by attackers. The results highlighted critical security issues and provided a basis for prioritizing remediation efforts based on the severity of the vulnerabilities discovered.
Finally, the Web-Based Surface Attack analysis was conducted using Eyewitness, which focused on the security of web applications within the network. This tool documented the web-based services and assessed their security posture, identifying vulnerabilities and misconfigurations that could lead to data breaches or system compromises. This phase aimed to provide insights into the security of web applications and recommend improvements to safeguard against potential exploits.
HOSTS DISCOVERY
The Nmap tool was use to scan for the host available in the network scope. The command used for the host discovery is shown below:
The output from the host discovery was then filtered to get their IP Addresses. The host discovery filter by using the grep and awk commands is shown below:
SUBDOMAIN ENUMERATION
The subdomain enumeration was done using the aiodnsbrute on the hosts in the network scope(10.10.10.1/24)
SERVICE DISCOVERY
The service discovery helps for the identification and understanding of the services running on the network and the ports they're using and also provide an insight into the network's attack surface.
Service Discovery also helps to identify which services are running on specific devices along with their versions enabling testers to pinpoint any known vulnerabilities associated with those services which could serve as entry point for attackers.
Port Scanning identifies open ports which serves as gateway for communication between devices by finding this open ports testers can define which services are accessible and possess potential vulnerabilities. For an instance,an open port running an outdated or misconfigured service could provide attacks with a direct path to exploit the network.
NMAP,SERVICE DISCOVERY & PORT SCANNING
The Service Discovery and Port Scanning was done using the Nmap tool. The command and output with the various file outputs are shown below:
The HTTP service scan discovery using the nmap tool is show below:
Nmap Service Discovery Output
VULNERABILITY SCANNING
DETAILED FINDINGS
APACHE 2.4.49(SSL & HTTP)
Apache 2.4.49 Analysis
| Current Rating | CVSS |
|---|
| High | 8.8 |
Finding Summary
It was found that there was insufficient security on the APACHE HTTP server 2.4.49 whereby an attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directories. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.
Evidence
The Metasploit Auxiliary Module was used to scan for vulnerabilities on the HTTP server which is shown below:
Affected Resources:
10.10.10.2, 10.10.10.30, 10.10.10.45, 10.10.10.55
Recommendations:
- Upgrade Apache: Update to Apache HTTP Server 2.4.51 or later, which contains fixes for these vulnerabilities.
- Secure Aliased Directories: Ensure Alias and AliasMatch directives are correctly configured and protected.
- Apply Require all denied where needed.
- Disable CGI Scripts: If CGI scripts are not required in aliased directories, disable them.
- Review Configurations: Regularly check and audit directory configurations and access controls.
- Implement Rate Limiting: Use modules like mod_evasive to control request rates and mitigate potential DoS attacks.
- Monitor Server Performance: Use monitoring tools to detect and respond to unusual server behavior.
References:
https://www.cve.org/CVERecord?id=CVE-2021-42013
SQL 5.6.49 (mysql)
MySQL 5.6.49 Analysis
| Current Rating | CVSS |
|---|
| Medium | 4.3 |
Finding Summary.
The MySQL version running on the remote host is 5.6.x, up to and including 5.6.48, and is affected by several vulnerabilities. The CVE-2020-14539 vulnerability in the MySQL Server's optimizer allows a low-privileged attacker with network access to cause a denial of service by making the server hang or crash. The CVE-2020-14550 affects the MySQL Client's C API, enabling a similar denial of service attack. Additionally, CVE-2020-1967 impacts MySQL Connectors using OpenSSL, where an unauthenticat