16/07/2020
Melnichenko Ilya Alexandrovich 1984
Penetration test
A commercial and industrial company needed to check how effective its cyber security was and to assess the economic losses it would suffer in the event of a hacker attack. The company was about to deploy web applications and wanted to provide the necessary level of protection. A penetration test was chosen for this purpose: it allows realistic conclusions to be drawn about how vulnerable the company's IT infrastructure actually is.
In this case a comprehensive test was conducted, consisting of a technical test and social engineering. The technical test included an external and an internal penetration test.
The purpose of the external test was to penetrate the organization's local network from the Internet and to objectively assess the system's resistance to external attacks. A further goal was to check the security level of the web applications the company was about to publish on the Internet. The goal of the internal test was to obtain the highest possible level of privileges in the company's IT infrastructure.
In conducting the penetration test we used our own methodology, taking into account the approaches of the leading standards. The penetration tester acted within the law.
The list of all attacked nodes and of the checks performed was coordinated with the representative of the customer company.
External test
Following an analysis of the infrastructure scope together with the customer, the detailed parameters of the external penetration test were agreed, including the "grey box" and "black box" modes.
A list of targets was also agreed: the services and web applications exposed on the Internet. The customer's website and web applications were analysed against the OWASP Top 10.
The following vulnerabilities were found using automated tools and manual methods:
• SQL injection. An unsuccessful design decision in the web applications that interact with the database made SQL injection possible; it was found, exploited, and used to obtain private information from the database.
• Cross-Site Scripting. Several vulnerabilities were identified that allow an attack on the user's session: by means of cross-site scripting an attacker could intercept the user's session ID and perform various actions in the application on behalf of that user's session.
• Direct links to objects. Links to database entries were found through which an attacker could include a file from their own server and execute arbitrary code on the victim's server.
• Default web server configuration. CGI scripts installed by the default settings and not used by the website were discovered; an attacker could have launched them to gain access to the system.
• Errors in the code of one of the web applications.
• Vulnerabilities related to incorrect configuration of authentication and authorization. Among them were the ability to enumerate registered users, to carry out attacks on users' passwords, and to gain unauthorized access to files uploaded by other users. To enumerate the user IDs of web applications that use domain authentication, the Autodiscover service was used: during authorization in a web application, if the ID exists in the system the server's response time does not exceed a threshold value, so valid IDs can be distinguished from invalid ones. The vulnerability CVE-2018-15473 in an outdated version of OpenSSH was also used.
Weak passwords were another security flaw: simple dictionary passwords were identified, such as passwords in the [month-Year] format typed in the Latin layout, default passwords, and passwords made up of neighbouring keys. Having obtained the password for one domain account, the penetration tester was able to determine the IDs of the other users: it was enough to download the Offline Address Book containing users' email addresses. It was also possible to use the remote access services and execute OS commands. Once an attacker has access to email, they can read confidential correspondence and send emails on behalf of any of the company's users.
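The weak-password patterns listed above can be rejected at password-change time. The following checker is an added example, not part of the report; the month names, the default-password list and the 12-character minimum are constructed assumptions.

```python
import re

# Added example (not from the report): flags the weak-password patterns the
# report lists: month-year combinations, known default passwords, and runs of
# neighbouring keyboard keys. Month names, DEFAULT_PASSWORDS and the minimum
# length are constructed assumptions for illustration.

# Matches e.g. "March-2020", "Jan2019", "december_2018" (full or abbreviated month).
MONTH_YEAR = re.compile(
    r"^(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*[-_ .]?(?:19|20)\d{2}$",
    re.IGNORECASE)

# Assumed default-credential list; a real policy would load a maintained list.
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "123456", "changeme"}

# QWERTY rows; a run of MIN_RUN characters that follows a row (in either
# direction) is a keyboard walk such as "qwer" or "lkjh".
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_RUN = 4
MIN_LENGTH = 12


def is_keyboard_walk(pw, min_run=MIN_RUN):
    """True if pw contains min_run or more keys that are adjacent on one QWERTY row."""
    s = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in s:
                    return True
    return False


def weak_password_reasons(pw):
    """Return the list of weaknesses found in pw; an empty list means it passed."""
    reasons = []
    if MONTH_YEAR.match(pw):
        reasons.append("month-year")
    if pw.lower() in DEFAULT_PASSWORDS:
        reasons.append("default")
    if is_keyboard_walk(pw):
        reasons.append("keyboard-walk")
    if len(pw) < MIN_LENGTH:
        reasons.append("too-short")
    return reasons
```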
The lack of multi-factor authentication was shown to be an information security threat. Insecure authorization in the web application allowed the content of the administrator profile to be changed: by replacing the administrator's email address with their own and using the standard password recovery procedure, an attacker gains access to the application with administrator rights.
Authentication flaws were also found in the web application, in the form of an incorrectly configured limit on the number of failed authentication attempts. Exploiting this vulnerability makes it easier for a fraudster to gain access to a user or administrator account.
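The two authentication weaknesses above (valid IDs revealed by response time, and an ineffective failed-attempt limit) are both fixed by the login routine below. It is an added example, not the customer's application code; the user store, the PBKDF2 parameters and the limit of five attempts are constructed assumptions.

```python
import hashlib
import hmac
import os

# Added example (not from the report): a login routine that does the same
# password-hashing work whether or not the user ID exists, so response time no
# longer reveals valid IDs, and that enforces a per-account failed-attempt limit.
# The user store, ITERATIONS and MAX_FAILED are constructed assumptions.

ITERATIONS = 100_000
MAX_FAILED = 5


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    def __init__(self):
        self.users = {}      # user_id -> (salt, hash)
        self.failed = {}     # user_id -> consecutive failed attempts (known users only)
        # Dummy credentials verified for unknown IDs, so the hashing work (and
        # therefore the response time) is the same whether the ID exists or not.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)
        self.hash_calls = 0  # instrumentation for the example only

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def login_naive(self, user_id, password):
        """The flawed pattern: the early return leaks valid IDs via timing; no lockout."""
        if user_id not in self.users:
            return False
        salt, expected = self.users[user_id]
        return hmac.compare_digest(hash_password(password, salt), expected)

    def login(self, user_id, password):
        """Return True only for a correct password on a known, unlocked account."""
        known = user_id in self.users
        salt, expected = self.users[user_id] if known else (self._dummy_salt, self._dummy_hash)
        self.hash_calls += 1
        candidate = hash_password(password, salt)   # always performed, known ID or not
        locked = self.failed.get(user_id, 0) >= MAX_FAILED
        ok = known and not locked and hmac.compare_digest(candidate, expected)
        if known:  # no counter for unknown IDs, so lockout state cannot enumerate them
            self.failed[user_id] = 0 if ok else self.failed.get(user_id, 0) + 1
        return ok
```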
During the check, malicious links were also identified on the official website, along with web shells on the resources of the network perimeter. This indicates that attacks had already been carried out and that hackers had the ability to control the infrastructure.
Internal test
Attacks were modelled on the data link layer protocols STP, VTP, CDP and ARP. Testing showed that layer 2 of the OSI model had not been included in the security plan.
An attempt to change the operation of STP and affect network traffic was successfully modelled. The Address Resolution Protocol (ARP) attack simulation demonstrated interception of the traffic of one of the LAN devices and access to confidential information. Simulating an attack on the Cisco Discovery Protocol (CDP) revealed the links between the connected devices and yielded sufficient information about them. As a result, the following types of threat can be realised through successful attacks: denial of service of system resources, unauthorized access to network segments, disruption of the network and its segments, and spoofing.
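The ARP interception described above leaves a visible trace: the same IP address suddenly answers from a different MAC address. The monitor below is an added example, not the tester's tooling; the frames, MAC and IP addresses it processes are constructed sample data, not captured traffic.

```python
import struct

# Added example (not from the report): a minimal ARP monitor that parses raw
# Ethernet/ARP frames and alerts when an IP address changes the MAC it is
# claimed by. All frames and addresses below are constructed sample data.

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet frame carrying an ARP reply (sample data for the monitor)."""
    eth = ETH_HDR.pack(mac(target_mac), mac(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, mac(sender_mac), ip(sender_ip),
                       mac(target_mac), ip(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) for an ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return oper, fmt_mac(sha), fmt_ip(spa)

def detect_arp_spoofing(frames):
    """Return alerts for IPs whose claimed MAC changes between ARP replies."""
    seen = {}      # ip -> first MAC that claimed it
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sender_mac, sender_ip = parsed
        if sender_ip in seen and seen[sender_ip] != sender_mac:
            alerts.append(f"{sender_ip} moved from {seen[sender_ip]} to {sender_mac}")
        seen.setdefault(sender_ip, sender_mac)
    return alerts

SAMPLE_FRAMES = [  # constructed: two legitimate gateway replies, then a spoofed one
    build_arp_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10"),
    build_arp_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:02", "192.168.1.11"),
    build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10"),
]
```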
During the penetration test, attacks were used to obtain credentials, together with actions in systems that allow unauthorized access or the required data to be gained.
For example, by making a dump of the lsass.exe process in Windows, one can later use this dump to recover the OS user credentials of the attacked node. Requests were also made to the domain controller, local administrator passwords were obtained from LAPS, and other actions were performed. The antivirus protection systems installed on workstations and servers did not prevent the creation of process dumps or the launch of specialized utilities such as secretsdump.
During testing, weak passwords were detected on active network hardware, and in this way unauthorized access to the network hardware was simulated.
Further vulnerabilities were found, such as deficiencies in the processes for event monitoring and security incident response (lack of intrusion prevention measures and incident recovery), configuration management flaws (uncontrolled test and guest nodes in the corporate domain), and automatic proxy detection being enabled for software.
The identified vulnerabilities, encountered on the way to obtaining full control over the victim's infrastructure, were shown to be capable of leading to the realisation of significant business risks.
During the penetration test, the exploitation of some vulnerabilities was skipped in order to prevent damage to the customer's infrastructure.
Testing using social engineering methods
In contrast to a real attack, where the attackers' goal is to penetrate the internal infrastructure and obtain confidential information, during testing using social engineering it was important to find out how users react to a particular attack. To do this, target groups of users were selected and testing methods were defined for each group.
In the course of testing, mail messages were sent out on behalf of anonymous users and of the customer's employees. They contained links to web resources where executable code was supposed to be located, executable code in the body of the message, requests to change passwords, requests to forward passwords or personal information, and so on. In the workplace, employees were selectively checked for compliance with the "clean desk" policy (records with passwords, confidential documentation and personal gadgets left on office desks). Calls were also made to company employees on behalf of IT and information security personnel with requests to change a password or send confidential documents.
Test results
Based on the results of the penetration test, a report was compiled containing the testing methodology, an overall assessment of the infrastructure's security level, all identified vulnerabilities in the cyber security system, a description of the testing process, and recommendations for eliminating the identified vulnerabilities.
The Common Vulnerability Scoring System (CVSS) was used to evaluate the criticality of the identified vulnerabilities; it allows the test results to be evaluated on the basis of various qualitative and quantitative criteria.
The penetration test showed that the customer's level of information security is low. The customer received the necessary information about the vulnerabilities and recommendations on how to strengthen the security of the company's IT infrastructure.