Network Penetration Testing Results - CSI World Headquarters

aurorabelly, Networks and Communications

21 Nov 2013







To: Company, Manager of Network Operations

Re: Network Penetration Testing Results






Dear ,

Thank you for choosing Service Provider to conduct a “Full System Knowledge” network security assessment. As requested in the Security Scanning Authorization Agreement Exhibit A, our security assessment services were conducted against the following networks & systems between START DATE and END DATE:

Los Angeles   192.168.0.0/24
Boston        192.168.0.0/24
Atlanta       192.168.0.0/24
Dallas        192.168.0.0/24
New York      192.168.0.0/24
Chicago       192.168.0.0/24




EXECUTIVE SUMMARY

Security assessment services provided by Service Provider included Network Scanning, Exploit Planning, and Penetration Testing of Customer Company data networks with the ultimate goal of identifying security related vulnerabilities on the networks. The findings in this report represent the state of the network security at the time the testing assessment was provided.



RECOMMENDATIONS

By requesting Security Assessment Services, Customer Company management and network administrators have demonstrated a commitment to improving network security. A continued commitment to an enhanced security posture will increase Customer Company’s confidence in the security of its data. The following general changes are recommended to improve network security:

- Remove all desktop dial-in modems and provide users with secure, monitored dial-in access through a centralized modem pool.

- Disable all services that are not required to perform a device's stated task.

- Implement password selection and control to minimize the hazards of poor or nonexistent passwords. Train users and system administrators on proper password usage for a secure operating environment.

- Change default configurations as appropriate for each system. See the Detailed Vulnerability Appendix for specific recommendations.

- Install appropriate tools to facilitate automation of security monitoring, intrusion detection, and recurring network vulnerability assessment.

- Use the RFC 1918 nonroutable address block 172.16.0.0 for the internal networks. RFC 1918 addresses are designated as "internal only" addresses and cannot be routed across the Internet.

- Conduct extensive employee training in methods to limit, detect and report social engineering.

Experience has shown that a focused effort to address the problems outlined in this report can result in dramatic security improvements. Most of the identified problems do not require high-tech solutions, just knowledge of and commitment to good practices.

For systems to remain secure, however, security posture must be evaluated and improved continuously. Establishing the organizational structure that will support these ongoing improvements is essential in order to maintain control of corporate information systems.



SCOPE

The purpose of a “Full System Knowledge” Network Security Assessment is to identify vulnerabilities in an enterprise's network assets. The assessment can identify routers, switches, firewalls, hubs, print and file servers, and hosts. It can also identify operating systems and network services running on identified network devices. This information constitutes an effective electronic map from which the user can easily base exploitation to confirm vulnerabilities and should therefore be protected accordingly.

For the address spaces analyzed, Service Provider discovered a total of 12 live hosts. The following section summarizes live hosts, potentially vulnerable hosts, and confirmed vulnerable hosts:

During the Host Discovery phase, the Service Provider Network Security Assessment gathers information on all reachable hosts on the scanned address spaces, including responding ports, detected services, and operating systems. The Security Assessment uses active and passive analysis techniques, including comparing this data against a current set of rules to determine potential vulnerabilities.

The system information compiled in this section provides details on the security state of Customer Company's network environment.

NOTE: Exploitation attempts can fail for a variety of reasons:

- A particular vulnerability may not be present
- Network delays
- Unforeseen equipment and software configurations
- Packet filtering and reactive firewalling anomalies

Despite the risk factor rating or a failure to exploit a vulnerability, the fundamental vulnerability may still exist. For this reason, Service Provider strongly advises that even low risk factor vulnerabilities be treated with the same seriousness as serious or high risk factor vulnerabilities.


HOST SPECIFIC FINDINGS

Many of the vulnerabilities listed below will include a CVE (Common Vulnerabilities and Exposures) or BID (Bugtraq ID) reference number which can be researched online at the following URLs.

CVE reference numbers can be looked up online at: http://www.cve.mitre.org/cve/refs/refkey.html

BID references can be looked up online at: http://www.securityfocus.com/bid/bugtraqid/


Host: 192.168.0.1

Service: general/udp

It was possible to crash the remote server using the Linux 'zero fragment' bug. An attacker may use this flaw to prevent your network from working properly.

Solution : If the remote host is a Linux server, then install a newer kernel (2.2.4). If it is not, then contact your vendor for a patch.

Risk factor : High
CVE : CAN-1999-0431
BID : 2247



Service: ntp (123/udp)

It is possible to determine a lot of information about the remote host by querying the NTP variables; these include the OS descriptor and time settings. Theoretically one could work out the NTP peer relationships and track back network settings from this.

Quickfix : Set NTP to restrict default access to ignore all info packets.

Risk factor : Low
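A small audit for the NTP finding above, added here as an example and not part of the report: for ntpd, "ignore all info packets" means putting the noquery flag on the default restrict line, and the function below checks a configuration file for exactly that. The file names and both sample ntp.conf contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the report: audit an ntp.conf for the finding above.
# ntpd answers ntpq/ntpdc variable queries (readvar, peers, sysinfo) unless the
# matching "restrict" line carries the "noquery" flag, so "ignore all info
# packets" means putting noquery on the default restriction. Sample configs
# and file names below are constructed for this example.

# Return 0 if every "restrict default" line in $1 (plain, -4 or -6 form)
# carries noquery; return 1 if there is no default policy or it allows queries.
ntp_default_restrict_ok() {
    conf="$1"
    # Default-policy lines with comments stripped; "|| true" keeps set -e quiet.
    defaults=$(sed 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' \
        || true)
    [ -n "$defaults" ] || return 1            # no default policy: everything allowed
    # Any default line without noquery still answers information queries.
    printf '%s\n' "$defaults" \
        | grep -qvE '(^|[[:space:]])noquery([[:space:]]|$)' && return 1
    return 0
}

# Constructed sample: default policy blocks modification but still answers queries.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # missing noquery
restrict 127.0.0.1
EOF

# Constructed sample: corrected policy, clients get time but no variables.
FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT
for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if ntp_default_restrict_ok "$f"; then
        echo "$f: default restriction has noquery"
    else
        echo "$f: default restriction answers NTP information queries"
    fi
done
```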





Host: 192.168.0.2

Service: general/tcp

The remote host is running knfsd, a kernel NFS daemon. There is a bug in this version which may allow an attacker to disable the remote host by sending a malformed GETATTR request with an invalid length field. An attacker may exploit this flaw to prevent this host from working correctly.

Solution : Upgrade to the latest version of Linux 2.4, or do not use knfsd.

Risk Factor : High
BID : 8298





Host: 192.168.0.3

Service: general/tcp

It was possible to crash the remote host by sending a specially crafted IP packet with a null length for IP option #0xE4. An attacker may use this flaw to prevent the remote host from accomplishing its job properly.

Risk factor : High
BID : 7175




WAR DIALING RESULTS

Dialing all listed phone lines to determine network access terminals found the following lines with FAX machines in auto-answer:

111-555-5555
222-555-5555
333-555-5555

Network access terminals were found at:

111-555-5555
222-555-5555
333-555-5555

Each network access terminal displayed the following banner:

    User Access Verification

    Username:

    PASSCODE:

Due to the banner and PASSCODE prompt, a CISCO IOS based Terminal Server and SecurID tokens are suspected to be in use. All login attempts were unsuccessful.



CONCLUSION

Security is an iterative process

Service Provider views security as an iterative process requiring continuous improvement rather than a one-time implementation of products. Components of a corporation’s continuous security process include planning, securing, monitoring, responding, testing, and process management to improve the overall security posture. Each component plays an integral role in maintaining an effective security posture. Service Provider Security Assessment Services fall in the Test & Management area of a corporation’s continuous security process. Penetration tests help to measure security, manage risk, and eliminate vulnerabilities, which provides a foundation for the overall improvement of network security.

The iterative security process includes the following seven steps:


1. Develop a comprehensive corporate security policy. A comprehensive corporate security policy provides the foundation for an effective security program. Corporate security policies should include coverage for design, implementation and acceptable use as well as guidance for incident response, forensics and the testing and review process.

2. Secure the hosts. Secure your hosts by using hardware and/or software point products. Establish a host focused configuration management and auditing process so that you can measure the state of network security.

3. Secure the network. Secure your network by using hardware and/or software point products. Establish a network focused configuration management and auditing process so that you can measure the state of network security.

4. Monitor hosts and respond to attacks. Continuously monitor your hosts using host based intrusion detection and integrity verification tools. Collect data and establish attack metrics so that you can perform trend analysis.

5. Monitor the network and respond to attacks. Continuously monitor your network using network based intrusion detection and integrity verification tools. Collect data and establish attack metrics so that you can perform trend analysis.

6. Test existing security safeguards. Using manual and automated penetration tests and security configuration management verification, regularly test the configurations of all of the components of the environment to ensure that they are secure.

7. Manage and improve corporate security. Use trend analysis to determine which of the host and network components are most vulnerable and recommend methods for component and process improvement.





Thank you for the opportunity to provide these penetration test services for Customer Company. Please feel free to contact me at 888-555-5555 or via email if you have any questions or comments.

Sincerely,

Service Provider, practice manager