Network Management (CEN166) Project Presentation By Matthew Utin


Transcript of Network Management (CEN166) Project Presentation By Matthew Utin

Page 1: Network Management (CEN166) Project Presentation By Matthew Utin

Penetration testing the Payland Mining Co. network and attached workstations

By Matthew Utin Date: 28/01/15

Page 2:

Introduction

Why the role of penetration testing for this client?

• The company, Payland Mining Co, wants to check how secure the network and attached workstations within its offices are.

What will be tested?

• Wireless access points

• The full network.

• Attached workstations.

Page 3:

Requirements

• Setting up a safe area to pen test.

• Notification to employees that testing is in progress.

• A Linux machine, e.g. Kali Linux or Ubuntu Linux, for performing tests.

• Penetration testing tools.

• Penetration test the Wi-Fi (Outside network)

• Penetration test the inner network (Inside network)

• Penetration test the workstations (Inside network)

• Give information on fixes that can be implemented after the tests have been completed.

• Word processing software to write up the end report.

Page 4:

Payland Mining Co's background

• Payland Mining Co is the country's leading exporter of RARANIUM, diamonds and other precious materials.

• The table below shows the layout of the sites.

Site One:
• Server
• WAP network
• Router/Wi-Fi
• 50 workstations

Site Two:
• Backup server, e.g. RAID
• WAP network
• Router/Wi-Fi
• 10 workstations

Site Three:
• Backup server, e.g. RAID
• WAP network
• Router/Wi-Fi
• 5 workstations

Page 5:

The penetration testing strategy

• An attacker scenario is going to be used to demonstrate what it takes to compromise the network and systems; this will show whether the system is secure or not.

• So the attacker would start from the outside and work inwards to gain access to the inner network, following the attack steps shown in the diagram:

1. Wi-Fi

2. Network

3. Workstation

Page 6:

Risk strategy

To cover the risks of performing a penetration test, for example the network going down after a test is performed, some measures will be put in place to prevent any unforeseen circumstances from occurring. The measures are shown below:

• A message given to the employees of the company that there will be testing on the network at a certain time, so they can prepare for any unexpected event that may arise.

• Tell the network/system administrators to create a backup of the server before the tests start.

Page 7:

Penetration testing analysis structure

So how will the data be presented after the analysis of the Payland Mining Co's systems and networks has been completed?

Payland Mining Co will be notified about the network tests and will be given a table of changes that could be made within the network.

The main structure that is used is below:

• Risk report on vulnerabilities found.

• Report on any problems that came up during the testing.

• Report on improvements that can be made to the network.

• Report on workstation improvements.

Page 8:

Wi-Fi security

This penetration test will test the wireless access points to see how secure they are, using the scenario of what an attacker would do to gain access to the network.

The main tools that are going to be used for this set of tests are:

• Aircrack-ng, used to capture data packets from the wireless network; these are then cracked to recover the key and gain access to the inner network.

• MacChanger, used to change the MAC address of the attacker's machine; this is a must for hiding the identity of the attacker.

Page 9:

Wi-Fi security – Mac Changer

• The first step is to change the MAC address of the attacker's computer, i.e. the penetration testing machine, so that the attacker is harder to trace. This is done in keeping with the attacker scenario.

• The next slide shows a screenshot of the changed MAC address.

Page 10:

Wi-Fi security – Mac Changer

Image. [1]. MAC Changer.

Page 11:

Wi-Fi security – Wireless penetration test

• As you saw in image [1], the MAC address has now been changed, so the wireless tests can begin.

• The next stage is to start a program called Aircrack-ng; this will be used to collect packets from the targeted wireless access point, to be cracked later.

Page 12:

Wi-Fi security – Wireless penetration test

• As seen in image [2] above, the Payland Mining Co's network has been found but is using the insecure encryption algorithm WEP.

• The next stage is to collect the network's packets and try to brute force the password, using Aircrack-ng's own rainbow tables of common passwords.

Image. [2]. Aircrack-ng

Page 13:

Wi-Fi security – Wireless penetration test

• As seen in image [3] above, the Payland Mining Co's Wi-Fi is using a very weak password, without numbers or upper-case letters.

Image. [3]. Aircrack-ng cracking
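As an added example (not part of the presentation), the check a defender would run to catch the two findings on this slide before an attacker does: it rates each access point from scan output in the colon-separated form of `nmcli -t -f SSID,SECURITY dev wifi` and tests a passphrase against a simple policy. The SSIDs, modes and passphrases are constructed.

```python
"""Wi-Fi configuration audit: added example, not part of the presentation.

Rates each access point from scan output in the colon-separated shape of
`nmcli -t -f SSID,SECURITY dev wifi` (the sample lines are constructed) and
checks a passphrase against a policy covering the findings on this slide:
WEP in use, and a password with no digits or upper-case letters.
"""
import re

# Ordered weakest first; open and WEP networks are treated as broken.
RATINGS = {
    "": "critical: open network, no encryption",
    "WEP": "critical: WEP is broken, replace with WPA2/WPA3",
    "WPA1": "high: WPA1 (TKIP) is deprecated",
    "WPA2": "ok: WPA2, provided the passphrase is strong",
    "WPA3": "ok: WPA3",
}

def rate_security(security_field: str) -> str:
    """Map an nmcli SECURITY field (e.g. 'WPA1 WPA2', 'WEP', '') to a rating.

    nmcli lists every mode the AP advertises; a client can be pushed to the
    weakest one, so the weakest advertised mode decides the rating.
    """
    modes = [m for m in security_field.split() if m in RATINGS]
    if not modes:
        return RATINGS[""] if security_field.strip() == "" else "unknown"
    order = list(RATINGS)  # dict order is weakest first
    return RATINGS[min(modes, key=order.index)]

def audit_scan(lines):
    """Return {ssid: rating} for each 'SSID:SECURITY' line in nmcli -t form."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        # nmcli terse mode escapes ':' inside a field as '\:'; split on the real one.
        parts = re.split(r"(?<!\\):", line, maxsplit=1)
        ssid = parts[0].replace(r"\:", ":")
        security = parts[1] if len(parts) > 1 else ""
        findings[ssid] = rate_security(security)
    return findings

def passphrase_problems(passphrase: str, min_len: int = 12):
    """List policy violations for a WPA2 passphrase (empty list = acceptable)."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digits")
    if not any(c.isupper() for c in passphrase):
        problems.append("no upper-case letters")
    if passphrase.isalpha() and passphrase.islower():
        problems.append("single lower-case word, found by a wordlist")
    return problems

# Constructed sample scan output; the SSIDs and modes are invented.
SAMPLE_SCAN = [
    "Payland-Office:WEP",
    "Payland-Guest:",
    "Payland-Corp:WPA1 WPA2",
    "Site3-Backup:WPA2",
]

if __name__ == "__main__":
    for ssid, rating in audit_scan(SAMPLE_SCAN).items():
        print(f"{ssid:16} {rating}")
    print("payland ->", passphrase_problems("payland"))
```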

Page 14:

Network security

Having gained access to the network by breaking into the wireless router, the network testing can begin. These tests will be split into two parts, showing the steps needed to collect information about the network and what sort of data is currently running on it.

Test 1 - Network Reconnaissance and Footprinting

Test 2 - Network Man-in-the-middle attack (MITMA)

Page 15:

Network security - Network Reconnaissance and Footprinting

• The first task is to find out what is currently connected to the network, and whether the systems are secure with all unused ports locked down.

• The tool used for this test is "Zenmap", the GUI version of "Nmap"; it scans the network to find what is attached to it and what the connected machines or devices are running.

Page 16:

Network security - Network Reconnaissance and Footprinting

As seen from Image [4] below, Zenmap has been run and has found a number of open ports.

• The NetBIOS port is open.

• The system is possibly Windows XP SP2.

• IP address of a possible target: 172.16.0.105

Image. [4]. Showing the Zenmap scan.
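As an added example (not part of the presentation), the triage a defender would run over the Zenmap/Nmap results on this slide: it parses Nmap's grepable (-oG) output and flags the open NetBIOS/SMB ports and the end-of-life Windows XP host. The host lines are constructed in the -oG shape; 172.16.0.105 is the workstation from the slides, and a router at 172.16.0.1 is an assumption.

```python
"""Exposure triage for Zenmap/Nmap results: added example, not from the
presentation. Parses Nmap grepable (-oG) output and flags the exposures this
slide reports: open NetBIOS/SMB ports and an end-of-life Windows XP host.
SAMPLE_OG is constructed in the -oG shape; 172.16.0.105 is the workstation
from the slides and the router at 172.16.0.1 is an assumption."""

# Services that should not be reachable from an untrusted segment such as Wi-Fi.
RISKY_PORTS = {
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    3389: "Remote Desktop",
}
# OS families that no longer receive security patches.
EOL_OS = ("Windows XP", "Windows 2000", "Windows Server 2003")

def parse_grepable(text: str) -> dict:
    """Return {ip: {"ports": [(port, proto, service)], "os": str}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # -oG host lines are tab-separated "Key: value" fields.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"ports": [], "os": ""})
        for spec in fields.get("Ports", "").split(", "):
            parts = spec.strip().split("/")
            # port/state/proto/owner/service/rpcinfo/version/ ; keep open ports only
            if len(parts) >= 5 and parts[1] == "open":
                entry["ports"].append((int(parts[0]), parts[2], parts[4]))
        if fields.get("OS"):
            entry["os"] = fields["OS"]
    return hosts

def triage(hosts: dict) -> dict:
    """Return {ip: [finding, ...]}; hosts with no exposure are left out."""
    report = {}
    for ip, entry in hosts.items():
        findings = []
        for port, proto, service in entry["ports"]:
            if port in RISKY_PORTS:
                label = service or RISKY_PORTS[port]
                findings.append(f"{port}/{proto} ({label}) open: block at the firewall")
        if any(name in entry["os"] for name in EOL_OS):
            findings.append(f"end-of-life OS: {entry['os']}: upgrade or isolate")
        if findings:
            report[ip] = findings
    return report

# Constructed sample; not output from the presentation's scan.
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 172.16.0.105 ()\tStatus: Up\n"
    "Host: 172.16.0.105 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (996)"
    "\tOS: Microsoft Windows XP SP2\n"
    "Host: 172.16.0.1 ()\tPorts: 80/open/tcp//http///, 53/open/udp//domain///"
    "\tOS: Linux 2.6.X\n"
)

def run_sample() -> dict:
    return triage(parse_grepable(SAMPLE_OG))

if __name__ == "__main__":
    for ip, findings in run_sample().items():
        print(ip)
        for f in findings:
            print("  -", f)
```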

Page 17:

Network security - Network Reconnaissance and Footprinting

Image [5] shows the host's network location relative to the router.

Image. [5]. Showing the network location.

Page 18:

Network security - Network Reconnaissance and Footprinting

Image [6] below is an overview of the full Zenmap scan, also showing its accuracy.

Image. [6]. Showing the Zenmap scan overview.

Page 19:

Network security - Network Reconnaissance and Footprinting

Image [7] below is a screenshot of the Payland workstation that is now the targeted victim.

Image. [7]. Screenshot of the workstation. IP: 172.16.0.105.

• This shows that Zenmap was correct in identifying the system.

• Now that a workstation has been found, it's time to start the MITMA.

Page 20:

Network security - Network Man-in-the-middle attack

• The man-in-the-middle attack using ARP poisoning will test how secure the network itself is and whether it is locked down, e.g. using static ARP table entries to stop ARP spoofing on the network; if so, this should also be implemented on all connected workstations to prevent this type of attack.

• The first step of this attack is to run SSL strip; this will be used to strip HTTPS from the victim's connections so that only the insecure HTTP protocol is used. You can see SSL strip running in Image [8].

Image [8]. Showing SSL Strip running.

Page 21:

Network security - Network Man-in-the-middle attack

• Now the tool Ettercap is used to start the ARP poisoning on the network and sniff the data from the Payland Co network.

Image [9]. Showing Ettercap running on wlan0.

Image [10]. ARP poisoning has been started against the workstation. IP: 172.16.0.105.

Page 22:

Network security - Network Man-in-the-middle attack

• Now that the MITMA has started, the data from Ettercap needs to be put into a more readable form, as Ettercap only outputs the data to the terminal. To do this, the tool Xplico is used to collect the data from Ettercap.

Image [11]. Creating a session on Xplico to capture the data sent from Ettercap.

Page 23:

Network security - Network Man-in-the-middle attack

• As you can see from image [12], Xplico has been started and will now be waiting for incoming data packets.

Image [12]. Awaiting data packets.

Page 24:

Network security - Network Man-in-the-middle attack

• Now the Payland Mining Co's workstation, i.e. the victim machine, is used to generate data by doing a quick web search.

Image [13]. Workstation performing a web search.

Page 25:

Network security - Network Man-in-the-middle attack

• As seen in image [14], Xplico has now started to receive data from the Ettercap captured session, i.e. the simple web search shown on the previous slide.

Image [14]. Showing collected Data.

Page 26:

Network security - Network Man-in-the-middle attack

• This is the image tab within Xplico, showing the images that were searched for from the Payland workstation.

Image [15]. Showing image collected Data.

Page 27:

Network security - Network Man-in-the-middle attack

• The two images below show the different types of network data that can be filtered and collected by Ettercap; this can then be used to get more information about the activity on the Payland workstation.

Image [16]. Showing URLs that were searched. Image [17]. Showing the workstation's connections.

Page 28:

Network security - Network Man-in-the-middle attack

• So what has been found in this test?

• The network has no static ARP table set up. This would have prevented ARP poisoning.

• There is no software on the user's machine that detects unwanted network activity and lets the user know something is wrong.
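As an added example (not part of the presentation), a defender-side implementation of the two fixes these findings call for: static ARP entries for hosts that must not move, and an ARP guard that watches live ARP replies and alerts when a known IP is claimed by a different MAC. The gateway address 172.16.0.1 and every MAC are assumptions; 172.16.0.105 is the workstation from the slides; the ARP events are constructed.

```python
"""ARP guard: added example, not part of the presentation.

Records the IP-to-MAC binding each ARP reply claims, pins the gateway's
binding the way a static ARP entry would, and alerts when a reply claims an
already-known IP with a different MAC. The gateway 172.16.0.1 and all MACs
are assumptions; 172.16.0.105 is the workstation from the slides. Events are
constructed; a real deployment would feed them from a packet capture.
"""
from collections import namedtuple
from dataclasses import dataclass, field

# One decoded ARP packet: opcode 1 = who-has (request), 2 = is-at (reply).
ArpEvent = namedtuple("ArpEvent", "opcode sender_ip sender_mac target_ip")

@dataclass
class ArpGuard:
    gateway_ip: str
    pinned: dict = field(default_factory=dict)   # static bindings, never relearned
    learned: dict = field(default_factory=dict)  # first binding seen per IP
    seen: set = field(default_factory=set)       # every (ip, mac) pair claimed
    alerts: list = field(default_factory=list)

    def pin(self, ip: str, mac: str) -> None:
        """Equivalent of a static ARP entry for a host that must not move."""
        self.pinned[ip] = mac.lower()

    def observe(self, ev: ArpEvent) -> bool:
        """Process one ARP packet; return True if it raised an alert."""
        if ev.opcode != 2:      # only is-at replies carry a binding claim
            return False
        mac = ev.sender_mac.lower()
        self.seen.add((ev.sender_ip, mac))
        expected = self.pinned.get(ev.sender_ip) or self.learned.get(ev.sender_ip)
        if expected is None:
            self.learned[ev.sender_ip] = mac
            return False
        if mac == expected:
            return False
        # A second MAC claiming the gateway is the classic ARP-poisoning sign.
        severity = "critical" if ev.sender_ip == self.gateway_ip else "warning"
        self.alerts.append(f"{severity}: {ev.sender_ip} moved from {expected} to {mac}")
        return True

    def macs_claiming_many_ips(self) -> dict:
        """MACs that have claimed more than one IP; an attacker poisoning both
        the gateway and the victim shows up here."""
        by_mac = {}
        for ip, mac in self.seen:
            by_mac.setdefault(mac, []).append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

def run_sample():
    """Replay a constructed poisoning sequence; returns (alerts, suspicious MACs)."""
    guard = ArpGuard(gateway_ip="172.16.0.1")
    guard.pin("172.16.0.1", "aa:aa:aa:aa:aa:01")   # router's real MAC (assumed)
    events = [
        ArpEvent(2, "172.16.0.1", "aa:aa:aa:aa:aa:01", "172.16.0.105"),  # genuine
        ArpEvent(2, "172.16.0.105", "aa:aa:aa:aa:aa:05", "172.16.0.1"),  # genuine
        ArpEvent(1, "172.16.0.50", "de:ad:be:ef:00:01", "172.16.0.1"),   # request, ignored
        ArpEvent(2, "172.16.0.1", "de:ad:be:ef:00:01", "172.16.0.105"),  # spoofed gateway
        ArpEvent(2, "172.16.0.105", "de:ad:be:ef:00:01", "172.16.0.1"),  # spoofed victim
    ]
    for ev in events:
        guard.observe(ev)
    return guard.alerts, guard.macs_claiming_many_ips()

if __name__ == "__main__":
    alerts, suspicious = run_sample()
    print("\n".join(alerts))
    print(suspicious)
```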

Page 29:

Workstation (System) security

• The next stage is to test the workstation, now that access to the network has been gained by breaking into the Wi-Fi router.

• This will be done by testing some known exploits on the Windows XP SP2 system; the tool used to perform this is called "Metasploit", which executes exploits on the Windows system from its vast attack library.

• The exploit to be tested to gain access to the system is called "MS08-067". This vulnerability allows remote code execution and also works on Windows XP Service Pack 3 if it has not been manually patched by the system owner. For more information about this exploit see references [34] and [35].

Page 30:

Workstation (System) security

• This is a screenshot of the Payland Mining Co's workstation; as you can see, there is a file named "Important document.txt" that the user has left on the desktop. This is unsafe, and the data is also unencrypted.

Image [18]. Workstation desktop.

Page 31:

Workstation (System) security

• Now let's start a penetration test on the system to see if it has been manually patched for the "MS08-067" vulnerability. This will be done by starting the tool Metasploit and using the exploit.

Image [19]. Metasploit starting up.

Page 32:

Workstation (System) security

• As seen from the bottom image, Metasploit was successful in executing its payload and gaining access to the system!

Image [20]. Metasploit executed its payload on the workstation. IP Address: 172.16.0.105.

• Now let's find that insecure file and read its data.

Page 33:

Workstation (System) security

• As you can see, Important document.txt has been found. To view the contents of this file, you would use the Windows type command.

• But this only works if the file name has no spaces; to get around this, the Windows "ren" (rename) command was used to change the name to one word, e.g. "importantdocument.txt", as Linux had a problem passing the double quotes "" when using the type command.

Image [21]. File found.

Image [22]. File contents.

Page 34:

Workstation (System) security

• Now the attacker can be given full system privileges and can then read the system processes, as seen in the images below.

Image [23]. Getting full system privileges. Image [24]. System processes.

Page 35:

Workstation (System) security

The end results of the system tests.

• The system is not fully patched and updated; the system is vulnerable.

• No anti-virus program running on the system.

• No software firewall running.

• Discontinued operating system.

• Storing sensitive files on the user desktop, also unencrypted.

Page 36:

Results – Wi-Fi security

Type: Wi-Fi security

Tests performed: 1. Wireless cracking

Results:
Test (1) Poor encryption algorithm, e.g. the use of WEP [32]. A very weak password, without numbers or upper-case letters.

Recommended fix:
Use a more secure encryption algorithm [15]. Could use a RADIUS server for login details.

Page 37:

Results – Network security

Type: Network security

Tests performed:
1. Network Reconnaissance and Footprinting
2. Network Man-in-the-middle attack

Results:
Test (1) Un-updated and unpatched system, running Windows XP SP2. The NetBIOS port is open, as are some other ports; this is insecure and could be exploited in a hacking attempt.
Test (2) The network has no static ARP table set up. There is no user software that shows when unwanted network activity is happening and lets the user know something is wrong. No firewall running on the system or network.

Recommended fix:
Lock down unused ports. Could use some sort of ARP guard that analyses live network traffic [23]. Could do with some firewall protection [10]. Could also use a VPN to tunnel a secure internet connection, to encapsulate and encrypt all of the network data.

Page 38:

Results – Workstation (System) security

Type: Workstation (System) security

Tests performed: 1. Exploiting system vulnerabilities

Results:
Test (1) The system is not patched or updated. Using an out-of-date operating system. No anti-virus running.

Recommended fix:
The system needs to be fully patched and updated. Needs an anti-virus program running on the system. The system needs a software firewall [7]. The operating system needs an update to a newer version of Windows. Taking up a user policy so private data is secure, e.g. not storing sensitive files on the user desktop. Taking up ISO 27001 certification [36].

Page 39:

Any Questions?

Page 40:

Log File.

Page 41:

References

[1]. CHIANG, J.T., J.J. HAAS, YIH-CHUN HU, P.R. KUMAR and J. CHOI, 2009. Fundamental Limits on Secure Clock Synchronization and Man-In-The-Middle Detection in Fixed Wireless Networks. INFOCOM 2009, IEEE, 1962-1970.

[2]. GLASS, S.M., V. MUTHUKKUMARASAMY and M. PORTMANN, 2009. Detecting Man-in-the-Middle and Wormhole Attacks in Wireless Mesh Networks. Advanced Information Networking and Applications, 2009. AINA '09. International Conference on, 530-538.

[3]. TRABELSI, Z. and K. SHUAIB, 2006. NIS04-4: Man in the Middle Intrusion Detection. Global Telecommunications Conference, 2006. GLOBECOM '06. IEEE, 1-6.

[4]. ATAULLAH, M. and N. CHAUHAN, 2012. ES-ARP: An efficient and secure Address Resolution Protocol. Electrical, Electronics and Computer Science (SCEECS), 2012 IEEE Students' Conference on, 1-5.

[5]. SALIM, H., Z. LI, H. TU and Z. GUO, 2012. Preventing ARP Spoofing Attacks through Gratuitous Decision Packet. Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, 295-300.

Page 42:

References (continued)

[6]. PANDEY, P., 2013. Prevention of ARP spoofing: A probe packet based technique. Advance Computing Conference (IACC), 2013 IEEE 3rd International, 147-153.

[7]. GUANGJIA, S. and J. ZHENZHOU, 2013. Review of Address Resolution Process Attacks and Prevention Research. Instrumentation, Measurement, Computer, Communication and Control (IMCCC), 2013 Third International Conference on, 994-998.

[8]. CALLEGATI, F., W. CERRONI and M. RAMILLI, 2009. Man-in-the-Middle Attack to the HTTPS Protocol. Security & Privacy, IEEE 7(1), 78-81.

[9]. JANBEGLOU, M., M. ZAMANI and S. IBRAHIM, 2010. Redirecting network traffic toward a fake DNS server on a LAN. Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on 2, 429-433.

[10]. BELENGUER, J. and C.T. CALAFATE, 2007. A low-cost embedded IDS to monitor and prevent Man-in-the-Middle attacks on wired LAN environments. Emerging Security Information, Systems, and Technologies, 2007. SecureWare 2007. The International Conference on, 122-127.

[11]. FAYYAZ, F. and H. RASHEED, 2012. Using JPCAP to Prevent Man-in-the-Middle Attacks in a Local Area Network Environment. Potentials, IEEE 31(4), 35-37.

Page 43:

References (continued)

[12]. KIRAVUO, T., M. SARELA and J. MANNER, 2013. A Survey of Ethernet LAN Security. Communications Surveys & Tutorials, IEEE 15(3), 1477-1491.

[13]. MOHAMMED, L.A. and B. ISSAC, 2005. DoS attacks and defence mechanisms in wireless networks. Mobile Technology, Applications and Systems, 2005 2nd International Conference on, 8 pp.

[14]. KOWALSKI, M.B., K.D. BERTOLINO and S. BASAGNI, 2006. Hack Boston: Monitoring Wireless Security Awareness in an Urban Setting. Electrical and Computer Engineering, 2006. CCECE '06. Canadian Conference on, 1308-1311.

[15]. ZHANG, L., J. YU, Z. DENG and R. ZHANG, 2012. The security analysis of WPA encryption in wireless network. Consumer Electronics, Communications and Networks (CECNet), 2012 2nd International Conference on, 1563-1567.

[16]. HUNT, R. and S. ZEADALLY, 2012. Network Forensics: An Analysis of Techniques, Tools, and Trends. Computer 45(12), 36-43.

[17]. GHANEM, W.A.H.M. and B. BELATON, 2013. Improving accuracy of applications fingerprinting on local networks using NMAP-AMAP-ETTERCAP as a hybrid framework. Control System, Computing and Engineering (ICCSCE), 2013 IEEE International Conference on, 403-407.

Page 44:

References (continued)

[18]. KOCHER, J.E. and D.P. GILLIAM, 2005. Self-port scanning tool: providing a more secure computing environment through the use of proactive port scanning. Enabling Technologies: Infrastructure for Collaborative Enterprise, 2005. 14th IEEE International Workshops on, 139-143.

[19]. LIMMANEEWICHID, P. and W. LILAKIATSAKUN, 2011. The cryptographic trailer based authentication scheme for ARP. Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON), 2011 8th International Conference on, 280-283.

[20]. FAN, H., Y. DONG, M. YU and L. TUNG, 2013. Security Threats against the Communication Networks for Traffic Control Systems. Systems, Man, and Cybernetics (SMC), 2013 IEEE International Conference on, 4783-4788.

[21]. BIN, M.N., K.A. JALIL and J.-A. MANAN, 2012. An enhanced remote authentication scheme to mitigate man-in-the-browser attacks. Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on, 271-276.

[22]. YANG, Y., K. MCLAUGHLIN, T. LITTLER, S. SEZER, G.I. EUL, Z.Q. YAO, B. PRANGGONO and H.F. WANG, 2012. Man-in-the-middle attack test-bed investigating cyber-security vulnerabilities in Smart Grid SCADA systems. Sustainable Power Generation and Supply (SUPERGEN 2012), International Conference on, 1-8.

Page 45:

References (continued)

[23]. SHIKHA, V. KAUSHIK and S. GAUTAM, 2013. Wireless LAN (WLAN) spoofing detection methods - Analysis and the victim Silent case. Signal Processing and Communication (ICSC), 2013 International Conference on, 155-160.

[24]. Aircrack-ng.org, (2014). Aircrack-ng. [online] Available at: http://www.aircrack-ng.org/ [Accessed 30 Oct. 2014].

[25]. Nmap.org, (2014). Nmap - Free Security Scanner For Network Exploration & Security Audits. [online] Available at: http://nmap.org/ [Accessed 30 Oct. 2014].

[26]. Kali.org, (2014). Kali Linux is an open source project that is maintained and funded by Offensive Security. [online] Available at: http://www.kali.org/ [Accessed 30 Oct. 2014].

[27]. Linux.com, (2012). Linux.com | The source for Linux information. [online] Available at: http://www.linux.com/ [Accessed 30 Oct. 2014].

[28]. Lifehacker UK, (2012). How to Crack a Wi-Fi Network's WPA Password with Reaver. [online] Available at: http://www.lifehacker.co.uk/2012/01/09/crack-wi-fi-networks-wpa-password-reaver [Accessed 30 Oct. 2014].

Page 46:

References (continued)

[29]. Pen-testing.sans.org, (2013). SANS Penetration Testing | Nmap Cheat Sheet 1.0 | SANS Institute. [online] Available at: http://pen-testing.sans.org/blog/pen-testing/2013/10/08/nmap-cheat-sheet-1-0 [Accessed 30 Oct. 2014].

[30]. Dalziel, H. (2013). Top ten penetration testing tools. [online] Concise-courses.com. Available at: http://www.concise-courses.com/security/top-ten-pentesting-tools/ [Accessed 30 Oct. 2014].

[31]. IFSEC Global, (2012). Negligent WiFi Brits at serious risk of ID theft - IFSEC Global. [online] Available at: http://www.ifsecglobal.com/negligent-wifi-brits-at-serious-risk-of-id-theft/ [Accessed 25 Jan. 2015].

[32]. Jackson, M. (2013). Study Finds 36% of WiFi Hotspots in London are Completely Unsecured - ISPreview UK. [online] Ispreview.co.uk. Available at: http://www.ispreview.co.uk/index.php/2013/08/study-finds-36-wifi-hotspots-london-completely-unsecured.html [Accessed 25 Jan. 2015].

[33]. Graphs.net, (2014). Graphs, Infographics. [online] Available at: http://graphs.net/wifi-stats.html [Accessed 25 Jan. 2015].

https://wiki.archlinux.org/index.php/MAC_address_spoofing

Page 47:

References (continued)

[34]. Technet.microsoft.com, (2008). Microsoft Security Bulletin MS08-067 - Critical. [online] Available at: https://technet.microsoft.com/en-us/library/security/ms08-067.aspx [Accessed 25 Jan. 2015].

[35]. Rapid7.com, (2014). CVE-2008-4250 MS08-067 Microsoft Server Service Relative Path Stack Corruption | Rapid7. [online] Available at: http://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi [Accessed 25 Jan. 2015].

[36]. Iso.org, (2014). ISO 27001 - Information Security Management. [online] Available at: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm [Accessed 18 Feb. 2015].