StarDotStar 1
Reconnaissance Report “Honeywell” V 2.0 July 25, 2016
This Report was Prepared by: StarDotStar
Robert Thompson – Penetration Tester
Vance Jones – Penetration Tester
Tyler Weiss – Penetration Tester
This report was created for educational purposes and is entirely fictional. The systems herein have been created and maintained by this team in a virtual environment. All information in this document is confidential and may not be disclosed to unauthorized personnel.
Document Properties
Title | Reconnaissance Report “Honeywell”
Version | 2.0
Authors | Robert Thompson, Vance Jones, Tyler Weiss
Pen-Testers | Robert Thompson, Vance Jones, Tyler Weiss
Reviewed By | Robert Thompson, Vance Jones, Tyler Weiss
Approved By | Robert Thompson, Vance Jones, Tyler Weiss
Classification | Confidential

Version Control
Version | Date | Author | Description
2.0 | July 11, 2016 | Vance Jones, Robert Thompson | Draft
1.9 | July 11, 2016 | Vance Jones | Draft
1.8 | June 25, 2016 | Robert Thompson, Vance Jones | Draft
1.7 | June 25, 2016 | Robert Thompson | Draft
1.3 - 1.6 | June 24, 2016 | Vance Jones | Draft
1.2 | June 11, 2016 | Robert Thompson | Draft
1.1 | June 10, 2016 | Robert Thompson | First Draft
1.0 | May 28, 2016 | Robert Thompson | Template
Executive Summary
Contents
1.2 Objective
1.3 Timeline
1.4 Summary of Findings
2. Recon Lab 1
  2.1 Summary of Findings
  2.2 Recommendations
  2.3 Detail of Findings
3. Recon Lab 2
  3.1 Summary of Findings
  3.2 Recommendations
  3.3 Detail of Findings
4. Recon Lab 3
  4.1 Summary of Findings
  4.2 Recommendations
  4.3 Detail of Findings
5. Scanning Lab 1
  5.1 Summary of Findings
  5.2 Recommendations
  5.3 Detail of Findings
6. Scanning Lab 2
  6.1 Summary of Findings
  6.2 Recommendation
  6.3 Detail of Findings
7. Penetration Lab
  7.1 Summary of Findings
  7.2 Recommendation
  7.3 Detail of Findings
    7.3.1 Windows XP
    7.3.2 Windows Server 2003
    7.3.3 Ubuntu (pWnOS)
    7.3.4 Slax (Hackerdemia)
  7.4 Tools Used
    7.4.1 Metasploit Framework
    7.4.2 SQLMap
    7.4.3 Burp Suite
    7.4.4 Hashcat
    7.4.5 Hydra
    7.4.6 BEEF XSS Framework
Appendix A
  People Searching websites used
  Tools used
Appendix B
  Employee and Executive Information
  ARIN network details
Appendix C
  poc.sh & poc.py full raw output file contents
Appendix D
  Ping Sweep Results (From Section 5.3.1)
  TCP Port Scan Results (From Section 5.3.2)
  UDP Port Scan Results (From Section 5.3.2)
  Web Port Scan Results (From Section 5.3.4)
  Scan Report with Reason for state (From Section 5.3.5)
  OS Scan Result (From Section 5.3.9)
Appendix E
  Nessus MyPolicy.txt
Appendix F
  Windows XP Hashes
  Windows 2003 Hashes
  Windows Web App Database Dump
  Ubuntu (pWnOS) Web App Database Dump
References
1.2 Objective
The goal of this assessment is to determine how much publicly available information could help an attacker exploit the company's internal network, and to identify information that is public but should not be because it contains sensitive internal data.
1.3 Timeline
Penetration Test Phase | Start Date | End Date
Recon | 5/23/2016 | 6/10/2016
Scanning | 6/13/2016 | 6/24/2016
Penetration | 6/27/2016 | 7/11/2016
1.4 Summary of Findings
Recon
o Company email addresses
o Employee personal information
  - Position
  - Address
  - Phone number
  - Salary
o Physical facility locations and security
o IP address ranges and domains owned
o Website setup
  - Languages
  - Frameworks
  - Software
o Social media accounts
  - Facebook
  - LinkedIn
o Confidential documents
  - Letters
  - Spreadsheets
2. Recon Lab 1
2.1 Summary of Findings
We identified the software running on the Honeywell web servers, the frameworks used, net ranges, and other services hosted by Honeywell. We also found a handful of confidential documents containing personal information about employees and executives.
2.2 Recommendations
Updating all IIS 7.5 servers to 8.0. Searching for and removing any potentially harmful documents posted publicly.
2.3 Detail of Findings
1. What is the name of the organization you chose? What do they do?
   a. Honeywell Aerospace is a company that develops and sells aerospace technology for commercial and military use.
2. What operating systems do they use on their web server? Why?
   a. Most of their web servers are running Windows. We can tell because the Server header in their HTTP responses identifies IIS, which only ships as a Windows component.
3. What web server are they using (Apache, IIS, etc.)? What version is it?
   a. IIS versions 7.5 and 8.0.
4. Does it appear they are hosting their own web server?
   a. Yes, they own their own net range and have a large selection of servers.
5. What programming languages are used on the site?
   a. HTML, CSS, JavaScript, jQuery.
6. What are the networks in use by the organization? List ranges.
   a. 129.30.0.0/16
7. Does it appear they are hosting any other services from their network ranges? (Do not scan network segments.)
   a. Yes, Shodan shows they run their own DNS servers, as well as IKE (Internet Key Exchange) VPN servers.
8. What type of information did you turn up using search engines?
   a. Company email format, high-level executives, social media accounts, and some documents.
   b. This letter gave us their president's personal address and salary.
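The header-based reasoning in answer 2 (IIS in the Server header implies Windows) can be automated. The following is an added example, not code from the original report: it parses raw HTTP responses and infers product, version and OS family, treating a missing or stripped Server header as unknown rather than as evidence of anything. The three sample responses are constructed for the example; no Honeywell host was contacted.

```python
"""Web server fingerprinting from HTTP response headers.

Added example for this report (not code from the original); the sample
responses below are constructed to look like what `curl -sI` against an
IIS host, an Apache host and a hardened host would return.
"""
import re

# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "iis": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/7.5\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "X-AspNet-Version: 4.0.30319\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
        "<html>...</html>"
    ),
    "apache": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.7 (Ubuntu)\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}

# Distribution tags Apache/nginx builds commonly append to the Server header.
UNIX_HINTS = ("(ubuntu)", "(debian)", "(centos)", "(red hat)", "(fedora)", "(freebsd)", "(unix)")


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(raw):
    """Infer server product/version and OS family from a raw HTTP response.

    The inference is only as strong as the headers: an administrator can strip
    or spoof Server and X-* headers, so "unknown" means exactly that, not "not Windows".
    """
    status, headers = parse_response_headers(raw)
    server = headers.get("server", "")
    info = {"status": status, "server": server or None, "product": None,
            "version": None, "os_family": "unknown", "evidence": []}
    m = re.match(r"([A-Za-z][\w.-]*)/([\d.]+)", server)
    if m:
        info["product"], info["version"] = m.group(1), m.group(2)
    lowered = server.lower()
    if lowered.startswith("microsoft-iis"):
        info["os_family"] = "windows"          # IIS exists only as a Windows component
        info["evidence"].append("Server header names Microsoft-IIS")
    elif any(hint in lowered for hint in UNIX_HINTS):
        info["os_family"] = "linux/unix"
        info["evidence"].append("Server header carries a distribution tag")
    # ASP.NET headers corroborate Windows even when Server is absent; Mono can
    # also emit X-Powered-By: ASP.NET, so on their own they only make it probable.
    if "asp.net" in headers.get("x-powered-by", "").lower() or "x-aspnet-version" in headers:
        info["evidence"].append("ASP.NET headers present")
        if info["os_family"] == "unknown":
            info["os_family"] = "windows (probable)"
    return info


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, fingerprint(raw))
```

Run against real hosts by feeding it the output of curl -sI (or a socket read); keep the evidence list in the report, since a Server header is a claim the target makes about itself, not a measurement.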
3. Recon Lab 2
3.1 Summary of Findings
We found company social media accounts and documents. These gave us employee emails, phone numbers, and LinkedIn accounts, which we could then use in further searches to find more information.
3.2 Recommendations
Searching for and removing confidential files posted publicly on the internet. Educating employees about using their company email for non-company activities, such as at conferences.
3.3 Detail of Findings
1. Identify key employees. Get names, positions, salary, phone #, and e-mail addresses.
   a. This page on their main site got us the top-level executives. From there we focused in and found contact information, emails, and phone numbers (see Appendix B).
2. Do they participate in any professional organizations?
   a. We found their email format (for names) from an EnergyStar attendance list for an event (URL below):
      i. https://www.energystar.gov/ia/partners/prod_development/.../Attendee_%20list.xls
3. Do they participate in any professional social media sites?
   a. A lot of them have LinkedIn accounts, which we found (see Appendix B).
4. Is anyone looking for a job?
   a. All the LinkedIn pages we checked were private.
5. Can you locate interesting corporate documentation, passwords, etc.?
   a. The list of emails from the attendance list and the letter helped us immensely.
6. Does your target company have any associations with other companies? e.g. partners
   a. Honeywell has dozens of other areas of business, including appliances, housing, and technology.
7. Enumerate your target's domain name. Document all additional IP addresses that you have discovered. (Add them to your current list.)
   a. See Appendix C for DNS enumeration results.
8. Use Maltego to search your company's domain, e-mail, social media, etc.
   a. See Appendix B for some of the information we pulled from Maltego.
9. Create a visual map of your selected target's discovered systems. Identify network address ranges, possible target systems and their purpose, routers, switches, etc. Is this their DMZ?
10. Document your advanced Google search strings and their results.
   a. Here are some of our searches:
      i. inurl:"@honeywell.com" filetype:xls (gave us the attendance list)
      ii. intext:"Tim Mahoney" intext:"Confidentual" (gave us the letter)
      iii. site:honeywell.com (helped start DNS enumeration)
      iv. intext:"[email protected]" (gave us another attendance spreadsheet)
4. Recon Lab 3
4.1 Summary of Findings
We found physical location information, including site geo-locations and the employee campus. We also gathered wireless intelligence, including a poorly secured break room WiFi network and several open wireless networks.
4.2 Recommendations
Upgrading the wireless router for stronger encryption, and ensuring employees understand the risk of connecting to open wireless networks.
4.3 Detail of Findings
1. Using Recon-NG perform a full recon on your target company. Document your results. Did you find any additional useful or interesting info?
   a. See Appendix C for our script's results, which included custom Recon-NG queries.
2. You need to research information that would be helpful for the social engineering phase of your penetration test.
   a. Physical layout of the company.
      i. The back of the facility has locked fence gates; the front is an open parking lot with a lobby.
   b. Security doors, guards, cameras, etc.
      i. Multiple cameras on building corners, with pan-tilt-zoom cameras over doors.
   c. Badges?
      i. Yes, most likely RFID: they are carried on lanyards, and magstripe badges are awkward to swipe while on a lanyard.
   d. Vehicle passes?
      i. No.
   e. Web cams?
      i. Shodan returned no results.
   f. Digital dumpster diving.
      i. Several dumpsters around the back near the fence, which is only a couple of feet high.
   g. How does the typical employee dress? Dress code?
      i. Some business casual, workers in jeans with hard hats.
3. Wireless recon. (Note: this was performed on the university's campus.)
   a. Using a wireless sniffing program such as Kismet, map the university's wireless network. What IP address ranges did you discover? Number, type, location of wireless APs.
      i. UAT has several nodes running the Scytale network. These are on a /24 subnet and are located both on the campus and throughout the dorms. I managed to find three unique MAC addresses for the APs.
   b. Are there open APs?
      i. Yes, plenty, including student APs and UAT's Scytale wireless network.
   c. What methods do they use to secure APs?
      i. Consumer wireless uses WPA/WPA2-PSK (and, on older gear, WEP), while enterprises use WPA2-Enterprise with 802.1X/RADIUS so that each user is individually authenticated and traffic keys are per client. Note that this does not by itself stop spoofed deauthentication frames used to force reconnections or deny service; that requires Protected Management Frames (802.11w).
   d. What is wardriving?
      i. Physically enumerating and mapping the wireless networks in an area by driving around with a wireless device running an enumeration tool such as Kismet.
   e. Name two tools you can use to detect the presence of wireless networks.
      i. Kismet and Airodump-ng.
   f. How can you find out the BSSID of an access point?
      i. The BSSID is the MAC address of the access point's radio, and the AP includes it in every beacon and probe response so that clients know it is available. Any wireless device can read it, and tools such as Kismet or Airodump-ng list it directly.
   g. Why is the BSSID of an access point important to know?
      i. In WPA/WPA2 the BSSID (the authenticator address) is one of the inputs, together with the client MAC, the ANonce and the SNonce, to the PRF that derives the pairwise transient key during the 4-way handshake, so a captured handshake cannot be verified or cracked without it. WEP has no such key derivation; there the BSSID is needed to filter captured IVs to the right network and to aim injection and deauthentication at it.
   h. The FMS attack is an attack that is used against WEP. What does FMS stand for?
      i. Fluhrer, Mantin and Shamir.
   i. Crack the WEP key provided in the WeakIVs.zip file under the Doc Sharing section of the course shell. The MD5 file is included just to make sure the compressing / uncompressing of the file with the weak IVs is the same. Particulars of the access point from which the IVs were collected are: it is a 128-bit WEP key. The BSSID of the access point is 00:1E:52:F6:A0:9B. Given this information, what is the WEP key?
      i. 0B:4E:D3:F6:7C:C5:40:FE:98:36:BA:A6:52
5. Scanning Lab 1
5.1 Summary of Findings
For full details, refer to Appendix D.
5.2 Recommendations
5.3 Detail of Findings
5.3.1 Perform a ping sweep of your network to identify live hosts with Nmap.
a. Using the command nmap -sn 172.16.112.0/24 -oN networkhosts.txt we enumerated all the hosts on the network that answered the host discovery probes (on a local Ethernet segment nmap -sn uses ARP requests; on remote networks it sends an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request) and wrote the results to a normal-format text file. The ping sweep returned the gateway, our three attack machines and two other, unidentified, hosts.
5.3.2 Port scan the hosts on your network range with Nmap. If you have more than 10 hosts, only provide the results of the 10 with the most ports open.
a. We used the command nmap -sS -iL networkhosts.txt with the text file containing the hosts from the ping sweep. A SYN scan sends only the first packet of the TCP handshake and classifies each port by the reply: open (SYN/ACK), closed (RST), or filtered (no response or an ICMP unreachable error, typically because a firewall dropped the probe). In addition, more precise scans were run with nmap -sS -T2 172.16.112.20,25 -v (TCP port scan) and nmap -sU -T2 172.16.112.20,25 -v (UDP port scan).
5.3.3 Scan a host adjusting the timing of requests with Nmap.
a. For the web server scan (see 5.3.4) we used the -T2 (polite) timing template. Because we were only scanning two ports, the scan is small enough that we can afford to slow it down, spreading the probes out in time so the traffic is less likely to cross an IDS/IPS alert threshold.
5.3.4 Use Nmap to sweep your network for systems running web servers on port 80 and port 443.
a. Using the command nmap -sS -T2 -iL networkhosts.txt -p80,443 we scanned all the hosts on ports 80 and 443 to discover which hosts were running web services on the default ports.
5.3.5 Run a scan on a host and tell Nmap to display the reason it finds the port in the state it does.
a. The --reason option makes Nmap print the packet (or lack of one) that led to each port state, for example: nmap -sS -sU -T2 172.16.112.20,25 --reason
b. A port that never answers is reported as filtered, with reason no-response. Nmap cannot tell whether such a port is actually open or closed; the usual cause is a firewall silently dropping the probe.
5.3.6 Scan a system with Nmap and output the results to a normal file. Just provide the command you would use, you do not have to append the results or the file.
a. This was done during our ping sweep command with -oN networkhosts.txt (see 5.3.1).
5.3.7 Scan a host as if it were denying ICMP (ping).
a. To find hosts that drop ICMP, we ran a TCP SYN ping sweep with the command nmap -PS 172.16.112.0/24 (add -sn to stop after host discovery), which sends a SYN to port 80, the default for -PS, on every address. Either a SYN/ACK (port open) or a RST (port closed) reply proves the host is up; only silence leaves it undetermined.
5.3.8 Port scan on a host for open ports 1 through 500 with Netcat. Yes, Netcat. When do you think you might use Netcat vs Nmap?
a. nc -z -v 172.16.112.20 1-500 attempts a full TCP connection to each port in the range 1-500 and reports which ones accept (-z connects without sending data; -v prints the result per port).
   i. Netcat is used to create a connection and move data across it. It is the tool to reach for when Nmap is not available on a compromised host, or to poke at a single service by hand (grab a banner, send a crafted request).
   ii. Nmap is used to map networks and scan address ranges and ports, with SYN/UDP scan types, timing control, and service and OS detection.
      1. NSE scripts extend Nmap further, for example to vulnerability checks and other probes beyond port state.
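To make the Netcat-versus-Nmap distinction concrete, here is an added example (not the original report's code) of what nc -z does: a full TCP connect to every port in a range, no raw sockets or root needed, at the cost of completing a handshake the target logs. It starts a throwaway listener on 127.0.0.1 so it can run offline; the listener's port number is chosen by the OS, and the range scanned is a small window around it rather than 1-500.

```python
"""TCP connect scan, the way `nc -z -v host 1-500` works.

Added example for this report (not the original's code). The listener on
127.0.0.1 stands in for a real target so the example runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=50):
    """Return the sorted list of ports on `host` that accept a TCP connection."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising. A RST yields
            # ECONNREFUSED (closed); a timeout means something dropped the SYN (filtered).
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


class LocalListener:
    """Throwaway TCP service on 127.0.0.1 that accepts and immediately closes."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)             # so the accept loop can notice `close()`
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    def close(self):
        self._stop.set()
        self.sock.close()


def demo(span=3):
    """Scan a small window around the listener's port; returns (listener port, open ports found)."""
    listener = LocalListener()
    try:
        low = max(1, listener.port - span)
        found = connect_scan("127.0.0.1", range(low, listener.port + span + 1))
    finally:
        listener.close()
    return listener.port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports seen by the scan: {found}")
```

Against a real host, replace the loopback address and pass range(1, 501); keep the timeout short, because every filtered port costs a full timeout, which is exactly the slowness that makes a SYN scan preferable when raw sockets are available.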
5.3.9 Perform Operating System identification on one of the hosts on your network. You can use either Nmap or Xprobe2. How accurate was the guess by the tool?
a. Using the command nmap -O -iL networkhosts.txt we asked Nmap to determine the OS of each host. The tool is good at zeroing in on the operating system family but less reliable on the exact version or distribution. Caution: some results may be false positives because of settings on the target hosts (OS detection needs at least one open and one closed TCP port to fingerprint well, and host firewalls or TCP/IP stack tuning can distort the result).
5.3.10 Perform application fingerprinting on a host with Nmap. In your estimation did Nmap properly identify the services running on the machine? Were there unknown application fingerprints? If Nmap doesn't know what a service is, what steps could you take to determine what the service is?
a. Running the command nmap -sV -iL networkhosts.txt we did full service identification to confirm that the services found by earlier scans were accurate and to learn which versions they were running. The results had no unknown fingerprints.
b. Services were identified properly, but some of the version strings were ambiguous.
c. An unknown service was discovered on port 443 of 172.16.112.20.
d. To identify the service on this port we tried the following:
   i. Netcat to the port of the unknown service. We sent a GET request to the IP:port; it responded with nothing.
   ii. Point a web browser at the service. Visiting the address:port failed to connect, although plain HTTP on the host works.
   iii. Nmap scan of the specific port. Focusing the scan on just that port still yielded no information. We were unable to get the port to respond with anything, so we could not identify the service. A further step would be to speak TLS to it explicitly (for example openssl s_client -connect 172.16.112.20:443), since a TLS listener sends nothing until the client completes a handshake.
5.3.11 You are on a penetration test. Your customer asks you to identify all of the hosts in a given network range. You notice that they are filtering ICMP so you can't ping hosts to determine if they are alive. How would you determine which hosts in the network range are actually up?
a. Use TCP-based host discovery instead: earlier we enumerated hosts with a SYN host discovery scan (see 5.3.7). Nmap's -PA (TCP ACK ping) and -PU (UDP ping) probes, or ARP requests when on the local segment, work the same way.
5.3.12 Which flags does a Xmas scan (-sX) set in Nmap?
a. The Xmas scan set the FIN, URG, and PSH flags on.
5.3.13 Take a couple of the hosts from your network and put them in a plain text file. Put the IP addresses in the file so there is only one per line. Name this file "networkhosts.txt". Use Nmap with the appropriate command line argument to import this file and scan the contents.
a. nmap -sS -sU -iL networkhosts.txt
   i. -iL reads the list of targets from the given file.
b. We utilized this technique in an earlier portion of this section (see 5.3.2).
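Several of the answers above depend on reading Nmap results back out of files (-oN and -iL, picking the ten hosts with the most open ports, listing the hosts with 80 or 443 open). The following added example, not from the original report, parses Nmap's grepable (-oG) format, which is the output mode meant for scripting. The scan text is constructed to resemble a -sS -sU -O run against the lab hosts; the port lists are invented, not real results.

```python
"""Parse Nmap grepable (-oG) output and answer the lab's questions from it.

Added example for this report (not the original's code). The scan below is a
constructed -oG file in the real layout; the hosts' port lists are invented.
"""
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.12 scan initiated Mon Jun 13 09:14:02 2016 as: nmap -sS -sU -O -T2 -oG - -iL networkhosts.txt
Host: 172.16.112.1 ()\tStatus: Up
Host: 172.16.112.1 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (1999)
Host: 172.16.112.20 ()\tStatus: Up
Host: 172.16.112.20 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 137/open/udp//netbios-ns///, 161/open|filtered/udp//snmp///\tIgnored State: closed (1992)\tOS: Microsoft Windows XP SP2 or SP3\tSeq Index: 260
Host: 172.16.112.25 ()\tStatus: Up
Host: 172.16.112.25 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/filtered/tcp//ms-sql-s///\tIgnored State: closed (1996)\tOS: Microsoft Windows Server 2003 SP1 or SP2\tSeq Index: 12
# Nmap done at Mon Jun 13 09:41:55 2016 -- 3 IP addresses (3 hosts up) scanned in 1673.10 seconds
"""


def parse_port_entry(entry):
    """'80/open/tcp//http///' -> dict. Field order: port/state/protocol/owner/service/rpc/version/.
    Nmap rewrites any '/' inside a version string as '|', so splitting on '/' is safe."""
    f = entry.strip().split("/")
    return {"port": int(f[0]), "state": f[1], "proto": f[2],
            "service": f[4] if len(f) > 4 else "",
            "version": f[6] if len(f) > 6 else ""}


def parse_gnmap(text):
    """Return {ip: {"hostname", "status", "ports": [...], "os"}} from -oG output.
    A host appears on several 'Host:' lines (Status, then Ports/OS); they are merged."""
    hosts = defaultdict(lambda: {"hostname": "", "status": None, "ports": [], "os": None})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' lines hold the command line and timing
        fields = line.split("\t")
        ip, _, rest = fields[0][len("Host:"):].strip().partition(" ")
        rec = hosts[ip]
        rec["hostname"] = rest.strip("() ")
        for field in fields[1:]:
            key, _, value = field.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_port_entry(e) for e in value.split(", "))
            elif key == "OS":
                rec["os"] = value
    return dict(hosts)


def open_ports(rec, proto=None):
    """Ports confirmed open (state exactly 'open'; 'open|filtered' is not a confirmation)."""
    return sorted(p["port"] for p in rec["ports"]
                  if p["state"] == "open" and (proto is None or p["proto"] == proto))


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Answer to 5.3.4: which hosts have e.g. 80/tcp or 443/tcp open."""
    return sorted(ip for ip, rec in hosts.items()
                  if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                         for p in rec["ports"]))


def top_hosts_by_open_ports(hosts, n=10):
    """Answer to 5.3.2: the n hosts with the most open ports."""
    return sorted(hosts, key=lambda ip: len(open_ports(hosts[ip])), reverse=True)[:n]


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for ip in top_hosts_by_open_ports(hosts):
        print(ip, hosts[ip]["os"], open_ports(hosts[ip]))
    print("web servers:", hosts_with_open_port(hosts, 80), hosts_with_open_port(hosts, 443))
```

Produce the input with -oG scan.gnmap (or -oA to get normal, grepable and XML at once); the XML form is richer, but grepable is one line per host and survives grep and awk, which is why it exists.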
6. Scanning Lab 2
6.1 Summary of Findings
We found several vulnerabilities using both OpenVAS and Nessus. These included several critical SMB vulnerabilities and several potential web application attack vectors.
6.2 Recommendation
Patching SMB on all machines is highly recommended, as the findings could allow remote code execution and loss of data and availability. Code review and penetration testing of all web applications is also highly recommended if these applications are publicly accessible.
6.3 Detail of Findings
6.3.1 Download and install the Nessus Vulnerability Scanner on your attack platform.
a. Downloaded from tenable.com.
b. nessus.org redirects to tenable.com: Products > Nessus > Try Nessus > under Vulnerability Scanning, "Try Now".
c. Registered using a uat.edu e-mail address.
d. Nessus installed with no issues; plug-ins were updated and installed automatically when it was run for the first time.
6.3.2 Fire up one of your vulnerable VMs (target) that you have been working with so you can scan it.
a. VMs are up and ready to scan.
6.3.2 Enter the IP address of the target system into Nessus and scan it.
a. The first scan was run against the whole range, 172.16.112.0/24, using the "Basic Network Scan" template. It immediately started populating the "Hosts" section with results; Nessus does its own host discovery when performing this type of scan. Many vulnerabilities were detected across all hosts, including our attack platforms.
6.3.3 Create a new custom scan policy in Nessus and name it "MyPolicy". In this new policy trim down the vulnerability checks so that they are more relevant to the operating system you are scanning. Give a few examples of checks that you removed. Give a few examples of checks that you kept.
a. While creating "MyPolicy," we removed several Linux plug-in families, including CentOS Local Security, Fedora Local Security, Debian Local Security, FreeBSD Local Security, and Gentoo Local Security, among many others. We also removed MacOS X Local Security, Mobile Devices, and Palo Alto Local Security.
b. Some examples of plug-in families we kept were Windows: Microsoft Bulletins, Windows: User management, Peer-to-Peer File Sharing, Web Servers, and FTP.
6.3.4 Scan the IP address of the target system again using the new "MyPolicy" that you created.
a. The second time we scanned specific addresses using "MyPolicy": 172.16.112.20 and 172.16.112.25, WINVUL and the 2003 Server respectively.
6.3.5 Do you see any items you suspect as false positives? Why do you believe them to be false?
a. There are several items that appear in only one of Nessus or OpenVAS:
   i. MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
   ii. Web Application Potentially Vulnerable to Clickjacking
   iii. Web Server Transmits Clear-text Credentials
b. These are the most likely candidates for false positives; however, several of them are easily validated. The clear-text credentials finding, for example, is simply a consequence of the site using unencrypted HTTP. The clickjacking finding is probably another symptom of the many web vulnerabilities that show up, including XSS and SQLi (the check itself fires when a page lacks an X-Frame-Options or equivalent frame-ancestors header, so it can be confirmed by inspecting the response headers). The RPC vulnerability, however, only turned up in OpenVAS and is therefore the most suspect; further testing, such as exploitation, is required to determine its accuracy.
c. Many other vulnerabilities show up in one scanner but not both; however, the majority of these are for the same application, which suggests they are real and that each scanner simply does not check every vulnerability for that application. Outdated applications often have many vulnerabilities, so discovering all of them is challenging for any single vulnerability scanner.
6.3.6 Do you believe that there are vulnerabilities on the system that the vulnerability scanner didn't find? Why do you believe so?
a. I do think there are likely other vulnerabilities, since there are only so many things a vulnerability scanner can check. In particular, web application vulnerabilities are often missed by vulnerability scanners because finding and using them takes some creativity. It already found XSS vulnerabilities, and web application vulnerabilities generally open the door to further, more advanced attacks.
6.3.7 Export the data from the scan in NBE format.
a. The .nbe format is no longer supported by newer versions of Nessus; it has been supplanted by the .nessus (XML) format. A .nessus document with the scan results is enclosed in the zip file.
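Reconciling findings between two scanners, done by hand in 6.3.5, and reading the .nessus export from 6.3.7 can be scripted. The following added example (not the report's code) parses a .nessus v2 document and diffs it against an OpenVAS result list, keying on CVE where one exists and on a normalized plugin title otherwise. Both inputs are constructed: the Nessus XML follows the NessusClientData_v2 layout and reuses the plugin titles quoted above, with illustrative plugin IDs, ports and severities; the OpenVAS list is invented in the same spirit. Findings without a CVE (the clickjacking and XSS items) show why title matching across scanners needs a human pass.

```python
"""Parse a .nessus (NessusClientData_v2) export and diff it against OpenVAS findings.

Added example for this report (not the original's code). Both data sets below
are constructed; plugin IDs, ports and severities are illustrative only.
"""
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="MyPolicy scan">
    <ReportHost name="172.16.112.20">
      <HostProperties>
        <tag name="operating-system">Microsoft Windows XP Service Pack 3</tag>
      </HostProperties>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="85582"
                  pluginName="Web Application Potentially Vulnerable to Clickjacking" pluginFamily="Web Servers">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="26194"
                  pluginName="Web Server Transmits Cleartext Credentials" pluginFamily="Web Servers">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="39466"
                  pluginName="CGI Generic Cross-Site Scripting (quick test)" pluginFamily="CGI abuses : XSS">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="35362"
                  pluginName="MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)" pluginFamily="Windows">
        <cve>CVE-2008-4834</cve>
        <cve>CVE-2008-4835</cve>
        <cve>CVE-2008-4114</cve>
        <risk_factor>Critical</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed OpenVAS results in the shape of its CSV/JSON export, one dict per finding.
SAMPLE_OPENVAS = [
    {"host": "172.16.112.20", "port": "445/tcp", "severity": 10.0,
     "name": "Microsoft Windows Server Service Remote Code Execution Vulnerability (958644)",
     "cves": ["CVE-2008-4250"]},
    {"host": "172.16.112.20", "port": "445/tcp", "severity": 10.0,
     "name": "Microsoft Windows SMB Remote Code Execution Vulnerabilities (958687)",
     "cves": ["CVE-2008-4834", "CVE-2008-4835", "CVE-2008-4114"]},
    {"host": "172.16.112.20", "port": "80/tcp", "severity": 4.3,
     "name": "Cross-Site Scripting (XSS) in web application", "cves": []},
]


def parse_nessus(xml_text):
    """Flatten ReportHost/ReportItem elements into finding dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "name": item.get("pluginName"),
                "plugin_id": item.get("pluginID"),
                "severity": int(item.get("severity")),       # Nessus scale 0-4
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings


def finding_keys(f):
    """One key per CVE when CVEs exist; otherwise a normalized title. Titles differ
    between scanners, so title-keyed findings need manual matching."""
    if f["cves"]:
        return {(f["host"], f["port"], "cve:" + c.upper()) for c in f["cves"]}
    title = "".join(ch for ch in f["name"].lower() if ch.isalnum())
    return {(f["host"], f["port"], "title:" + title)}


def diff_scanners(nessus, openvas):
    """Partition findings into those both scanners report and those only one reports."""
    n = set().union(*(finding_keys(f) for f in nessus))
    o = set().union(*(finding_keys(f) for f in openvas))
    return {"both": n & o, "nessus_only": n - o, "openvas_only": o - n}


if __name__ == "__main__":
    result = diff_scanners(parse_nessus(SAMPLE_NESSUS), SAMPLE_OPENVAS)
    for bucket, keys in result.items():
        print(bucket)
        for key in sorted(keys):
            print("   ", key)
```

Anything in the single-scanner buckets is the candidate false-positive list from 6.3.5; anything in both still needs validation, but agreement between two independent checks is a reasonable reason to prioritize it.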
6.3.8 Create a zip file containing your lab memo documentation and the NBE file and submit that in the dropbox for this assignment.
7. Penetration Lab
7.1 Summary of Findings
We found several remote, web, and client-side attacks against two Windows computers on the company network. Using these, we were able to view sensitive information such as password hashes and database entries, and to install a Python backdoor on the network. These could result in loss of sensitive information and/or disruption of business operations. See Appendix F for the sensitive information discovered.
7.2 Recommendation
Upgrade all Windows computers to an operating system still supported by Microsoft and set up a regular patching cycle so that security vulnerabilities are fixed in a timely manner. Hire a security engineer to fix the web-based vulnerabilities and have third-party code review done on future web-based projects. If the databases are crucial to business continuity, consider migrating to different database management software, or update the present software.
7.3 Detail of Findings
7.3.1 Windows XP
a. IP: 172.16.112.20
   i. CVE-2008-4250 (MS08-067)
      1. Severity: HIGH
      2. This vulnerability allows remote code execution via a crafted RPC request to the Windows Server service, reached over SMB on port 445 (or 139 via NetBIOS). Worse, a successful exploit runs as SYSTEM.
      3. Microsoft has released a patch for the vulnerability. It is recommended to apply it and bring XP up to the latest service pack and patch level. If that is not possible, block external connections to port 445 (and 139) at the firewall.
   ii. Weak MS SQL Credentials (No CVE)
      1. Severity: HIGH
      2. The database running on this server uses the default credentials "sa" with no password. This can be leveraged to read sensitive database information, and to gain remote code execution (for example through xp_cmdshell, or by writing a shell to the web root).
      3. Set a strong password on the MS SQL sa account (and disable xp_cmdshell if it is not needed) to prevent brute-force attempts and data compromise.
   iii. SQL Injection Web Vulnerability (No CVE)
      1. Severity: HIGH
      2. This vulnerability allows any remote attacker with access to the web login page to retrieve database contents and to upload an interactive shell.
      3. The cause is improper input handling: user input is concatenated straight into the SQL query. Revising the site's code to use prepared (parameterized) statements and to validate input will remedy this vulnerability.
   iv. CVE-2006-0003 (MS06-014)
      1. Severity: MEDIUM
      2. This vulnerability in Internet Explorer is triggered when a user visits an attacker's specially crafted web page, which exploits the RDS.Dataspace ActiveX control shipped with Microsoft Data Access Components (MDAC).
      3. Microsoft has released a patch for the vulnerability. It is recommended to apply it and bring XP up to the latest patch level.
   v. Guest Account with blank password (No CVE)
      1. Severity: LOW
      2. There is a disabled Guest account with a blank password.
      3. The built-in Guest account cannot be deleted; it should stay disabled and be given a password so that it cannot be used if it is ever re-enabled.
7.3.2 Windows Server 2003
a. IP: 172.16.112.25
   i. CVE-2008-4250
      1. Severity: HIGH
      2. This vulnerability allows remote code execution via a crafted RPC request to the SMB NetBIOS service running on port 445. Worse, this vulnerability grants full System access if exploited.
      3. Microsoft has released a patch for the vulnerability. It is recommended to patch to the latest version of XP. If that is not possible, blocking external connections over port 445 on the firewall is recommended.
   ii. Weak MS SQL Credentials (No CVE)
      1. Severity: HIGH
      2. The database running on this server has default credentials of "sa:(no password)". This can be leveraged to compromise sensitive database information, as well as to get remote code execution via an uploaded shell.
      3. Set a strong password on the MS SQL database to prevent possible brute-force attempts and data compromise.
   iii. SQL Injection Web Vulnerability (No CVE)
      1. Severity: HIGH
      2. This vulnerability allows any remote attacker with access to the web login page to retrieve database information as well as upload an interactive shell.
      3. This is due to improper input sanitization and variable handling. Revising the code on the site to use prepared statements and sanitize input will remedy this vulnerability.
   iv. Guest Account with blank password (No CVE)
      1. Severity: LOW
      2. There is a deactivated guest account with blank credentials.
      3. This should be removed if it is no longer in use.
7.3.3 Ubuntu (pWnOS)
a. IP: 10.10.10.100
   i. SQL Injection Web Vulnerability (No CVE)
      1. Severity: HIGH
      2. This vulnerability allows any remote attacker with access to the web login page to retrieve database information as well as upload an interactive shell.
      3. This is due to improper input sanitization and variable handling. Revising the code on the site to use prepared statements and sanitize input will remedy this vulnerability.
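The same SQL injection finding appears on the Windows XP, Windows Server 2003 and pWnOS hosts, and the remedy is the same each time: prepared statements. The example below is added here and is not code from the report or from the assessed applications; it uses SQLite in memory as a stand-in for the sites' databases (the login functions and user table are hypothetical) and shows the concatenated query beside the bound-parameter version, with a regression check a developer can keep in the test suite to tell them apart.

```python
import sqlite3


def make_db():
    """In-memory stand-in for a site's user table (constructed sample data, not
    from the report). SQLite is used so the example runs offline; the
    concatenation-versus-binding distinction is the same on MS SQL and MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'CorrectHorseBatteryStaple')")
    return conn


def login_concatenated(conn, username, password):
    """The defect behind the finding (hypothetical login code): user input is
    spliced into the SQL text, so a quote in the input changes the query's
    structure instead of being compared as a value."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_prepared(conn, username, password):
    """The fix the report recommends: a prepared statement. The query shape is
    fixed at '?' placeholders and the driver binds the values separately, so
    whatever the user typed is only ever data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def regression_check(login):
    """Keep this beside the login code: valid credentials must log in, wrong
    ones must not, and quote or comment characters in the input must behave as
    plain data. Returns True only when the login function is safe."""
    conn = make_db()
    tautology = "' OR '1'='1"   # the textbook probe a scanner would also send
    return (login(conn, "admin", "CorrectHorseBatteryStaple")
            and not login(conn, "admin", "wrong")
            and not login(conn, "admin", tautology)
            and not login(conn, "nobody'--", "x"))


if __name__ == "__main__":
    print("concatenated safe:", regression_check(login_concatenated))  # False
    print("prepared safe:    ", regression_check(login_prepared))      # True
```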
7.3.4 Slax (Hackerdemia)
a. IP: 192.168.1.123
   i. Directory Listing
      1. Severity: LOW
      2. The /inc folder in the web root is browsable, letting a visitor see the names of all the .php files in it (their contents cannot be viewed, since they are executed server-side) and learn the structure of the web server.
      3. Adding rules to the .htaccess file for the /inc folder to prevent browsing is recommended.
   ii. SMTP Enumeration
      1. Severity: LOW
      2. The SMTP mail server can be enumerated using the Metasploit module auxiliary/scanner/smtp/smtp_enum. This provided a list of email accounts stored by the server.
      3. Updating the sendmail configuration to not allow enumeration is recommended.
7.4 Tools Used

7.4.1 Metasploit Framework
We used the Metasploit Framework to launch both the MS08-067 and IE Create Object attacks, as well as to gain a shell using the default MS SQL credentials. Once in, Metasploit's meterpreter shell let us dump user hashes and upload/download files.
One of the files uploaded was a backdoor that we wrote. This was written in Python 2.7; it performs a reverse connection to our attack platform and provides access to the system whenever wanted. The source code of this script is included in the zip file with this report. Name: pythonBD.py (Note: the entire code is commented out to negate risk during code review.)
7.4.2 SQLMap
To dump the databases, we used manual and automated SQL injection. For the automation we used SQLMap, a Python-based tool that, once it knows the database type, can traverse tables and reveal database information.
7.4.3 Burp Suite
To find potentially injectable fields, we used Burp Suite to capture POST requests with parameters which could be injectable. SQLMap would then replay those saved requests while testing the injectable field with SQL queries.
7.4.4 Hashcat
For cracking the hashes, we used hashcat 3.0. To maximize results, we used the GPU cracking options, which let us run the dumped hashes against over 500 million passwords from several wordlists, as well as test every alphanumeric password up to eight characters.
7.4.5 Hydra
While we did not get any results, we used Hydra to test for weak credentials on the SMTP service of the Ubuntu (Hackerdemia) box. We did this using the users leaked by the SMTP service.
7.4.6 BEEF XSS Framework
We tested and experimented with BeEF (Browser Exploitation Framework), which yielded few results because we did not find any XSS or CSRF vulnerabilities. However, an attacker with the same shell access we obtained could edit the web applications to include client-side XSS attacks such as CSRF and session hijacking using BeEF or other means.
Appendix A

People-searching websites used:
www.peekyou.com
www.411.com
www.spokeo.com
www.rehold.com
www.whitepages.com
http://people.equilar.com/

Tools used:
Recon-ng
Maltego
Burp Suite
dnsenum.pl
Python
Bash
Appendix B
Employee and Executive Information Name
Position
Professional Email
Tim Mahoney
President
[email protected]
Rob Ferris
Vice President, External Communication
Bob Morrison
Controls Software Integration
James Bryson
[email protected]
https://www.linkedin.c om/in/rob-ferris54109a6
[email protected]
https://www.linkedin.c om/in/bob-morrison895a7561
[email protected] james.bryson@honey well.com
James Mcqueeney
LinkedIn
Phone Number
Address
4807060472
16065 S 18th Place, Phoenix AZ
https://uk.linkedin.com /in/james-bryson723b591
[email protected] [email protected]
Dan Morket
[email protected]
Carey Smith
President of Defense and Space
[email protected]
https://www.linkedin.c om/in/carey-smith7545a613
Carl Esposito
VP, Marketing and Product Management
[email protected]
https://www.linkedin.c om/in/carl-espositob821848
Bill Reavis
Dir. Media Relations
[email protected]
https://www.linkedin.c om/in/bill-reavis3853125a
Karen Crabtree
Vice President of Marketing and Product Management
[email protected]
https://www.linkedin.c om/in/carl-espositob821848
Samantha Tiger
[email protected]
Douglas Welch
Sr. Network Security Engineer
[email protected]
https://www.linkedin.c om/in/doug-welch238a813a
Clifford Vaughan
Solution Engineer
[email protected]
https://www.linkedin.c om/in/cvaughan3
David Snyder
Process Engineer
[email protected]
https://www.linkedin.c om/in/david-snyder56b07861
7000 Columbia Gateway Drive, Columbia, MD
Naseeba Ali
[email protected]
Kimberly Forrer
Real Estate Portfolio Manager
[email protected]
https://www.linkedin.c om/in/kimberly-forrer63475824
Roth Eddings
Director, External Communications
[email protected]
https://www.linkedin.c om/in/rob-ferris54109a6
John Wyrwas
Director of Program Management
[email protected]
https://www.linkedin.c om/in/john-wyrwas3b569a11
1 Rock Island Arsenal Rock Island IL
Alan Thompson
EMEA VAT Manager
https://uk.linkedin.com /in/alan-thompson79524b15
2800 Eisenhower Ave, Alexandria
https://www.linkedin.c om/in/catherineschade-52a6b354
6078 Shawnee Court, Bettendorf IA
Catherine Schade
[email protected] Alan.Thompson2@Honey well.com
[email protected]
ARIN network details

Net Range: 129.30.0.0 - 129.30.255.255
CIDR: 129.30.0.0/16
Name: HONEYWELL
Organization: Honeywell International, Inc.
Email address in comments: [email protected]

Net Range: 165.195.0.0 - 165.195.255.255
CIDR: 165.195.0.0/16
Name: HONEYWELL
Organization: Honeywell International Inc.

Net Range: 199.61.0.0 - 199.64.255.255
CIDR: 199.61.0.0/16, 199.62.0.0/15, 199.64.0.0/16
Name: HONEYWELL
Organization: Honeywell International Inc.
Appendix C
poc.sh & poc.py full raw output file contents:

HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Set-Cookie: ISAWPLB{D8A4C545-3B43-410C-A99C-C401BC720537}={0EE049A3-30DA431B-BEA2-7712B9811104}; HttpOnly; Path=/
Content-Length: 147
Date: Fri, 10 Jun 2016 23:25:40 GMT
Location: http://www.honeywell.com
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> honeywell.com ANY +noall +answer
;; global options: +cmd
honeywell.com.    123    IN  A    199.64.218.61
honeywell.com.    14398  IN  NS   dns1.honeywell.com.
honeywell.com.    14398  IN  NS   dns2.honeywell.com.
honeywell.com.    14398  IN  SOA  de08undgm01.honeywell.com. hostmaster.honeywell.com. 2015092460 7200 3600 604800 86400
honeywell.com.    298    IN  MX   15 honeywellcom.mail.protection.outlook.com.
honeywell.com.    14398  IN  TXT  "google-site-verification=FKijZCsx1UCydtYo2KJ1YIKBI-UaCa0JD3NzSI8BhG4"
honeywell.com.    14398  IN  TXT  "MS=ms35314715"
honeywell.com.    14398  IN  TXT  "v=spf1 ip4:199.64.220.26 ip4:199.61.24.27 ip4:199.15.215.105 ip4:198.245.81.13 include:mktomail.com include:spf.messaging.microsoft.com a mx ?all"
honeywell.com.    14398  IN  TXT  "3uvUsWYLVTiRB+qIRL4SugHQhjKlHiDFExvbhDey/CL+oX66+F4TIJzPH97ktR/dJPZjSrX5BMjhiQUqvSeH7A=="

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=199.64.218.61?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       199.61.0.0 - 199.64.255.255
CIDR:           199.61.0.0/16, 199.62.0.0/15, 199.64.0.0/16
NetName:        HONEYWELL
NetHandle:      NET-199-61-0-0-1
Parent:         NET199 (NET-199-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Honeywell International Inc. (HONEY-13)
RegDate:        1993-11-23
Updated:        2012-02-24
Ref:            https://whois.arin.net/rest/net/NET-199-61-0-0-1

OrgName:        Honeywell International Inc.
OrgId:          HONEY-13
Address:        101 Columbia Road
City:           Morristown
StateProv:      NJ
PostalCode:     07962
Country:        US
RegDate:        2007-07-19
Updated:        2015-07-09
Ref:            https://whois.arin.net/rest/org/HONEY-13

OrgAbuseHandle: ABUSE106-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-480-592-1137
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE106-ARIN

OrgNOCHandle:   CERF-HM-ARIN
OrgNOCName:     ATand T Enhanced Network Services
OrgNOCPhone:    +1-858-812-5000
OrgNOCEmail:    [email protected]
OrgNOCRef:      https://whois.arin.net/rest/poc/CERF-HM-ARIN

OrgTechHandle:  RTE57-ARIN
OrgTechName:    Eddings, Roth T
OrgTechPhone:   +1-480-287-4158
OrgTechEmail:   [email protected]
OrgTechRef:     https://whois.arin.net/rest/poc/RTE57-ARIN

OrgTechHandle:  DGW24-ARIN
OrgTechName:    welch, douglas grant
OrgTechPhone:   +1-602-436-0406
OrgTechEmail:   [email protected]
OrgTechRef:     https://whois.arin.net/rest/poc/DGW24-ARIN

OrgTechHandle:  CV136-ARIN
OrgTechName:    Vaughan, Cliff
OrgTechPhone:   +1-480-592-5125
OrgTechEmail:   [email protected]
OrgTechRef:     https://whois.arin.net/rest/poc/CV136-ARIN

RTechHandle:    CV136-ARIN
RTechName:      Vaughan, Cliff
RTechPhone:     +1-480-592-5125
RTechEmail:     [email protected]
RTechRef:       https://whois.arin.net/rest/poc/CV136-ARIN

RNOCHandle:     CV136-ARIN
RNOCName:       Vaughan, Cliff
RNOCPhone:      +1-480-592-5125
RNOCEmail:      [email protected]
RNOCRef:        https://whois.arin.net/rest/poc/CV136-ARIN

RAbuseHandle:   ABUSE106-ARIN
RAbuseName:     Abuse
RAbusePhone:    +1-480-592-1137
RAbuseEmail:    [email protected]
RAbuseRef:      https://whois.arin.net/rest/poc/ABUSE106-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
DNS ENUM RESULTS:
Appendix D
Ping Sweep Results (From Section 5.3.1):

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-22 16:14 MST
Nmap scan report for 172.16.112.1
Host is up (0.00058s latency).
MAC Address: 00:50:56:A5:B6:7E (VMware)
Nmap scan report for 172.16.112.5
Host is up (0.00055s latency).
MAC Address: 00:50:56:A5:4D:A2 (VMware)
Nmap scan report for 172.16.112.11
Host is up (0.00053s latency).
MAC Address: 00:50:56:A5:CA:AA (VMware)
Nmap scan report for 172.16.112.20
Host is up (-0.087s latency).
MAC Address: 00:50:56:A5:29:9A (VMware)
Nmap scan report for 172.16.112.25
Host is up (0.00053s latency).
MAC Address: 00:50:56:A5:FD:A5 (VMware)
Nmap scan report for 172.16.112.7
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.34 seconds
TCP Port Scan Results (From Section 5.3.2):

8 open ports found on 172.16.112.20
6 open ports found on 172.16.112.25

Result:
Nmap scan report for 172.16.112.20
Host is up (0.00034s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:50:56:A5:29:9A (VMware)

Nmap scan report for 172.16.112.25
Host is up (0.00029s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
MAC Address: 00:50:56:A5:FD:A5 (VMware)
UDP Port Scan Results (From Section 5.3.2):

11 ports found on 172.16.112.20
9 ports found on 172.16.112.25

Results:
Nmap scan report for 172.16.112.20
Host is up (0.00033s latency).
Not shown: 989 closed ports
PORT     STATE         SERVICE
123/udp  open          ntp
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1026/udp open|filtered win-rpc
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
3456/udp open|filtered IISrpc-or-vat
4500/udp open|filtered nat-t-ike
MAC Address: 00:50:56:A5:29:9A (VMware)

Nmap scan report for 172.16.112.25
Host is up (0.00038s latency).
Not shown: 991 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
162/udp  open|filtered snmptrap
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1434/udp open|filtered ms-sql-m
4500/udp open|filtered nat-t-ike
MAC Address: 00:50:56:A5:FD:A5 (VMware)
Web Port Scan Results (From Section 5.3.4):

Port 443 is open on 172.16.112.1
Ports 80/443 are open on 172.16.112.20
Port 80 is open on 172.16.112.25

Results:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-23 15:28 MST
Nmap scan report for 172.16.112.1
Host is up (0.00038s latency).
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https
MAC Address: 00:50:56:A5:B6:7E (VMware)

Nmap scan report for 172.16.112.20
Host is up (0.00028s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:50:56:A5:29:9A (VMware)

Nmap scan report for 172.16.112.25
Host is up (0.00032s latency).
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
MAC Address: 00:50:56:A5:FD:A5 (VMware)
Scan Report with Reason for State (From Section 5.3.5):

Nmap scan report for 172.16.112.1
Host is up, received arp-response (0.00038s latency).
Scanned at 2016-06-23 15:49:03 MST for 1219s
Not shown: 1996 closed ports
Reason: 998 port-unreaches and 998 resets
PORT     STATE         SERVICE       REASON
22/tcp   open          ssh           syn-ack ttl 64
443/tcp  open          https         syn-ack ttl 64
514/udp  open|filtered syslog        no-response
4500/udp open|filtered nat-t-ike     no-response
MAC Address: 00:50:56:A5:B6:7E (VMware)

Nmap scan report for 172.16.112.20
Host is up, received arp-response (0.00034s latency).
Scanned at 2016-06-23 15:49:03 MST for 1214s
Not shown: 1981 closed ports
Reason: 992 resets and 989 port-unreaches
PORT     STATE         SERVICE       REASON
21/tcp   open          ftp           syn-ack ttl 128
25/tcp   open          smtp          syn-ack ttl 128
80/tcp   open          http          syn-ack ttl 128
135/tcp  open          msrpc         syn-ack ttl 128
139/tcp  open          netbios-ssn   syn-ack ttl 128
443/tcp  open          https         syn-ack ttl 128
445/tcp  open          microsoft-ds  syn-ack ttl 128
1025/tcp open          NFS-or-IIS    syn-ack ttl 128
123/udp  open          ntp           udp-response ttl 128
137/udp  open          netbios-ns    udp-response ttl 128
138/udp  open|filtered netbios-dgm   no-response
161/udp  open|filtered snmp          no-response
445/udp  open|filtered microsoft-ds  no-response
500/udp  open|filtered isakmp        no-response
1026/udp open|filtered win-rpc       no-response
1434/udp open|filtered ms-sql-m      no-response
1900/udp open|filtered upnp          no-response
3456/udp open|filtered IISrpc-or-vat no-response
4500/udp open|filtered nat-t-ike     no-response
MAC Address: 00:50:56:A5:29:9A (VMware)

Nmap scan report for 172.16.112.25
Host is up, received arp-response (0.00037s latency).
Scanned at 2016-06-23 15:49:03 MST for 1219s
Not shown: 1985 closed ports
Reason: 994 resets and 991 port-unreaches
PORT     STATE         SERVICE       REASON
80/tcp   open          http          syn-ack ttl 128
135/tcp  open          msrpc         syn-ack ttl 128
139/tcp  open          netbios-ssn   syn-ack ttl 128
445/tcp  open          microsoft-ds  syn-ack ttl 128
1025/tcp open          NFS-or-IIS    syn-ack ttl 128
1433/tcp open          ms-sql-s      syn-ack ttl 128
123/udp  open|filtered ntp           no-response
137/udp  open          netbios-ns    udp-response ttl 128
138/udp  open|filtered netbios-dgm   no-response
161/udp  open|filtered snmp          no-response
162/udp  open|filtered snmptrap      no-response
445/udp  open|filtered microsoft-ds  no-response
500/udp  open|filtered isakmp        no-response
1434/udp open|filtered ms-sql-m      no-response
4500/udp open|filtered nat-t-ike     no-response
MAC Address: 00:50:56:A5:FD:A5 (VMware)
OS Scan Result (From Section 5.3.9):

Nmap scan report for 172.16.112.1
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
MAC Address: 00:50:56:A5:B6:7E (VMware)
Device type: general purpose
Running: OpenBSD 5.X
OS CPE: cpe:/o:openbsd:openbsd:5
OS details: OpenBSD 5.0 - 5.4
Network Distance: 1 hop

Nmap scan report for 172.16.112.20
Host is up (0.00036s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:50:56:A5:29:9A (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop

Nmap scan report for 172.16.112.25
Host is up (0.00042s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
MAC Address: 00:50:56:A5:FD:A5 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
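The scans in this appendix tell one consistent story: SMB on 445/tcp on both Windows hosts, MS SQL on 1433/tcp on 172.16.112.25, response TTLs of 128 on the Windows hosts and 64 on the OpenBSD host, and a set of UDP ports that only ever show as open|filtered because the probes were never answered. The example below is added here and is not code from the report; it parses an excerpt of the report's own --reason output into that triage. The TTL-based OS hint is a heuristic the example assumes (128 is the Windows default initial TTL, 64 is typical of Linux/BSD), not an nmap feature, and the watchlist is built from the findings in Section 7.3.

```python
import re

# Excerpt of this report's own "reason" scan output (Appendix D, Section 5.3.5),
# one record per line as nmap prints it.
SAMPLE_SCAN = """\
Nmap scan report for 172.16.112.1
Host is up, received arp-response (0.00038s latency).
PORT     STATE         SERVICE       REASON
22/tcp   open          ssh           syn-ack ttl 64
443/tcp  open          https         syn-ack ttl 64
514/udp  open|filtered syslog        no-response
MAC Address: 00:50:56:A5:B6:7E (VMware)
Nmap scan report for 172.16.112.20
Host is up, received arp-response (0.00034s latency).
PORT     STATE         SERVICE       REASON
80/tcp   open          http          syn-ack ttl 128
445/tcp  open          microsoft-ds  syn-ack ttl 128
137/udp  open          netbios-ns    udp-response ttl 128
161/udp  open|filtered snmp          no-response
MAC Address: 00:50:56:A5:29:9A (VMware)
Nmap scan report for 172.16.112.25
Host is up, received arp-response (0.00037s latency).
PORT     STATE         SERVICE       REASON
445/tcp  open          microsoft-ds  syn-ack ttl 128
1433/tcp open          ms-sql-s      syn-ack ttl 128
1434/udp open|filtered ms-sql-m      no-response
MAC Address: 00:50:56:A5:FD:A5 (VMware)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
TTL_RE = re.compile(r"\bttl (\d+)")

# Exposures this report's findings (Section 7.3) rate HIGH on the Windows hosts:
# SMB on 445/tcp (CVE-2008-4250) and MS SQL on 1433/tcp (default sa credentials).
WATCHLIST = {
    ("tcp", 445): "SMB reachable: patch MS08-067 or filter 445 at the firewall",
    ("tcp", 1433): "MS SQL reachable: verify sa has a strong password",
}


def parse_reason_scan(text):
    """Return {ip: [port records]} from nmap --reason text output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, reason = m.groups()
            ttl = TTL_RE.search(reason)
            current.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "reason": reason,
                            "ttl": int(ttl.group(1)) if ttl else None})
    return hosts


def os_hint(ports):
    """Initial-TTL heuristic (an assumption of this example, not an nmap
    feature): 128 is the Windows default, 64 is typical of Linux/BSD. Only
    positive responses (syn-ack, udp-response) carry a TTL."""
    ttls = {p["ttl"] for p in ports if p["ttl"] is not None}
    if 128 in ttls:
        return "Windows (ttl 128)"
    if 64 in ttls:
        return "Linux/BSD (ttl 64)"
    return "unknown"


def triage(text):
    """Per host: confirmed-open ports (a positive reason), unconfirmed
    open|filtered ports (no-response: the probe was dropped or the service
    never answered, so they need a targeted follow-up rather than a finding),
    an OS hint, and watchlist flags raised only on confirmed ports."""
    report = {}
    for ip, ports in parse_reason_scan(text).items():
        confirmed = [p for p in ports if p["state"] == "open"]
        unconfirmed = [p for p in ports if p["state"] != "open"]
        report[ip] = {
            "confirmed": [(p["proto"], p["port"]) for p in confirmed],
            "unconfirmed": [(p["proto"], p["port"]) for p in unconfirmed],
            "os_hint": os_hint(ports),
            "flags": [WATCHLIST[(p["proto"], p["port"])] for p in confirmed
                      if (p["proto"], p["port"]) in WATCHLIST],
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_SCAN).items():
        print(ip, info["os_hint"], info["flags"])
```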
Appendix E
Nessus MyPolicy.txt

I Summary
=========

This document reports on the results of an automatic security scan. The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue.

All dates are displayed using the timezone "Coordinated Universal Time", which is abbreviated "UTC".

Vendor security updates are not trusted.

Overrides are on. When a result has an override, this report uses the threat of the override.

Notes are included in the report.

This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level "Debug" are not shown. Issues with the threat level "False Positive" are not shown.

This report contains all 46 results selected by the filtering described above. Before filtering there were 46 results.

Scan started: Wed Jun 22 07:33:33 2016 UTC
Scan ended:   Wed Jun 22 07:39:26 2016 UTC
Task:         Immediate scan of IP 172.16.112.20

Host Summary
************

Host           High  Medium  Low  Log  False Positive
172.16.112.20  4     9       0    33   0
Total: 1       4     9       0    33   0

II Results per Host
===================

Host 172.16.112.20
******************

Scanning of this host started at: Wed Jun 22 07:33:44 2016 UTC
Number of results: 46
Port Summary for Host 172.16.112.20
-----------------------------------

Service (Port)     Threat Level
445/tcp            High
80/tcp             High
25/tcp             Medium
general/tcp        Log
general/icmp       Log
general/SMBClient  Log
general/CPE-T      Log
443/tcp            Log
21/tcp             Log
139/tcp            Log
1025/tcp           Log
Security Issues for Host 172.16.112.20
--------------------------------------

Issue
-----
NVT:    Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote
OID:    1.3.6.1.4.1.25623.1.0.900233
Threat: High (CVSS: 10.0)
Port:   445/tcp

Summary:
This host is missing a critical security update according to Microsoft Bulletin MS09-001.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Impact:
Successful exploitation could allow remote unauthenticated attackers to cause denying the service by sending a specially crafted network message to a system running the server service.

Impact Level: System/Network

Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Affected Software/OS:
Microsoft Windows 2K Service Pack 4 and prior.
Microsoft Windows XP Service Pack 3 and prior.
Microsoft Windows 2003 Service Pack 2 and prior.

Vulnerability Insight:
The issue is due to the way Server Message Block (SMB) Protocol software handles specially crafted SMB packets.

Vulnerability Detection Method:
Details: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote (OID: 1.3.6.1.4.1.25623.1.0.900233)
Version used: $Revision: 3183 $

References:
CVE: CVE-2008-4114, CVE-2008-4834, CVE-2008-4835
BID: 31179
Other:
http://www.milw0rm.com/exploits/6463
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Issue
-----
NVT:    Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468)
OID:    1.3.6.1.4.1.25623.1.0.902269
Threat: High (CVSS: 10.0)
Port:   445/tcp

Summary:
This host is missing a critical security update according to Microsoft Bulletin MS10-012.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Impact:
Successful exploitation will allow remote attackers to execute arbitrary code or cause a denial of service or bypass the authentication mechanism via brute force technique.

Impact Level: System/Application

Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx

Affected Software/OS:
Microsoft Windows 7
Microsoft Windows 2000 Service Pack and prior
Microsoft Windows XP Service Pack 3 and prior
Microsoft Windows Vista Service Pack 2 and prior
Microsoft Windows Server 2003 Service Pack 2 and prior
Microsoft Windows Server 2008 Service Pack 2 and prior

Vulnerability Insight:
- An input validation error exists while processing SMB requests and can be exploited to cause a buffer overflow via a specially crafted SMB packet.
- An error exists in the SMB implementation while parsing SMB packets during the Negotiate phase causing memory corruption via a specially crafted SMB packet.
- NULL pointer dereference error exists in SMB while verifying the 'share' and 'servername' fields in SMB packets causing denial of service.
- A lack of cryptographic entropy when the SMB server generates challenges during SMB NTLM authentication and can be exploited to bypass the authentication mechanism.

Vulnerability Detection Method:
Details: Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468) (OID: 1.3.6.1.4.1.25623.1.0.902269)
Version used: $Revision: 3183 $

References:
CVE: CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231
CERT: DFN-CERT-2010-0192
Other:
http://secunia.com/advisories/38510/
http://support.microsoft.com/kb/971468
http://www.vupen.com/english/advisories/2010/0345
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx
Issue
-----
NVT:    Microsoft Security Bulletin MS07-040
OID:    1.3.6.1.4.1.25623.1.0.101005
Threat: High (CVSS: 9.3)
Port:   80/tcp

Summary:
Microsoft .NET is affected by multiple critical vulnerabilities. Two of these vulnerabilities could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET.

Vulnerability Detection Result:
Missing MS07-040 patch, detected Microsoft .Net Framework version: 2.0.50727.42

Solution:
Microsoft has released an update to correct this issue, you can download it from the following web site:
http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx

Vulnerability Detection Method:
Details: Microsoft Security Bulletin MS07-040 (OID: 1.3.6.1.4.1.25623.1.0.101005)
Version used: $Revision: 3208 $

References:
CVE: CVE-2007-0041, CVE-2007-0042, CVE-2007-0043
Issue
-----
NVT:    Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
OID:    1.3.6.1.4.1.25623.1.0.900711
Threat: High (CVSS: 7.6)
Port:   80/tcp

Summary:
The host is running Microsoft IIS Webserver with WebDAV Module and is prone to remote authentication bypass vulnerability.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Impact:
Successful exploitation will let the attacker craft malicious UNICODE characters and send it over the context of IIS Webserver where WebDAV is enabled. As a result due to lack of security implementation check it will let the user fetch password protected directories without any valid authentications.

Impact Level: Application

Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx

Affected Software/OS:
Microsoft Internet Information Services version 5.0 to 6.0

Workaround:
Disable WebDAV or Upgrade to Microsoft IIS 7.0
http://www.microsoft.com/technet/security/advisory/971492.mspx

Vulnerability Insight:
Due to the wrong implementation of UNICODE characters support (WebDAV extension) for Microsoft IIS Server which fails to decode the requested URL properly. Unicode character checks are being done after IIS Server internal security check, which lets the attacker execute any crafted UNICODE character in the HTTP requests to get information on any password protected directories without any authentication schema.

Vulnerability Detection Method:
Details: Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.900711)
Version used: $Revision: 3264 $

References:
CVE: CVE-2009-1535
BID: 34993
Other:
http://view.samurajdata.se/psview.php?id=023287d6&page=2
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
http://downloads.securityfocus.com/vulnerabilities/exploits/34993.rb
http://downloads.securityfocus.com/vulnerabilities/exploits/34993.txt
Issue
-----
NVT:    Microsoft Windows SMTP Server DNS spoofing vulnerability
OID:    1.3.6.1.4.1.25623.1.0.100624
Threat: Medium (CVSS: 6.4)
Port:   25/tcp

Summary:
The Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server is prone to a DNS spoofing vulnerability. Successfully exploiting this issue allows remote attackers to spoof DNS replies, allowing them to redirect network traffic and to launch man-in-the-middle attacks.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Solution:
This issue is reported to be patched in Microsoft security advisory MS10-024, please see the references for more information.

Vulnerability Detection Method:
Details: Microsoft Windows SMTP Server DNS spoofing vulnerability (OID: 1.3.6.1.4.1.25623.1.0.100624)
Version used: $Revision: 3152 $

References:
CVE: CVE-2010-1690, CVE-2010-1689
BID: 39910, 39908
Other:
http://www.securityfocus.com/bid/39910
http://www.securityfocus.com/bid/39908
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0058.html
http://www.microsoft.com
http://www.coresecurity.com/content/CORE-2010-0424-windows-stmp-dns-query-idbugs
http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx
Issue
-----
NVT:    http TRACE XSS attack
OID:    1.3.6.1.4.1.25623.1.0.11213
Threat: Medium (CVSS: 5.8)
Port:   80/tcp

Summary:
Debugging functions are enabled on the remote HTTP server. The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Vulnerability Detection Result:

Solution:
Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
Solution: Disable these methods.

Vulnerability Detection Method:
Details: http TRACE XSS attack (OID: 1.3.6.1.4.1.25623.1.0.11213)
Version used: $Revision: 3362 $

References:
CVE: CVE-2004-2320, CVE-2003-1567
BID: 9506, 9561, 11604
CERT: CB-K14/0981, DFN-CERT-2014-1018
Other:
http://www.kb.cert.org/vuls/id/867593
Issue
----
NVT:    Microsoft Windows SMTP Server MX Record Denial of Service Vulnerability
OID:    1.3.6.1.4.1.25623.1.0.100596
Threat: Medium (CVSS: 5.0)
Port:   25/tcp

Summary:
The Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server is prone to a denial-of-service vulnerability and to an information-disclosure vulnerability. Successful exploits of the denial-of-service vulnerability will cause the affected SMTP server to stop responding, denying service to legitimate users. Attackers can exploit the information-disclosure issue to gain access to sensitive information. Any information obtained may lead to further attacks.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Solution:
Microsoft released fixes to address this issue. Please see the references for more information.

Vulnerability Detection Method:
Details: Microsoft Windows SMTP Server MX Record Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.100596)
Version used: $Revision: 3152 $

References:
CVE:   CVE-2010-0024, CVE-2010-0025
BID:   39308, 39381
CERT:  DFN-CERT-2010-0523
Other: http://www.securityfocus.com/bid/39308
       http://www.securityfocus.com/bid/39381
       http://www.microsoft.com
       http://support.avaya.com/css/P8/documents/100079218
       http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx
Issue
----
NVT:    Microsoft Security Bulletin MS06-033
OID:    1.3.6.1.4.1.25623.1.0.101009
Threat: Medium (CVSS: 5.0)
Port:   80/tcp

Summary:
This information disclosure vulnerability could allow an attacker to bypass ASP.NET security and gain unauthorized access to objects in the Application folders explicitly by name. This could be used to produce useful information that could be used to try to further compromise the affected system.

Vulnerability Detection Result:
Missing MS06-033 patch, detected Microsoft .Net Framework version: 2.0.50727.42

Solution:
Microsoft has released a patch to correct this issue. You can download it from the following web site:
http://www.microsoft.com/technet/security/bulletin/ms06-033.mspx

Vulnerability Detection Method:
Details: Microsoft Security Bulletin MS06-033 (OID: 1.3.6.1.4.1.25623.1.0.101009)
Version used: $Revision: 3208 $

References:
CVE: CVE-2006-1300
BID: 18920
Issue
----
NVT:    IIS Service Pack - 404
OID:    1.3.6.1.4.1.25623.1.0.11874
Threat: Medium (CVSS: 5.0)
Port:   80/tcp

Summary:
Ensure that the server is running the latest stable Service Pack.

Vulnerability Detection Result:
The remote IIS server *seems* to be Microsoft IIS 5.1 - SP0

Solution:
Solution type: VendorFix
The patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service pack level. As each service pack typically contains many security patches, the server may be at risk.
Caveat: This test makes assumptions about the remote patch level based on static return values (Content-Length) within the IIS server's 404 error message. As such, the test cannot be totally reliable and should be manually confirmed.

Vulnerability Detection Method:
Details: IIS Service Pack - 404 (OID: 1.3.6.1.4.1.25623.1.0.11874)
Version used: $Revision: 3301 $
Issue
----
NVT:    Microsoft IIS Tilde Character Information Disclosure Vulnerability
OID:    1.3.6.1.4.1.25623.1.0.802887
Threat: Medium (CVSS: 5.0)
Port:   80/tcp

Product detection result: cpe:/a:microsoft:iis:5.1
Detected by: Microsoft IIS Webserver Version Detection (OID: 1.3.6.1.4.1.25623.1.0.900710)

Summary:
This host is running Microsoft IIS Webserver and is prone to an information disclosure vulnerability.

Vulnerability Detection Result:
File/Folder name found on server starting with: aspnet

Impact:
Successful exploitation will allow remote attackers to obtain sensitive information that could aid in further attacks.
Impact Level: Application

Solution:
Solution type: WillNotFix
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable the respective features, remove the product or replace the product by another one.

Affected Software/OS:
Microsoft Internet Information Services versions 7.5 and prior

Vulnerability Insight:
Microsoft IIS fails to validate a specially crafted GET request containing a '~' tilde character, which discloses the 8.3 short names of folders and files that have long names (for example, names with four-letter extensions).

Vulnerability Detection Method:
Details: Microsoft IIS Tilde Character Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802887)
Version used: $Revision: 3046 $
Product Detection Result: Product: cpe:/a:microsoft:iis:5.1
Method: Microsoft IIS Webserver Version Detection (OID: 1.3.6.1.4.1.25623.1.0.900710)

References:
BID:   54251
Other: http://www.osvdb.org/83771
       http://www.exploit-db.com/exploits/19525
       http://code.google.com/p/iis-shortname-scanner-poc
       http://soroush.secproject.com/downloadable/iis_tilde_shortname_disclosure.txt
       http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
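The scanner stops at the first confirmed prefix ("aspnet"), so the finding above understates what the tilde oracle leaks. The following is an added example, not code from the report or from the cited PoC: it implements the prefix-by-prefix enumeration that the scanner only hints at, run against a constructed mock instead of 172.16.112.20. On real IIS 5.x/6.0 the oracle is the status code of `GET /<prefix>*~1*/.aspx` (404 when an 8.3 name matches, 400 otherwise); `make_oracle` stands in for that response, the web-root listing it is built from is made up for the demo, and `short_name` is a simplified 8.3 derivation that ignores `~2`.. collision numbering.

```python
"""Added example (not from the report): enumerate IIS 8.3 short names through
the tilde oracle, run here against a constructed mock instead of 172.16.112.20."""
from fnmatch import fnmatchcase

# Constructed directory listing standing in for the target's web root.
MOCK_WEBROOT = ["aspnet_client", "old", "printers", "localstart.asp",
                "Default.aspx", "iishelp"]

# Characters the real scanner tries; order only affects which name is found first.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_-"


def short_name(name: str):
    """Simplified Windows 8.3 short name (assumption: no ~2.. collisions).
    A name that already fits 8.3 has no separate short name, so return None."""
    base, _, ext = name.rpartition(".") if "." in name else (name, "", "")
    clean = lambda s: "".join(ch for ch in s.upper() if ch.isalnum() or ch in "_-")
    b, e = clean(base), clean(ext)
    if len(b) <= 8 and len(e) <= 3 and b == base.upper() and e == ext.upper():
        return None
    return f"{b[:6]}~1" + (f".{e[:3]}" if e else "")


def make_oracle(listing):
    """Mock of the IIS behaviour: True where the real server answers 404 to
    GET /<pattern>/.aspx because a short name matches, False where it answers 400."""
    shorts = [s for s in map(short_name, listing) if s]
    queries = []

    def oracle(pattern: str) -> bool:
        queries.append(pattern)
        return any(fnmatchcase(s, pattern.upper()) for s in shorts)

    oracle.queries = queries   # lets the caller count requests
    return oracle


def enumerate_short_names(oracle, charset=CHARSET):
    """Depth-first prefix search. Each confirmed character costs one request,
    so a 6-character name leaks in about 6*len(charset) requests, not 38**6."""
    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        for ch in charset:
            p = prefix + ch
            if not oracle(f"{p}*~1*"):            # nothing starts with p
                continue
            if len(p) == 6 or oracle(f"{p}~1*"):  # the short name is exactly p~1
                found.append(f"{p.upper()}~1")
            if len(p) < 6:                        # longer names may share the prefix
                stack.append(p)
    return sorted(found)


if __name__ == "__main__":
    oracle = make_oracle(MOCK_WEBROOT)
    names = enumerate_short_names(oracle)
    print(names, f"({len(oracle.queries)} requests)")
```

Against the mock this recovers ASPNET~1, DEFAUL~1 and LOCALS~1 in a few hundred requests; `old`, `printers` and `iishelp` already fit 8.3 and therefore have no short name to leak, which is also why the real scanner only ever reports long-named entries.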
Issue
----
NVT:    Microsoft ASP.NET Information Disclosure Vulnerability (2418042)
OID:    1.3.6.1.4.1.25623.1.0.901161
Threat: Medium (CVSS: 5.0)
Port:   80/tcp

Summary:
This host is missing a critical security update according to Microsoft Bulletin MS10-070.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Impact:
Successful exploitation could allow remote attackers to decrypt and gain access to potentially sensitive data encrypted by the server, or to read data from arbitrary files within an ASP.NET application. Obtained information may aid in further attacks.
Impact Level: System/Application

Solution:
Solution type: VendorFix
Run Windows Update and install the listed hotfixes, or download and apply the hotfixes mentioned in the advisory at the link below:
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

Affected Software/OS:
Microsoft ASP.NET 1.0
Microsoft ASP.NET 4.0
Microsoft ASP.NET 3.5.1
Microsoft ASP.NET 1.1 SP1 and prior
Microsoft ASP.NET 2.0 SP2 and prior
Microsoft ASP.NET 3.5 SP1 and prior

Vulnerability Insight:
The flaw is due to an error within ASP.NET in the handling of cryptographic padding when using encryption in CBC mode. This can be exploited to decrypt data via the error codes returned by an affected server (a padding oracle).

Vulnerability Detection Method:
Details: Microsoft ASP.NET Information Disclosure Vulnerability (2418042) (OID: 1.3.6.1.4.1.25623.1.0.901161)
Version used: $Revision: 3183 $

References:
CVE:   CVE-2010-3332
BID:   43316
CERT:  DFN-CERT-2011-0712, DFN-CERT-2010-1237
Other: http://www.vupen.com/english/advisories/2010/2429
       http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
       http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
       http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Issue
----
NVT:    Microsoft IIS IP Address/Internal Network Name Disclosure Vulnerability
OID:    1.3.6.1.4.1.25623.1.0.902796
Threat: Medium (CVSS: 5.0)
Port:   80/tcp

Summary:
The host is running Microsoft IIS Webserver and is prone to an IP address disclosure vulnerability.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Impact:
Successful exploitation will allow remote attackers to obtain the internal IP address or internal network name, which could assist in further attacks against the target host.
Impact Level: Application

Solution:
Solution type: VendorFix
Apply the hotfix for IIS 6.0 from the link below:
http://support.microsoft.com/kb/834141/#top

Affected Software/OS:
Microsoft Internet Information Services versions 4.0, 5.0, 5.1 and 6.0

Workaround:
Apply the workaround from the link below for IIS 4.0, 5.0 and 5.1:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180

Vulnerability Insight:
The flaw is due to an error while processing GET requests. When MS IIS receives a GET request without a Host header, the web server reveals its IP address in the Content-Location or Location field of the HTTP response headers.

Vulnerability Detection Method:
Details: Microsoft IIS IP Address/Internal Network Name Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902796)
Version used: $Revision: 3060 $

References:
BID:   3159
Other: http://support.microsoft.com/kb/834141/
       http://www.securityfocus.com/bid/3159/info
       http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180
       http://www.juniper.net/security/auto/vulnerabilities/vuln3159.html
Issue
----
NVT:    Microsoft Security Bulletin MS06-056
OID:    1.3.6.1.4.1.25623.1.0.101006
Threat: Medium (CVSS: 4.3)
Port:   80/tcp

Summary:
A cross-site scripting vulnerability exists in a server running a vulnerable version of the .NET Framework 2.0 that could inject a client-side script into the user's browser. The script could spoof content, disclose information, or take any action that the user could take on the affected web site.

Vulnerability Detection Result:
Missing MS06-056 patch, detected Microsoft .Net Framework version: 2.0.50727.42

Solution:
Microsoft has released a patch to correct this issue. You can download it from the following web site:
http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx

Vulnerability Detection Method:
Details: Microsoft Security Bulletin MS06-056 (OID: 1.3.6.1.4.1.25623.1.0.101006)
Version used: $Revision: 3208 $

References:
CVE: CVE-2006-3436
BID: 20337
Issue
----
NVT:    ICMP Timestamp Detection
OID:    1.3.6.1.4.1.25623.1.0.103190
Threat: Log (CVSS: 0.0)
Port:   general/icmp

Summary:
The remote host responded to an ICMP timestamp request. The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Log Method:
Details: ICMP Timestamp Detection (OID: 1.3.6.1.4.1.25623.1.0.103190)
Version used: $Revision: 3115 $

References:
CVE:   CVE-1999-0524
CERT:  CB-K15/1514, CB-K14/0632, DFN-CERT-2014-0658
Other: http://www.ietf.org/rfc/rfc0792.txt
Issue
----
NVT:    OS Detection
OID:    1.3.6.1.4.1.25623.1.0.105937
Threat: Log (CVSS: 0.0)
Port:   general/tcp

Summary:
This script consolidates the OS information detected by several NVTs and tries to find the best matching OS.

Vulnerability Detection Result:
Best matching OS: cpe:/o:microsoft:windows
Found by NVT 1.3.6.1.4.1.25623.1.0.105355 (FTP OS Identification)

Other OS detections (in order of reliability):
OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.102011 ()
OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.102002 (Detects remote operating system version)

Log Method:
Details: OS Detection (OID: 1.3.6.1.4.1.25623.1.0.105937)
Version used: $Revision: 2709 $
Issue
----
NVT:    arachni (NASL wrapper)
OID:    1.3.6.1.4.1.25623.1.0.110001
Threat: Log (CVSS: 0.0)
Port:   general/tcp

Summary:
This plugin uses the arachni Ruby command line to find web security issues. See the preferences section for arachni options. Note that OpenVAS uses a limited set of arachni options; for a more complete web assessment, use the standalone arachni tool for deeper or customized checks.

Vulnerability Detection Result:
Arachni could not be found in your system path. OpenVAS was unable to execute Arachni and to perform the scan you requested. Please make sure that Arachni is installed and that arachni is available in the PATH variable defined for your environment.

Log Method:
Details: arachni (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.110001)
Version used: $Revision: 3117 $
Issue
----
NVT:    Traceroute
OID:    1.3.6.1.4.1.25623.1.0.51662
Threat: Log (CVSS: 0.0)
Port:   general/tcp

Summary:
A traceroute from the scanning server to the target system was conducted. This traceroute is provided primarily for informational value only. In the vast majority of cases, it does not represent a vulnerability. However, if the displayed traceroute contains any private addresses that should not have been publicly visible, then you have an issue you need to correct.

Vulnerability Detection Result:
Here is the route from 172.16.112.11 to 172.16.112.20:
172.16.112.11
172.16.112.20

Solution:
Block unwanted packets from escaping your network.

Log Method:
Details: Traceroute (OID: 1.3.6.1.4.1.25623.1.0.51662)
Version used: $Revision: 2837 $
Issue
----
NVT:    SMB Remote Version Detection
OID:    1.3.6.1.4.1.25623.1.0.807830
Threat: Log (CVSS: 0.0)
Port:   general/tcp

Summary:
Detection of Server Message Block (SMB). This script sends an SMB Negotiate request and tries to get the version from the response.

Vulnerability Detection Result:
Only SMBv1 is enabled on remote target

Log Method:
Details: SMB Remote Version Detection (OID: 1.3.6.1.4.1.25623.1.0.807830)
Version used: $Revision: 3467 $
Issue
----
NVT:    CPE Inventory
OID:    1.3.6.1.4.1.25623.1.0.810002
Threat: Log (CVSS: 0.0)
Port:   general/CPE-T

Summary:
This routine uses information collected by other routines about CPE identities (http://cpe.mitre.org/) of operating systems, services and applications detected during the scan.

Vulnerability Detection Result:
172.16.112.20|cpe:/a:microsoft:ftp_service
172.16.112.20|cpe:/a:microsoft:.net_framework:2.0.50727.42
172.16.112.20|cpe:/a:microsoft:exchange_server
172.16.112.20|cpe:/a:microsoft:iis:5.1
172.16.112.20|cpe:/o:microsoft:windows

Log Method:
Details: CPE Inventory (OID: 1.3.6.1.4.1.25623.1.0.810002)
Version used: $Revision: 2837 $
Issue
----
NVT:    SMB Test
OID:    1.3.6.1.4.1.25623.1.0.90011
Threat: Log (CVSS: 0.0)
Port:   general/SMBClient

Summary:
Test remote host SMB functions.

Vulnerability Detection Result:
OS Version = WINDOWS 5.1
Domain = WORKGROUP
SMB Serverversion = WINDOWS 2000 LAN MANAGER

Log Method:
Details: SMB Test (OID: 1.3.6.1.4.1.25623.1.0.90011)
Version used: $Revision: 3376 $
Issue
----
NVT:    Anonymous FTP Checking
OID:    1.3.6.1.4.1.25623.1.0.900600
Threat: Log (CVSS: 0.0)
Port:   general/tcp

Summary:
This FTP server allows anonymous logins. A host that provides an FTP service may additionally provide anonymous FTP access as well. Under this arrangement, users do not strictly need an account on the host. Instead the user typically enters 'anonymous' or 'ftp' when prompted for a username. Although users are commonly asked to send their email address as their password, little to no verification is actually performed on the supplied data.

Vulnerability Detection Result:
Vulnerability was detected according to the Vulnerability Detection Method.

Solution:
If you do not want to share files, you should disable anonymous logins.

Log Method:
Details: Anonymous FTP Checking (OID: 1.3.6.1.4.1.25623.1.0.900600)
Version used: $Revision: 2833 $

References:
CVE: CVE-1999-0497
Issue
----
NVT:    FTP Banner Detection
OID:    1.3.6.1.4.1.25623.1.0.10092
Threat: Log (CVSS: 0.0)
Port:   21/tcp

Summary:
This plugin detects the FTP server banner.

Vulnerability Detection Result:
Remote FTP server banner :
220 Microsoft FTP Service

Log Method:
Details: FTP Banner Detection (OID: 1.3.6.1.4.1.25623.1.0.10092)
Version used: $Revision: 2622 $
Issue
----
NVT:    Services
OID:    1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port:   21/tcp

Summary:
This routine attempts to guess which service is running on the remote ports. For instance, it searches for a web server which could listen on a port other than 80 or 443 and makes this information available for other check routines.

Vulnerability Detection Result:
An FTP server is running on this port.
Here is its banner :
220 Microsoft FTP Service

Log Method:
Details: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
----
NVT:    SMTP Server type and version
OID:    1.3.6.1.4.1.25623.1.0.10263
Threat: Log (CVSS: 0.0)
Port:   25/tcp

Summary:
This detects the SMTP server's type and version by connecting to the server and processing the buffer received.

Vulnerability Detection Result:
Remote SMTP server banner :
220 WINVUL Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 6.0.2600.2180 ready at Wed, 22 Jun 2016 01:34:00 -0600

Solution:
Change the login banner to something generic.

Log Method:
Details: SMTP Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10263)
Version used: $Revision: 2599 $
Issue
----
NVT:    Services
OID:    1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port:   25/tcp

Summary:
This routine attempts to guess which service is running on the remote ports. For instance, it searches for a web server which could listen on a port other than 80 or 443 and makes this information available for other check routines.

Vulnerability Detection Result:
An SMTP server is running on this port.
Here is its banner :
220 WINVUL Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 6.0.2600.2180 ready at Wed, 22 Jun 2016 01:33:58 -0600

Log Method:
Details: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
----
NVT:    SMTP Missing Support For STARTTLS
OID:    1.3.6.1.4.1.25623.1.0.105091
Threat: Log (CVSS: 0.0)
Port:   25/tcp

Summary:
The remote mail server does not support the STARTTLS command.

Vulnerability Detection Result:
The remote mail server does not support the STARTTLS command.

Log Method:
Details: SMTP Missing Support For STARTTLS (OID: 1.3.6.1.4.1.25623.1.0.105091)
Version used: $Revision: 2823 $
Issue
----
NVT:    Microsoft Exchange Server Remote Detection
OID:    1.3.6.1.4.1.25623.1.0.111085
Threat: Log (CVSS: 0.0)
Port:   25/tcp

Summary:
The script checks the SMTP/POP3/IMAP server banner for the presence of Microsoft Exchange Server.

Vulnerability Detection Result:
Detected Microsoft Exchange
Version: 6.0.2600.2180
Location: 25/tcp
CPE: cpe:/a:microsoft:exchange_server
Concluded from version identification result:
220 WINVUL Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 6.0.2600.2180 ready at Wed, 22 Jun 2016 01:33:58 -0600
Service version: 6.0.2600.2180

Note: 6.0.2600.2180 is the Windows XP SP2 build of the IIS SMTP service, which advertises the same "Microsoft ESMTP MAIL Service" banner that Exchange does, and the OS fingerprinting in this scan reports Windows 5.1 (XP), on which Exchange Server does not run. Treat this detection, and the cpe:/a:microsoft:exchange_server entry in the CPE inventory, as a banner-based false positive unless confirmed by other means.

Log Method:
Details: Microsoft Exchange Server Remote Detection (OID: 1.3.6.1.4.1.25623.1.0.111085)
Version used: $Revision: 2880 $
Issue
----
NVT:    Microsoft dotNET version grabber
OID:    1.3.6.1.4.1.25623.1.0.101007
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
The remote host seems to have Microsoft .NET installed.

Vulnerability Detection Result:
OpenVAS detected Microsoft .NET Framework Version: 2.0.50727.42 and ASP.NET Version: 2.0.50727.42

Solution:
It is recommended to disable verbose error display to avoid version detection. This can be done through the IIS management console.

Log Method:
Details: Microsoft dotNET version grabber (OID: 1.3.6.1.4.1.25623.1.0.101007)
Version used: $Revision: 2837 $
Issue
----
NVT:    Windows SharePoint Services detection
OID:    1.3.6.1.4.1.25623.1.0.101018
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
The remote host is running Windows SharePoint Services. Microsoft SharePoint products and technologies include browser-based collaboration and a document-management platform. These can be used to host web sites that access shared workspaces and documents from a browser.

Vulnerability Detection Result:
Server: Microsoft-IIS/5.1
Operating System Type: Windows XP
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

Note: the evidence shown is only the generic IIS/ASP.NET response headers; confirm that SharePoint is actually present before carrying this detection into the findings.

Solution:
It is recommended to allow connections to this host only from trusted hosts or networks.

Log Method:
Details: Windows SharePoint Services detection (OID: 1.3.6.1.4.1.25623.1.0.101018)
Version used: $Revision: 3467 $
Issue
----
NVT:    HTTP Server type and version
OID:    1.3.6.1.4.1.25623.1.0.10107
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This detects the HTTP server's type and version.

Vulnerability Detection Result:
The remote web server type is :
Microsoft-IIS/5.1

Solution:
Configure your server to use an alternate name like 'Wintendo httpD w/Dotmatrix display'. Be sure to remove common logos like apache_pb.gif. With Apache, you can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

Log Method:
Details: HTTP Server type and version (OID: 1.3.6.1.4.1.25623.1.0.10107)
Version used: $Revision: 3564 $
Issue
----
NVT:    DIRB (NASL wrapper)
OID:    1.3.6.1.4.1.25623.1.0.103079
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This script uses DIRB to find directories and files on web applications via brute forcing.

Vulnerability Detection Result:
These are the directories/files found with brute force:
http://172.16.112.20:80/

Log Method:
Details: DIRB (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.103079)
Version used: $Revision: 3117 $
Issue
----
NVT:    Services
OID:    1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This routine attempts to guess which service is running on the remote ports. For instance, it searches for a web server which could listen on a port other than 80 or 443 and makes this information available for other check routines.

Vulnerability Detection Result:
A web server is running on this port

Log Method:
Details: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
----
NVT:    Web mirroring
OID:    1.3.6.1.4.1.25623.1.0.10662
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This script makes a mirror of the remote web site and extracts the list of CGIs that are used by the remote host. It is suggested you allow a long-enough timeout value for this test routine and also adjust the setting on the number of pages to mirror.

Vulnerability Detection Result:
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/Default.aspx (__VIEWSTATE [/wEPDwUKMjA5NTM4ODIyM2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCWJ0blN1Ym1pdNEpbLWanoVbqK5Ie869aFbfxNEe] txtLogin [] txtPassword [] btnSubmit [] __EVENTVALIDATION [/wEWBALz2dacBQKG87HkBgK1qbSRCwLCi9reA1LIc4ZiFdqfwrKYt5jOrNlidpaE] )

Log Method:
Details: Web mirroring (OID: 1.3.6.1.4.1.25623.1.0.10662)
Version used: $Revision: 2837 $
Issue
----
NVT:    Directory Scanner
OID:    1.3.6.1.4.1.25623.1.0.11032
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This plugin attempts to determine the presence of various common directories on the remote web server.

Vulnerability Detection Result:
The following directories were discovered:
/old

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.

The following directories require authentication:
/printers

Log Method:
Details: Directory Scanner (OID: 1.3.6.1.4.1.25623.1.0.11032)
Version used: $Revision: 2837 $

References:
Other: OWASP:OWASP-CM-006
Issue
----
NVT:    HTTP TRACE
OID:    1.3.6.1.4.1.25623.1.0.11040
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
Transparent or reverse HTTP proxies may be implemented on some sites.

Vulnerability Detection Result:
The TRACE method revealed 99 proxy(s) between us and the web server:
1. ? - Microsoft-IIS/5.1
...
99. ? - Microsoft-IIS/5.1

Note: every "proxy" listed carries the target's own Server banner and the traceroute in this scan shows a direct path to 172.16.112.20, so this is the NVT misreading the IIS 5.1 TRACE echo, not 99 intermediate proxies. The actionable point is the same as in the "http TRACE XSS attack" finding: TRACE is enabled.

Log Method:
Details: HTTP TRACE (OID: 1.3.6.1.4.1.25623.1.0.11040)
Version used: $Revision: 3395 $
Issue
----
NVT:    Directories used for CGI Scanning
OID:    1.3.6.1.4.1.25623.1.0.111038
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
The script prints out the directories which are used when CGI scanning is enabled.

Vulnerability Detection Result:
The following directories are used for CGI scanning:
http://172.16.112.20/scripts
http://172.16.112.20/cgi-bin
http://172.16.112.20/old
http://172.16.112.20/

Log Method:
Details: Directories used for CGI Scanning (OID: 1.3.6.1.4.1.25623.1.0.111038)
Version used: $Revision: 3092 $
Issue
----
NVT:    Nikto (NASL wrapper)
OID:    1.3.6.1.4.1.25623.1.0.14260
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This plugin uses nikto(1) to find weak CGI scripts and other known issues regarding web server security. See the preferences section for configuration options.

Vulnerability Detection Result:
Here is the Nikto report:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.112.20
+ Target Hostname:    172.16.112.20
+ Target Port:        80
+ Start Time:         2016-06-22 07:35:01 (GMT0)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.1
+ Retrieved x-aspnet-version header: 2.0.50727
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved dasl header:
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: DAV
+ Uncommon header 'ms-author-via' found, with contents: DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH LOCK MKCOL UNLOCK SEARCH COPY PROPFIND listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://172.16.112.20/
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ Cookie ASPSESSIONIDAQCACDBA created without the httponly flag
+ OSVDB-3092: /old/: This might be interesting...
+ OSVDB-3092: /localstart.asp: This may be interesting...
+ OSVDB-3092: /iishelp/iis/misc/default.asp: Default IIS page found.
+ /portal/changelog: Vignette richtext HTML editor changelog found.
+ 8495 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time:           2016-06-22 07:35:38 (GMT0) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Log Method:
Details: Nikto (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.14260)
Version used: $Revision: 2837 $
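The Nikto output above, the "http TRACE XSS attack" finding and the "HTTP TRACE" log entry all rest on two observations: the Allow/Public headers advertise write-capable WebDAV verbs, and TRACE echoes the request back. The following is an added example, not code from the report or from Nikto, that makes both checks explicit so they can be re-run during remediation. Because the report's target is not reachable from here, the block embeds a constructed mock (`MockIIS51`) that replays the Allow header Nikto recorded and echoes TRACE the way IIS does; `audit_methods` is the part you would point at a real host and port.

```python
"""Added example (not from the report): audit HTTP verbs and the TRACE/TRACK
echo behind the XST finding, against a constructed mock of the IIS 5.1
responses recorded for 172.16.112.20."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Verbs that let a client write, move or delete content, or echo requests.
RISKY = {"TRACE", "TRACK", "PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Copied from the Nikto output above; the mock advertises exactly this list.
ALLOW = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
         "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH")


class MockIIS51(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: advertises the recorded verbs and
    echoes TRACE. TRACK is deliberately left out, so the base class answers 501."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", ALLOW)
        self.send_header("Public", ALLOW)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):  # echoing the request line and headers is what XST abuses
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass


def _probe(host, port, method, headers=None):
    """One request on a fresh connection; returns (status, Allow header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/", headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", ""), resp.read().decode(errors="replace")
    finally:
        conn.close()


def audit_methods(host, port):
    """Parse OPTIONS, then prove TRACE/TRACK echo by planting a random header
    value and looking for it in the response body (the XST precondition)."""
    canary = "xst-" + secrets.token_hex(8)
    _, allow, _ = _probe(host, port, "OPTIONS")
    allowed = {m.strip().upper() for m in allow.split(",") if m.strip()}
    result = {"allowed": sorted(allowed), "risky": sorted(allowed & RISKY)}
    for verb in ("TRACE", "TRACK"):
        status, _, body = _probe(host, port, verb, {"X-Canary": canary})
        result[f"{verb.lower()}_echo"] = status == 200 and canary in body
    return result


def run_demo():
    """Start the mock on an ephemeral loopback port, audit it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), MockIIS51)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_methods(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The canary matters: a 200 to TRACE alone is not proof, some front ends answer 200 with an empty body, whereas finding your own random header value echoed back is exactly the behaviour a cross-site tracing attack needs. Against the mock, `risky` contains DELETE, PUT, MOVE, COPY, MKCOL, PROPPATCH and TRACE, `trace_echo` is true and `track_echo` is false; the real target additionally answered TRACK, per Nikto.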
Issue
----
NVT:    wapiti (NASL wrapper)
OID:    1.3.6.1.4.1.25623.1.0.80110
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This plugin uses wapiti to find web security issues. Make sure to have wapiti 2.x, as wapiti 1.x is not supported. See the preferences section for wapiti options. Note that OpenVAS uses a limited set of wapiti options; for a more complete web assessment, use the standalone wapiti tool for deeper or customized checks.

Vulnerability Detection Result:
wapiti report filename is empty. That could mean that the wrong version of wapiti is used or the tmp dir is not accessible. Make sure to have wapiti 2.x, as wapiti 1.x is not supported.
In short: check the installation of wapiti and OpenVAS.

Log Method:
Details: wapiti (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.80110)
Version used: $Revision: 3207 $
Issue
----
NVT:    Microsoft IIS Webserver Version Detection
OID:    1.3.6.1.4.1.25623.1.0.900710
Threat: Log (CVSS: 0.0)
Port:   80/tcp

Summary:
This script detects the installed MS IIS Webserver and stores the result in the KB.

Vulnerability Detection Result:
Detected Microsoft IIS Webserver
Version: 5.1
Location: 80/tcp
CPE: cpe:/a:microsoft:iis:5.1
Concluded from version identification result: IIS/5.1

Log Method:
Details: Microsoft IIS Webserver Version Detection (OID: 1.3.6.1.4.1.25623.1.0.900710)
Version used: $Revision: 2711 $
Issue
----
NVT:    SMB on port 445
OID:    1.3.6.1.4.1.25623.1.0.11011
Threat: Log (CVSS: 0.0)
Port:   139/tcp

Summary:
This script detects whether ports 445 and 139 are open and whether they are running SMB servers.

Vulnerability Detection Result:
An SMB server is running on this port

Log Method:
Details: SMB on port 445 (OID: 1.3.6.1.4.1.25623.1.0.11011)
Version used: $Revision: 2837 $
Issue
----
NVT:    Services
OID:    1.3.6.1.4.1.25623.1.0.10330
Threat: Log (CVSS: 0.0)
Port:   443/tcp

Summary:
This routine attempts to guess which service is running on the remote ports. For instance, it searches for a web server which could listen on a port other than 80 or 443 and makes this information available for other check routines.

Vulnerability Detection Result:
An unknown service is running on this port.
It is usually reserved for HTTPS

Log Method:
Details: Services (OID: 1.3.6.1.4.1.25623.1.0.10330)
Version used: $Revision: 3210 $
Issue
----
NVT:    Identify unknown services with nmap
OID:    1.3.6.1.4.1.25623.1.0.66286
Threat: Log (CVSS: 0.0)
Port:   443/tcp

Summary:
This plugin performs service detection by launching nmap's service probe against ports running unidentified services.
Description: This plugin is a complement of find_service.nasl. It launches nmap -sV (probe requests) against ports that are running unidentified services.

Vulnerability Detection Result:
Nmap service detection result for this port: https
This is a guess. A confident identification of the service was not possible.

Log Method:
Details: Identify unknown services with nmap (OID: 1.3.6.1.4.1.25623.1.0.66286)
Version used: $Revision: 2752 $
Issue
----
NVT:    SMB NativeLanMan
OID:    1.3.6.1.4.1.25623.1.0.102011
Threat: Log (CVSS: 0.0)
Port:   445/tcp

Summary:
It is possible to extract OS, domain and SMB server information from the Session Setup AndX Response packet which is generated during NTLM authentication.

Vulnerability Detection Result:
Detected SMB workgroup: WORKGROUP
Detected SMB server: Windows 2000 LAN Manager
Detected OS: Windows 5.1

Log Method:
Details: SMB NativeLanMan (OID: 1.3.6.1.4.1.25623.1.0.102011)
Version used: $Revision: 3462 $
Issue
----
NVT:    SMB on port 445
OID:    1.3.6.1.4.1.25623.1.0.11011
Threat: Log (CVSS: 0.0)
Port:   445/tcp

Summary:
This script detects whether ports 445 and 139 are open and whether they are running SMB servers.

Vulnerability Detection Result:
A CIFS server is running on this port

Log Method:
Details: SMB on port 445 (OID: 1.3.6.1.4.1.25623.1.0.11011)
Version used: $Revision: 2837 $
Issue
----
NVT:    Microsoft SMB Signing Disabled
OID:    1.3.6.1.4.1.25623.1.0.802726
Threat: Log (CVSS: 0.0)
Port:   445/tcp

Summary:
Checks whether SMB signing is disabled. The script logs in via SMB and checks the SMB Negotiate Protocol response to confirm that SMB signing is disabled.

Vulnerability Detection Result:
SMB signing is disabled on this host

Log Method:
Details: Microsoft SMB Signing Disabled (OID: 1.3.6.1.4.1.25623.1.0.802726)
Version used: $Revision: 2576 $
Issue
----
NVT:    Identify unknown services with nmap
OID:    1.3.6.1.4.1.25623.1.0.66286
Threat: Log (CVSS: 0.0)
Port:   1025/tcp

Summary:
This plugin performs service detection by launching nmap's service probe against ports running unidentified services.
Description: This plugin is a complement of find_service.nasl. It launches nmap -sV (probe requests) against ports that are running unidentified services.

Vulnerability Detection Result:
Nmap service detection result for this port: msrpc

Log Method:
Details: Identify unknown services with nmap (OID: 1.3.6.1.4.1.25623.1.0.66286)
Version used: $Revision: 2752 $
StarDotStar 79
Appendix F Windows XP Hashes
Windows 2003 Hashes
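As an added example (not part of the report or of any tool the team used), a small Python audit that parses pwdump-format lines like those in this appendix and flags the two storage conditions a defender most wants surfaced: accounts whose NT hash is the hash of the empty string (blank password) and accounts that still have an LM hash stored. The sample dump and its non-empty hash values are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Hash of the empty string in each scheme; both values appear in the report's Guest entries.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

ISSUE_BLANK = "blank password (NT hash of empty string)"
ISSUE_LM = "LM hash stored (LM hashing still enabled; password is 14 chars or shorter)"

# pwdump format: user:RID:LM-hash:NT-hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one pwdump line, or None if it is not one."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "rid": int(m["rid"]),
            "lm": m["lm"].lower(), "nt": m["nt"].lower()}

def audit_dump(text: str) -> Dict[str, List[str]]:
    """Map each account with a weak storage condition to its list of issues."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip headings, "Cracked!" annotations and garbled lines
        issues = []
        if rec["nt"] == EMPTY_NT:
            issues.append(ISSUE_BLANK)
        if rec["lm"] != EMPTY_LM:
            issues.append(ISSUE_LM)
        if issues:
            findings[rec["user"]] = issues
    return findings

# Constructed sample; the non-empty hash values are placeholders, not from any host.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1010:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
dbadmin:1011:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Cracked! (*blank no password*)
"""

if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {'; '.join(issues)}")
```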
Windows Web App Database Dump
| userid | middle_name | username | password | last_name | first_name
| 1 | admin | admin | s3cr3t | admin | admin
| 2 | boy | jsmith | password | smith | john
| 3 | johnson | rjohnson | 31337 | james | robert
Note: Both Windows servers were hosting the same databases and web apps.
Ubuntu (pWnOS) Web App Database Dump
| user_id | pass | email | active | last_name | first_name | user_level | registration_date
| 1 | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | [email protected] | NULL | Privett | Dan | 0 | 5/7/2011 17:27