Securities Report

BBT INC.

Eric Gibson Jr, Joseph Pavlik, Rajani Gunda

R.E.J. 4/26/2012

Vulnerability Assessment & Penetration Test Report


Table of Contents

1 - EXECUTIVE SUMMARY ... 3
1.1 - Project Objective ... 3
1.2 - Scope ... 4
1.3 - Target Systems ... 4
1.4 - Network Testing Methodology ... 5
1.5 - Tools ... 5
1.6 - Network Diagram ... 6
1.7 - Network Diagram (DNS Resolution) ... 7
1.8 - Network Vulnerability Assessment (Authenticated) ... 8
1.9 - Network Vulnerability Assessment (Unauthenticated) ... 8

2 - FINDINGS
2.1 - 70.61.60.122
2.1.1 - Target Analysis ... 9
2.1.2 - Vulnerabilities ... 9
2.2 - 70.61.60.125
2.2.1 - Target Analysis ... 10-11
2.2.2 - Vulnerabilities ... 10-11
2.3 - 70.61.60.123
2.3.1 - Target Analysis ... 12
2.3.2 - Vulnerabilities ... 12
2.4 - 70.61.60.124
2.4.1 - Target Analysis ... 13
2.4.2 - Vulnerabilities ... 13
2.5 - 70.61.60.126
2.5.1 - Target Analysis ... 14
2.5.2 - Vulnerabilities ... 14

3 - RECOMMENDATIONS
3.1 - Software ... 15
3.2 - 70.61.60.122 ... 16
3.3 - 70.61.60.125 ... 16-17

4 - CONCLUSION ... 18

5 - PENETRATION TESTING LOG ... 19-20

R.E.J. | BBT Penetration Test 2012 2


1.0 - Executive Summary

BBT, Inc. requested the services of R.E.J. to conduct their bi-annual penetration testing. This executive summary contains the results of the penetration test (PENTEST) that was performed during the period of April 5th 2012 through May 1st 2012.

This report contains confidential information surrounding the amount of security risk within the BBT, Inc. network infrastructure.

At the request of BBT Inc., R.E.J. analysts have conducted authorized reconnaissance, network mapping and vulnerability testing in an effort to report findings to BBT, Inc. The results are intended to be an overall assessment of the conditions at the time of testing and do not necessarily reflect current conditions.

1.1 Project Objective

The objective of BBT Inc.’s network assessment is to determine the overall security of the network by analyzing all IPs given to R.E.J. analysts. For testing, R.E.J. analysts performed a number of tests as authenticated users (with supplied log-in credentials) as well as unauthenticated users.


1.2 Scope

Attack Systems
Description | IP Address

Target Environment (include any 3rd party systems/networks – written permission must have been obtained in advance by the target organization)
Description | IP Address(es) | Scan?
 | 70.61.60.122-126 | Yes

Assessment Type
Will any part of the assessment be performed against a live production environment? YES

Assessment Timeline: May 1st 2012
List any black-out dates or times: April 3rd 2012, April 4th 2012

Is this a “black box” vulnerability scan? NO - Greybox
If not, what are the approved login credentials for an authenticated scan? Both (ask on April 17th); Local Admin accounts

Testing Techniques
Ping sweep of network ranges: YES
Dangerous/Unsafe checks allowed: YES
Internal reconnaissance activities requested: YES
External reconnaissance activities requested: YES

Governance
What is the policy regarding viewing data (including potentially sensitive/confidential data)? Notify of any sensitive information found.
Will target organization personnel observe the testing team? NO

1.3 Target Systems

Target Environment (include any 3rd party systems/networks – written permission must have been obtained in advance by the target organization)
Description | IP Address(es) | Scan?
 | 70.61.60.122 | Yes
 | 70.61.60.123 | Yes
 | 70.61.60.124 | Yes
 | 70.61.60.125 | Yes
 | 70.61.60.126 | Yes


1.4 Network Testing Methodology

1. Conduct reconnaissance
2. Scanning & enumeration
3. Identify all points of access within the network infrastructure
4. Report findings
5. Present recommendations

The following diagram illustrates the process used for performing the network assessment:

1.5 Tools

Activity | Tool
Port Scanning & Footprinting | Nmap, Netcat, google
Web Application Enumeration |
Vulnerability Assessment | Nessus, Qualys
Network Penetration Test | HydraGTK, Metasploit, Cain & Abel, Medusa
Vulnerability Research & Verification | www.metasploit.com, cve.mitre.org, www.uscert.gov


1.6 Network Diagram

[Diagram: hosts 70.61.60.121, 70.61.60.122, 70.61.60.123, 70.61.60.124, 70.61.60.125 and 70.61.60.126, all connected to the Internet]


1.7 Network Diagram (DNS Resolution)

[Diagram: the hosts below, with their resolved DNS names, connected to the Internet]

70.61.60.122 | rrcs-70-61-60-122.central.biz.rr.com
70.61.60.123 |
70.61.60.124 |
70.61.60.125 | rrcs-70-61-60-125.central.biz.rr.com
70.61.60.126 | rrcs-70-61-60-126.central.biz.rr.com
70.61.60.121 |


1.8 Network Vulnerability Assessment - Authenticated

Nessus Network Scan
1 Critical vulnerability was discovered
1 High vulnerability was discovered
3 Medium vulnerabilities were discovered
1 Low vulnerability was discovered

Qualys Application Scan
7 Application Vulnerabilities

1.9 Network Vulnerability Assessment - Unauthenticated

Nessus Network Scan
1 Critical vulnerability was discovered
1 High vulnerability was discovered
3 Medium vulnerabilities were discovered
1 Low vulnerability was discovered

Qualys Application Scan
7 Application Vulnerabilities


2.0 - FINDINGS

2.1 Target IP: 70.61.60.122

Operating System: Linux (Backtrack)
Total Open Ports: 9

Attacks Attempted

HydraGTK: Brute force attack used to gain access to the ssh server. This program uses a password list to guess the username and password and manually tries combinations to gain access to the machine. Our attempts were unsuccessful.

Medusa: Another brute force attack used to gain access to the ssh server. This program also uses a password list to guess the username and password and manually tries combinations to gain access to the machine. Our attempts were unsuccessful.

DoS Attack: We were able to find a Denial of Service Exploit that coincided with the version of OpenSSH this server was running. This exploit was called “OpenSSH <= 4.3 p1 (Duplicate Block) Remote Denial of Service Exploit.” Our attempts were questionable. We received an IP “cookie” but were unclear of the next steps.

Vulnerabilities

Port 22
Synopsis: The remote service offers an insecure cryptographic protocol.
Description: The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol.
Risk Factor: Medium

Port 22
Synopsis: The remote service uses the default username for authentication.
Description: The remote service utilizes the default username ‘root’ for authentication. A remote user can login as the root user to the SSH server.
Risk Factor: Medium


2.2 Target IP: 70.61.60.125

Operating System: Windows
Total Open Ports: 4

Attacks Attempted

MS12-020: We attempted to exploit the recently discovered vulnerability in Microsoft RDP using RDPKill and a python script found in the Exploit Database. The exploit appeared successful. We could not connect to the server after running the attack. The server may have gone down or denied access to us at that point.

Vulnerabilities

Port 69
Synopsis: The remote host has probably been compromised.
Description: A TFTP server is running on this port. However, while trying to fetch "/etc/passwd", we got an MS executable file. Many worms are known to propagate through TFTP. This is probably a backdoor.
Risk Factor: Critical

Port 3389
Synopsis: The remote Windows host could allow arbitrary code execution.
Description: An arbitrary remote code execution vulnerability exists in the implementation of the Remote Desktop Protocol (RDP) on the remote Windows host. The vulnerability is due to the way that RDP accesses an object in memory that has been improperly initialized or has been deleted. If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this vulnerability to cause the system to execute arbitrary code by sending a sequence of specially crafted RDP packets to it. This plugin also checks for a denial of service vulnerability in Microsoft Terminal Server. Note that this script does not detect the vulnerability if the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting is enabled or the security layer is set to 'SSL (TLS 1.0)' on the remote host.
Risk Factor: High

Port 3389
Synopsis: It may be possible to get access to the remote host.
Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.
Risk Factor: Medium

Port 3389
Synopsis: The remote host is using weak cryptography.
Description: The remote Terminal Services service is not configured to use strong cryptography. Using weak cryptography with this service may allow an attacker to eavesdrop on the communications more easily and obtain screenshots and/or keystrokes.
Risk Factor: Medium

Port 3389
Synopsis: The remote host is not FIPS-140 compliant.
Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.
Risk Factor: Low

Software Vulnerabilities (Authenticated Scan)
Windows Firewall – Disabled
Windows XP Professional Service Pack 1 - Support retired
Internet Explorer 6.0.2800.1106 – Insecure Version
Adobe Flash Player 10.0.22.87 – Insecure Version
Adobe Reader 9.3.0.148 – Insecure Version
Windows Media Player 9.0.0.2980 – Insecure Version
Apple QuickTime 6.5.1.0 – Insecure Version


2.3 Target IP: 70.61.60.123

Operating System: N/A
Total Open Ports: 5

Vulnerabilities
N/A


2.4 Target IP: 70.61.60.124

Operating System: N/A
Total Open Ports: 6

Vulnerabilities
N/A


2.5 Target IP: 70.61.60.126

Operating System: N/A
Total Open Ports: 7

Attacks Attempted

VNC: At one point during our reconnaissance, we found that a port running VNC was open. However, after returning to the server we could not get consistent Nmap scans because the server appeared to go down several times. We need to investigate more at a future time to establish which VNC service was running. We have several exploits waiting to run pending more information.

Vulnerabilities
N/A


3.0 - RECOMMENDATIONS

Software Recommendations

During target analysis of host 70.61.60.126, there were a number of applications that pose a risk to the machine and could make it possible for an attacker to compromise the host via the insecure application. Below is a list of the insecure applications, complete with recommendations on how to resolve each issue.

Windows Firewall – Disabled
Recommendation: Enable the Windows firewall on the host machine.

Windows XP Professional Service Pack 1 - Support retired
Recommendation: Install Windows 7 and perform all MS required updates.

Internet Explorer 6.0.2800.1106 – Insecure Version
Recommendation: Upgrade the IE browser to the latest compatible version, which is 9.0.

Adobe Flash Player 10.0.22.87 – Insecure Version
Recommendation: Upgrade to the latest Flash Player version, which is 11.2.

Adobe Reader 9.3.0.148 – Insecure Version
Recommendation: Upgrade to the latest Adobe Reader X version, 10.1.2.

Windows Media Player 9.0.0.2980 – Insecure Version
Recommendation: Upgrade to the latest Windows Media Player, which is version 12.0.

Apple QuickTime 6.5.1.0 – Insecure Version
Recommendation: Upgrade to the latest QuickTime version, which is 7.7.1.


Host-Specific Recommendations

Target IP: 70.61.60.122

Port 22: Medium
Attack: The remote service offers an insecure cryptographic protocol.
Recommendation: Disable compatibility with version 1 of the protocol.

Port 22: Medium
Attack: The remote service utilizes the default username ‘root’ for authentication. A remote user can login as the root user to the SSH server.
Recommendation: Many brute force attacks use the ‘root’ username to try to gain access to the target host machine. Disable remote login as the root user. Before disabling this option, you may want to set up another account with root privileges.
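Both port-22 recommendations come down to two sshd_config keywords, Protocol and PermitRootLogin. As an added example (not part of the R.E.J. report), the Python script below parses an sshd_config with sshd's first-occurrence-wins semantics and reports whether a host would still trigger either finding; the two configuration files and the pre-5.4 OpenSSH defaults it falls back on are constructed assumptions, not values taken from the page.

```python
import re

# Constructed sshd_config matching the two port-22 findings on 70.61.60.122
# (SSH protocol 1 still offered, direct root login allowed). Not from the page.
WEAK_SSHD_CONFIG = """
Port 22
Protocol 2,1          # still offers version 1
PermitRootLogin yes   # root may log in directly
PasswordAuthentication yes
"""

# The same file after the report's two recommendations are applied.
HARDENED_SSHD_CONFIG = """
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8   # conditional block, outside the global audit
    PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Effective global keyword -> value map: sshd honours the FIRST occurrence
    of a keyword, keywords are case-insensitive, '#' starts a comment, and
    everything after the first 'Match' line is conditional (audit stops there)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)   # first occurrence wins
    return effective

def audit_sshd_config(text, pre_5_4_defaults=True):
    """Map the effective config to the report's two medium findings.
    pre_5_4_defaults assumes OpenSSH older than 5.4 (the report names OpenSSH
    <= 4.3), where unset Protocol is '2,1' and unset PermitRootLogin is 'yes'."""
    cfg = parse_sshd_config(text)
    protocol = cfg.get("protocol", "2,1" if pre_5_4_defaults else "2")
    root_login = cfg.get("permitrootlogin", "yes" if pre_5_4_defaults else "no")
    findings = []
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append("Port 22 (Medium): SSH protocol version 1 enabled; set 'Protocol 2'")
    if root_login.lower() == "yes":
        findings.append("Port 22 (Medium): direct root login permitted; set 'PermitRootLogin no'")
    return findings
```

Running the audit over the hardened file returns no findings, which is the state the recommendations above aim for.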

Target IP: 70.61.60.125

Port 69: Critical
Attack: The remote host is compromised. TFTP backdoor detection.
Recommendation: TFTP uses UDP on port 69. Since TFTP is insecure and should never be used across the Internet anyway, that is a compelling reason to block egressing UDP traffic on that port.

Port 3389: High
Attack: The remote Windows host could allow arbitrary code execution.
Recommendation: Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing. Block TCP port 3389 at the network perimeter. Disable the Terminal Services, Remote Desktop, Remote Assistance, and Windows Small Business Server 2003 Remote Web Workplace features if not required. Enable Network Level Authentication on systems running supported versions of Windows: Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Port 3389: Medium
Attack: The remote host is using weak cryptography. Terminal Services encryption level is medium.
Recommendation: Administrators of Windows 2000 servers and Windows XP servers who have enabled Remote Desktop should apply the patch. Blocking port 3389 at the firewall would also protect against this attack.

Port 3389: Medium
Attack: It may be possible to get access to the remote host.
Recommendation: Force the use of SSL as a transport layer for this service if supported, and/or select the “Allow connections only from computers running Remote Desktop with Network Level Authentication” setting if it is available.


Port 3389: Low
Attack: The remote host is not FIPS-140 compliant.
Recommendation: Change the RDP encryption level to 4 (FIPS Compliant).
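The three port-3389 configuration fixes above (require Network Level Authentication, force the SSL security layer, raise the encryption level to FIPS) all live in the RDP-Tcp listener key of the registry. As an added example, not from the report, the Python script below audits a `reg export` of that key against those recommendations; the two .reg exports are constructed, and the value meanings are taken from Windows documentation rather than from the page.

```python
import re

# Constructed `reg export` of the RDP-Tcp listener key on a host that would
# trigger the report's port-3389 configuration findings (NLA off, legacy RDP
# security layer, "Client Compatible" encryption). Not taken from the page.
WEAK_RDP_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000000
"MinEncryptionLevel"=dword:00000002
"""

# The same key after the report's recommendations are applied.
HARDENED_RDP_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000001
"SecurityLayer"=dword:00000002
"MinEncryptionLevel"=dword:00000004
"""

RDP_TCP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

def parse_reg_dwords(text, key_path):
    """Return {value_name: int} for the REG_DWORD values under key_path."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # [HKEY_...] section header
            in_key = line.strip("[]").lower() == key_path.lower()
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)  # hex string -> int
    return values

# Value meanings (assumed from Windows documentation, not from the page):
#   UserAuthentication  0 = NLA off, 1 = NLA required
#   SecurityLayer       0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS
#   MinEncryptionLevel  1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
# A missing value is treated as not hardened. Group Policy (HKLM\SOFTWARE\
# Policies\Microsoft\Windows NT\Terminal Services) overrides these values.
def audit_rdp_listener(reg_text):
    """Map RDP-Tcp settings to the report's port-3389 findings and fixes."""
    v = parse_reg_dwords(reg_text, RDP_TCP_KEY)
    findings = []
    if v.get("UserAuthentication", 0) != 1:
        findings.append("Medium: NLA not required; clients cannot validate the server (MiTM)")
    if v.get("SecurityLayer", 0) != 2:
        findings.append("Medium: security layer is not SSL/TLS; force SSL")
    if v.get("MinEncryptionLevel", 0) < 3:
        findings.append("Medium: weak RDP encryption level; raise it to High or FIPS")
    if v.get("MinEncryptionLevel", 0) < 4:
        findings.append("Low: encryption level is not FIPS-140 compliant; set it to 4")
    return findings
```

On domain-joined hosts, check the Group Policy key named in the comments as well, since a policy value silently wins over the listener key.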


4.0 - Conclusion

Outlined above you will see several security issues that could have devastating impacts for your company if exploited. A few of the risks are critical and severe; these should be addressed in a timely manner. Other risks are not as severe, but should be looked into nonetheless. If the issues are confronted, your company should see a substantial increase in security.

That said, an organization’s information and confidentiality is imperative to its success and survival. Several policies should be put into place to maintain your company’s data integrity and security. Security flaws will continue to develop as exploits are discovered. With this in mind, your company should continue to make improvements and policies to address future issues.

We have enjoyed working with BBT to evaluate your information technology security. If there should be any questions or you require further information, please contact any of the agents that worked with your company.


5.0 – Penetration Testing Log

Target | Date | Attempt | Result | Other Information | Analyst
70.61.60.122 | 5-Apr | Nessus Scan | Host Up | 9 Ports up - Vulnerabilities found | EGJ
70.61.60.123 | 5-Apr | Nessus Scan | Host Down | 5 Ports up | EGJ
70.61.60.124 | 5-Apr | Nessus Scan | Host Down | 6 Ports up | EGJ
70.61.60.125 | 5-Apr | Nessus Scan | Host Up | 4 Ports up - Vulnerabilities found | EGJ
70.61.60.126 | 5-Apr | Nessus Scan | Host Up | 7 Ports up - Vulnerabilities found | EGJ
70.61.60.122 | 5-Apr | Nmap Scan | Host Up | 9 Ports up | EGJ
70.61.60.123 | 5-Apr | Nmap Scan | Host Down | 5 Ports up | EGJ
70.61.60.124 | 5-Apr | Nmap Scan | Host Down | 6 Ports up | EGJ
70.61.60.125 | 5-Apr | Nmap Scan | Host Up | 4 Ports up | EGJ
70.61.60.126 | 5-Apr | Nmap Scan | Host Up | 7 Ports up | EGJ
70.61.60.122 | 10-Apr | HydraGTK Brute Force Attack | Unsuccessful | need to put together a better password list file | EGJ, JP, RG
70.61.60.122 | 10-Apr | Nessus Scan | Host Up | 9 Ports up - Vulnerabilities found | RG
70.61.60.123 | 10-Apr | Nessus Scan | Host Down | 5 Ports up | RG
70.61.60.124 | 10-Apr | Nessus Scan | Host Down | 6 Ports up | RG
70.61.60.125 | 10-Apr | Nessus Scan | Host Up | 4 Ports up - Vulnerabilities found | RG
70.61.60.126 | 10-Apr | Nessus Scan | Host Up | 7 Ports up - Vulnerabilities found | RG
70.61.60.122 | 10-Apr | Nmap Scan | Host Up | 9 Ports up | RG
70.61.60.123 | 10-Apr | Nmap Scan | Host Down | 5 Ports up | RG
70.61.60.124 | 10-Apr | Nmap Scan | Host Down | 6 Ports up | RG
70.61.60.125 | 10-Apr | Nmap Scan | Host Up | 4 Ports up | EGJ
70.61.60.126 | 10-Apr | Nmap Scan | Host Up | 7 Ports up | EGJ
70.61.60.122 | 17-Apr | RDPKill Exploit | Successful | Can no longer connect to server | JP
70.61.60.122 | 17-Apr | Medusa Brute Force Attack | Unsuccessful | Used new password list | EGJ
70.61.60.125 | 17-Apr | Qualys Scan | Successful | 7 Vulnerabilities found | EGJ
70.61.60.125 | 24-Apr | Cain & Abel Exploit | Unsuccessful | | JP
70.61.60.122 | 24-Apr | DoS Exploit | Unsuccessful | Next steps unknown | JP
70.61.60.122 | 24-Apr | Nessus Scan | Successful | Final scan - 9 ports up | EGJ, RG
70.61.60.123 | 24-Apr | Nessus Scan | Successful | Final scan - 5 ports up | EGJ, RG
70.61.60.124 | 24-Apr | Nessus Scan | Successful | Final scan - 6 ports up | EGJ, RG
70.61.60.125 | 24-Apr | Nessus Scan | Successful | Final scan - 4 ports up | EGJ, RG
70.61.60.126 | 24-Apr | Nessus Scan | Successful | Final scan - 7 ports up | EGJ, RG
