Team LabRat Penetration Testing Report
Sarah Labbad, David Ward, Nathan Whitney

Executive Summary

To gain access to our target machine, we employed several techniques, including cracking users' passwords and scanning for weak spots in the server's security that we could take advantage of. We discovered several user account passwords and used them to read private files. We also found several open ports that offered potential entry points. Our biggest success was cracking Tyler's password, which led us to a file containing directions to a database of hashed passwords. We were able to crack these passwords quite easily and are now in possession of this sensitive data.

Our recommendations for maintaining a secure server are to update all software and to refrain from displaying user information on web-facing ports. We also recommend installing a firewall for the open ports and setting up a monitor that records any attack attempts. Finally, it is extremely important to encrypt all files on users' accounts, especially those containing sensitive information. These files, like the user accounts themselves, should be protected with very strong passwords.

Project Scope

Our scope included a virtual server with the IP address 172.32.24.205, and the engagement was limited to the ports associated with that system. We began as outsiders, with no privileges or insider information. Our focus was on finding a path into the server by figuring out user passwords and finding vulnerabilities that could be exploited.

1.1 Objectives

1. Document vulnerabilities that you are able to successfully exploit on the server. Describe in detail what you did and what level of access you were able to obtain. If you obtain a user account with limited privileges, document whether you were able to escalate the privileges to root. Document each exploit that you are able to successfully launch.
2. Document potentially sensitive information that you are able to obtain from the server. This could include user files or web, database, or other server files.
3.
For both 1 and 2 above, suggest ways that the vulnerabilities exploited or sensitive information obtained could be protected.

These are our objectives for exploiting the server, with what we found and our recommendation for each:

Scan for open ports and potential vulnerabilities
- Used the nmap command to find any open ports: found 21, 22, and 80.
- This server should be protected by a firewall that hides these open ports and restricts access by outside users.
- Searched the IP address in a browser and found a company website that listed user accounts.
- Refrain from posting user information on public-facing websites.
- Ran a Nessus scan to find critical exploits; found several potential exploits that could have been used to gain root privileges if time had allowed.

Run attacks to figure out user passwords
- Cracked three user passwords with limited privileges: mmoxie, tyler, and jcomey.
- These users should have password requirements set by their organization.
- More passwords could potentially have been cracked if time had allowed.

Log in as users to explore the privileges and documents held on their accounts
- Found several documents, including one on Tyler's account with instructions for accessing a large number of password hashes through a SQL database.
- Files with sensitive information like this should be hidden, encrypted, or password protected.

Authorization

We received authorization from Dr. Vance, owner of the Equihax server, to break into the Equihax server located at 172.32.24.205. See below for proof of authorization:

Target of Assessment

IP Address: 172.32.24.205
MAC Address: 06:8c:65:84:1f:58
OS Version: Ubuntu 14.04.5 LTS, Trusty Tahr
Major Applications:
- ProFTPD 1.3.5rc3
- OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
- Apache httpd 2.4.7 ((Ubuntu))
Websites Hosted: 172.32.24.205 → Equihax Company Site
Services Running:
- ProFTPD 1.3.5rc3
- OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
- Apache httpd 2.4.7 ((Ubuntu))
Databases: MySQL 5.5.57-0ubuntu0.14.04.1 (Ubuntu), containing a list of unsalted hashes

Relevant Findings

Our group set out to fulfil the objectives specified in the scope of our project.
Our first focus was to gain access to the system by cracking user accounts. We then leveraged these accounts to obtain sensitive data and modify documents.

3.1 User Data Breach

Tyler's account had access to the SQL database that was reachable through the SSH port. After cracking his account, we found credentials to log into the SQL database and view the user data stored there. After copying the data to our machine, we searched the internet for any already-solved hashes, and recovered a handful of passwords from the SQL table found through Tyler's account. We obtained over a million passwords (as hashes), which you can see in the video found in the appendix. The passwords we recovered are listed in table 3.1.

Table 3.1

Hash                                Password
d79eb5b7e2fef4dadae44c85591385eb    8HALLELUJAH
cd25c09f1a71dfb41fc07aeb2eeea1e1    KAYLA8
0407ffacefb43b14d3e7aa206b82130b    63BYWALEC
18b1ee264ff992eaefb5f76953d7f94a    8SITHE
302120b99ea8b1306913bdebb246f24a    bBMW1963
e9e3eafe158d2414a276502d61914a57    ENFAMILY
1c87d55d9c27540637dc36f9c1118b7d    TRICKMASTER

3.2 Access to Internal Accounts

User accounts on the server were not protected beyond weak passwords, so we were able to easily crack the passwords of some of the users we found. Please see section 3.1.1 for a list of user accounts and their passwords. We were then able to log in as these users and view their files, which were unencrypted. Through Tyler's account, we found a document detailing steps to access over a million password hashes.
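The reason the hashes in table 3.1 could be solved by searching for them is that they are unsalted, single-round MD5: every user who chose the same password stored the same digest, so one public lookup table answers for all of them. The following script is an added example written for this report's readers, not code from the LabRat team or from Equihax. It takes a constructed user_accounts export (the plaintexts are only kept so the digests can be computed inline), flags raw 32-hex values, shows which accounts share a digest and which fall to a small constructed common-password list, and then stores the same passwords the way recommendation 5.3 implies they should be stored: salted and iterated (PBKDF2-HMAC-SHA256 from the standard library, with the iteration count chosen as an assumption), so that equal passwords no longer produce equal records and a lookup table is useless.

```python
"""Unsalted fast hashes versus salted, iterated hashes for stored passwords.

Added example, not code from the LabRat report or from Equihax. The user rows and
the small common-password list below are constructed sample data.
"""
import hashlib
import hmac
import os
import re

# Constructed stand-in for an unsalted user_accounts export: plaintexts are only
# kept here so the MD5 digests can be computed inline instead of hand-copied.
_SAMPLE_PLAINTEXTS = {"alice": "password", "bob": "letmein", "carol": "password"}
UNSALTED_EXPORT = {u: hashlib.md5(p.encode()).hexdigest() for u, p in _SAMPLE_PLAINTEXTS.items()}

# Constructed stand-in for a public lookup table of already-cracked common passwords.
COMMON_WORDLIST = ["123456", "password", "qwerty", "letmein"]

RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms on the auth host


def looks_like_unsalted_md5(stored: str) -> bool:
    """32 hex characters with no salt or algorithm tag is the signature of a raw MD5 digest."""
    return bool(RAW_MD5.match(stored))


def reused_hashes(export: dict) -> dict:
    """Map each digest shared by several users to those users. Without a salt, equal
    passwords give equal digests, which is why one lookup cracks many accounts at once."""
    groups = {}
    for user, digest in export.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(users) for d, users in groups.items() if len(users) > 1}


def wordlist_exposure(export: dict, wordlist) -> list:
    """Audit: which accounts would fall to a plain lookup of common passwords?
    Hashing the wordlist once suffices for every account because there is no salt."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return sorted(user for user, digest in export.items() if digest in table)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries algorithm, work factor and salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted digests:", UNSALTED_EXPORT)
    print("digests shared by several users:", reused_hashes(UNSALTED_EXPORT))
    print("accounts that fall to the wordlist:", wordlist_exposure(UNSALTED_EXPORT, COMMON_WORDLIST))
    first, second = hash_password("password"), hash_password("password")
    print("same password, different salted records:", first != second)
    print("verify correct / wrong password:", verify_password("password", first), verify_password("Password", first))
```

Running the script shows alice and carol sharing one digest and all three constructed accounts matching the four-word list, while the two salted records for "password" differ and still both verify. Migrating an existing table is done lazily: keep the old MD5 column, and on each successful login re-hash the password just supplied into the new format and drop the old value.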
Please see section 4.2 for more details on this issue and section 5 for our security recommendations.

Attempting to crack all accounts with Hydra on port 22 (SSH):

hydra -V -l bcurtis -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh
hydra -V -l bschneier -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh
hydra -V -l Cincinnatus -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh
hydra -V -l comedy -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh
hydra -V -l Justin -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh
hydra -V -l pzimm -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh
hydra -V -l tyler -P /usr/share/wordlists/rockyou.txt.gz 172.32.24.205 ssh

Given our time constraints, we were not able to brute force all of the accounts, but we obtained the login credentials of three user accounts with relatively weak passwords. The information for these is listed in table 3.2.

Table 3.2

Username    Password
mmoxie      mmoxie
jcomey      cheekymonkey
tyler       hellokitty!

Supporting Details

After completing our objectives and collecting our findings, we condensed the list of issues on this server into three major groups:

4.1 - No Firewall/Listener on Open Ports
4.2 - Inadequate Authentication Processes
4.3 - Poor Encryption Practices

Please cross-reference sections 3 and 5 to check the relevant findings and remediation strategies related to each issue.

4.1 Issue 1: No Firewall/Listener on Open Ports

Risk: High. Open network ports are prone to sharing and exchanging unwanted data, files, viruses, etc. Any time this server is online, these ports are at risk.

Complexity: Medium. Neglecting to use a firewall for the open ports on this server makes it easy for anyone to access its potentially sensitive information. Threat actors with entry-level knowledge of Linux could break into this system.

Summary: There are three open ports on the server: 21, 22, and 80.
Open ports are necessary for users to interact with servers, but they must be closely monitored since they can be exploited by attackers fairly easily. We were able to scan for vulnerabilities and attempt to target them specifically by using Nessus and researching how to exploit the specific vulnerabilities detected.

Demonstration of Vulnerability Discovery:
1. Run an Nmap scan on the server (172.32.24.205). Using the -sV flag shows additional information about the open ports.
2. Complete a Nessus scan of the server:
   - Create a scan in Nessus.
   - Under Targets, enter the IP address of the system.
   - Run the scan.
   - Review the vulnerabilities for further exploitation purposes.
3. We can see which ports are open, since no firewall is protecting them. The remote host is running an outdated version of ProFTPD, and there is little to no encryption used for the SSH port.

Details: When a scan of this virtual server is performed with Nmap and Nessus, the open ports are listed. This type of reconnaissance can be done by anyone with malicious intent, and it shows them which ports they could potentially exploit. This server is running the FTP service ProFTPD 1.3.5, which contains a vulnerability that allows unauthenticated attackers to read and write files on paths accessible to the host. Nessus classifies this as a critical vulnerability. The scan also shows that SSH is a vulnerable target for potential attackers. Despite this, our attempts to breach the server using the ProFTPD 1.3.5 exploit were largely unsuccessful. Although our group did not succeed, we believe a seasoned attacker could use this exploit effectively.

A monitoring service for the server would better protect data on the open ports, and it could notify system administrators of any scan performed against their network. Flagging the IP addresses of devices that scan the network or attempt other attacks would help stop attacks before they happen.
Please view section 5 for an extended look at remediation.

4.2 Issue 2: Inadequate Authentication Processes

Risk: High. Poor authentication processes make it easy for an attacker to crack a user's password, as neither the user nor the system would be notified of an attacker's attempts to break in.

Complexity: Low. To crack a password protected only by one-step authentication, an attacker can use a wide variety of techniques, from phishing and password cracking to social engineering and many others. This makes it easy for anyone to perform this kind of attack.

Summary: Authentication of users starts with passwords. One-factor authentication only requires that users enter the password they created. Two-factor authentication requires users to validate their identity through another medium as well. This system only required one-factor authentication, which makes brute-force password attacks a possibility for an attacker. Lack of proper password management at an internal level makes this port a vulnerable entry point for potential threats. Gaining access to accounts on this port also allows an attacker to transfer files to other machines. The SSH port's one-factor authentication makes it simple for attackers to exploit weak passwords and gain access to an account. Our demonstration illustrates the ease with which this attack can be conducted.

Demo:
1. Identify an open secure shell (SSH) port.
2. Navigate in a web browser to 172.32.24.205 and note the list of usernames shown on the site.
3. Create a text file from the usernames (vi usernames.txt), with one name per line:
   mmoxie
   pzimm
   justin
4. hydra -L usernames.txt -e s 172.32.24.205 ssh
   Success! Username: mmoxie, Password: mmoxie
5. Connect to the Equihax server as mmoxie: ssh mmoxie@172.32.24.205
6. cd .. to view all users in the home directory.

Details: After completing Nessus and nmap scans of the server, we discovered user information on the port that handled web traffic. The site displayed the email addresses of three users. We put this information into a text file and successfully cracked the password of one user account.
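Both the port sweep in 4.1 and the Hydra run above leave a distinctive trace in the server's own logs, and the executive summary's "tracker to show any attack attempts" can be as simple as a script that reads them. The following is an added example written for this report, not code from the LabRat team or from Equihax, covering both findings at once: it parses constructed log lines (the sshd lines use the standard OpenSSH auth.log wording; the "[FW LOG]" lines assume a netfilter LOG rule with that assumed --log-prefix, which is not something the report shows configured) and raises a finding when one source IP hits many distinct ports in a short window, or fails many SSH logins in a short window, noting which user that same IP then logged in as, which is the signature of a successful guess.

```python
"""Log triage for the two things sections 4.1 and 4.2 say nobody was watching for:
port sweeps against the open ports and password brute-forcing on SSH.

Added example, not code from the LabRat report or from Equihax. The log lines are
constructed: the sshd lines follow the standard OpenSSH auth.log wording, and the
"[FW LOG]" lines assume a netfilter LOG rule with that (assumed) --log-prefix.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar  3 10:14:50 equihax kernel: [FW LOG] IN=eth0 OUT= SRC=10.0.0.7 DST=172.32.24.205 PROTO=TCP SPT=44001 DPT=21
Mar  3 10:14:50 equihax kernel: [FW LOG] IN=eth0 OUT= SRC=10.0.0.7 DST=172.32.24.205 PROTO=TCP SPT=44002 DPT=22
Mar  3 10:14:50 equihax kernel: [FW LOG] IN=eth0 OUT= SRC=10.0.0.7 DST=172.32.24.205 PROTO=TCP SPT=44003 DPT=23
Mar  3 10:14:51 equihax kernel: [FW LOG] IN=eth0 OUT= SRC=10.0.0.7 DST=172.32.24.205 PROTO=TCP SPT=44004 DPT=25
Mar  3 10:14:51 equihax kernel: [FW LOG] IN=eth0 OUT= SRC=10.0.0.7 DST=172.32.24.205 PROTO=TCP SPT=44005 DPT=80
Mar  3 10:14:51 equihax kernel: [FW LOG] IN=eth0 OUT= SRC=10.0.0.7 DST=172.32.24.205 PROTO=TCP SPT=44006 DPT=443
Mar  3 10:15:01 equihax sshd[2101]: Failed password for invalid user justin from 10.0.0.7 port 51122 ssh2
Mar  3 10:15:01 equihax sshd[2102]: Failed password for mmoxie from 10.0.0.7 port 51123 ssh2
Mar  3 10:15:02 equihax sshd[2103]: Failed password for pzimm from 10.0.0.7 port 51124 ssh2
Mar  3 10:15:02 equihax sshd[2104]: Failed password for mmoxie from 10.0.0.7 port 51125 ssh2
Mar  3 10:15:03 equihax sshd[2105]: Failed password for pzimm from 10.0.0.7 port 51126 ssh2
Mar  3 10:15:03 equihax sshd[2106]: Accepted password for mmoxie from 10.0.0.7 port 51127 ssh2
Mar  3 10:40:12 equihax sshd[2300]: Failed password for tyler from 10.0.0.9 port 40000 ssh2
Mar  3 10:41:30 equihax sshd[2301]: Accepted password for tyler from 10.0.0.9 port 40001 ssh2
"""

TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)")


def parse_events(log_text, year=2017):
    """Turn raw lines into (timestamp, kind, source_ip, detail) tuples; syslog carries no year."""
    events = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = datetime.strptime(f"{year} {ts_m['mon']} {ts_m['day']} {ts_m['time']}", "%Y %b %d %H:%M:%S")
        ssh = SSH_RE.search(line)
        if ssh:
            kind = "ssh_fail" if ssh["result"] == "Failed" else "ssh_ok"
            events.append((ts, kind, ssh["src"], ssh["user"]))
            continue
        fw = FW_RE.search(line)
        if fw:
            events.append((ts, "fw_hit", fw["src"], int(fw["dport"])))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Source IPs with >= threshold failed SSH logins inside window_s seconds, plus the
    users whose login from that IP then succeeded within the window (likely guessed)."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for ts, kind, src, detail in events:
        if kind == "ssh_fail":
            fails[src].append(ts)
        elif kind == "ssh_ok":
            accepts[src].append((ts, detail))
    findings = {}
    for src, times in fails.items():
        times.sort()
        j = 0  # sliding window [i, j] over the sorted failure times
        for i in range(len(times)):
            while j + 1 < len(times) and times[j + 1] - times[i] <= timedelta(seconds=window_s):
                j += 1
            if j - i + 1 >= threshold:
                end = times[j] + timedelta(seconds=window_s)
                users = {u for t, u in accepts[src] if times[i] <= t <= end}
                findings[src] = {"failures": j - i + 1, "compromised_users": sorted(users)}
                break
    return findings


def detect_portscan(events, distinct_ports=5, window_s=10):
    """Source IPs that touched >= distinct_ports different destination ports within window_s."""
    hits = defaultdict(list)
    for ts, kind, src, detail in events:
        if kind == "fw_hit":
            hits[src].append((ts, detail))
    findings = {}
    for src, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            ports = {p for t, p in items[i:] if t - start <= timedelta(seconds=window_s)}
            if len(ports) >= distinct_ports:
                findings[src] = sorted(ports)
                break
    return findings


def triage(log_text):
    events = parse_events(log_text)
    return {"bruteforce": detect_bruteforce(events), "portscan": detect_portscan(events)}


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed log, 10.0.0.7 is reported for both a six-port sweep and a five-failure burst that ended in an accepted login as mmoxie, while 10.0.0.9 (one failure, then a login well outside the window) is not. The thresholds are assumptions and should be tuned to the site's normal traffic; the output is what a monitor would pass to an alert or to a block list, and the "compromised_users" field is what tells the administrator which password to reset first.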
We exploited the information housed on this account to break into other accounts with more valuable information. With single-factor authentication, the security of an account is limited to the strength of the user's password, and statistically speaking most users will not have passwords strong enough to rule out a Hydra attack. In addition to mmoxie's account, we cracked two other user accounts with a password dictionary. The system administrator's password was too strong to crack with this method within a reasonable amount of time. Although we did not gain root privileges with these accounts, there was valuable information stored on them, which could have led to a large-scale password breach if this were a real attack. Upgrading authentication to a multi-factor process or a key-based system would mitigate the threat of a brute-force or dictionary password attack. Please view section 5 for an extended look at remediation.

4.3 Issue 3: Poor Encryption Practices

Risk: High. Failure to encrypt documents puts the data on a server at high risk. Our group's scope was narrower than what can be expected in reality: there are many ways an attacker, insider or outsider, could gain access to an account holding important information. Therefore, the unencrypted documents stored on these accounts are highly vulnerable to attackers.

Complexity: Medium. Stealing files that are not encrypted is not a complex task. However, for an attacker to breach sensitive data on this server, they would first have to crack the passwords of multiple users that held important documents or privileges.

Summary: The purpose of encryption on Secure Shell ports is to protect the stored data from unwanted access. The version of SSH on this server was outdated; a quick vulnerability scan told us that it either had no cipher or a very weak one. This leaves all of the responsibility for protecting files to the internal users of the system.
The poor authentication processes on the SSH port make accessing user accounts easy. While an attacker could exploit this vulnerability, proper use of encryption could prevent them from leveraging the information on any accounts they gained access to. The responsibility for protecting files with encryption is left to the users, and they fail to fulfil it. This makes users with privileged data on this system a major target: gaining access to these accounts gives an attacker free rein over the user's personal data. Our demonstration illustrates how easily an attacker who has obtained a user login can exploit the information on the server.

Demo:
1. Gain access to a user account with sensitive information stored on it, then cd into all directories to find users with files:
   - bcurtis → go-away.txt
   - bschneier → note-about-salaries.txt, salary_dec2016.csv enc (permission denied when trying to open these files)
   - tyler → note-to-self.txt
   - mmoxie → note-to-moxie.txt
2. Log in as Tyler: ssh tyler@172.32.24.205 (password: hellokitty!)
3. Gain access to the MySQL monitor with the information from note-to-self.txt on Tyler's account: mysql -u root -p (password: geometry.geisha.vamoose)
4. Select all rows from the user_accounts table of the important_things schema: SELECT * FROM important_things.user_accounts;
5. Create a .txt file containing all of the password hashes: vi hash.txt, then paste the copied output with "+p
6. Review the list of unsalted hashes and google them for potential matches. Alternatively, use and enter 20 hashes at a time.

Figure 4.3.3: Gaining Access to MySQL Monitor

Details: From earlier scans of this port, we were aware that little to no encryption was in use. This meant that once we cracked the password of the right user account, we would have almost no trouble stealing their important documents. The failure to encrypt files stored on this port first gave us the file on mmoxie's account, which led us to focus on Tyler as a target of interest.
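What made step 1 of the demo productive was not the SSH cipher but the state of the home directories: a note with database credentials was readable to any logged-in user, while bschneier's files were not. An administrator can find that condition before an attacker does. The script below is an added example written for this report, not code from the LabRat team or from Equihax. It builds a constructed home tree in a temporary directory that mirrors the layout the demo lists (the file contents are invented and contain no real credentials), then audits it: files that other users can read or write are flagged from their mode bits, and readable files are scanned for credential-like text such as "password" or a MySQL login command. The keyword list is an assumption and should be extended for the site.

```python
"""Home-directory audit: who else can read each user's files, and which files look
like they hold credentials.

Added example, not code from the LabRat report or from Equihax. The directory
tree is constructed in a temporary folder; file contents are invented.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: phrases that usually mean a file holds secrets. Extend per site.
CREDENTIAL_HINTS = re.compile(
    r"(password|passwd|mysql\s+-u|BEGIN (RSA|OPENSSH|EC) PRIVATE KEY)", re.IGNORECASE
)
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH
OTHERS_TRAVERSE = stat.S_IXGRP | stat.S_IXOTH


def build_sample_home():
    """Constructed sample of the layout the 4.3 demo lists (modes: file, directory)."""
    root = Path(tempfile.mkdtemp(prefix="home-audit-"))
    layout = {
        "bcurtis":   ("go-away.txt", "Nothing to see here.\n", 0o644, 0o755),
        "bschneier": ("note-about-salaries.txt", "Salary data is in the encrypted csv.\n", 0o600, 0o700),
        "tyler":     ("note-to-self.txt", "DB login: mysql -u root -p, password is on the sticky note.\n", 0o644, 0o755),
        "mmoxie":    ("note-to-moxie.txt", "Ask tyler, he keeps the list.\n", 0o644, 0o755),
    }
    for user, (name, body, file_mode, dir_mode) in layout.items():
        home = root / user
        home.mkdir()
        (home / name).write_text(body)
        os.chmod(home / name, file_mode)
        os.chmod(home, dir_mode)
    return root


def audit_home(home_root):
    """Return one finding per problematic file: {'user', 'file', 'issues'}."""
    root = Path(home_root)
    findings = []
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        # A 0700 home blocks other users before file modes even matter.
        home_open = bool(home.stat().st_mode & OTHERS_TRAVERSE)
        for path in sorted(p for p in home.rglob("*") if p.is_file()):
            mode = path.stat().st_mode
            issues = []
            if home_open and mode & OTHERS_READ:
                issues.append("readable-by-other-users")
            if home_open and mode & OTHERS_WRITE:
                issues.append("writable-by-other-users")
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""  # not readable by the auditor; the mode checks still stand
            if CREDENTIAL_HINTS.search(text):
                issues.append("credential-like-content")
            if issues:
                findings.append({"user": home.name, "file": str(path.relative_to(root)), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_home(build_sample_home()):
        print(f"{finding['user']:<10} {finding['file']:<35} {', '.join(finding['issues'])}")
```

On the constructed tree, tyler's note is flagged for both exposure and content, the other world-readable notes for exposure only, and bschneier's file not at all. Run against real home directories as root, the "readable-by-other-users" findings are the files to chmod 600 (or move into an encrypted container), and the "credential-like-content" findings are the ones whose secrets should be rotated, since they may already have been read.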
We cracked Tyler's user account with the same technique as the others: a password dictionary attack with rockyou.txt. Cracking Tyler's password led us straight to his document, which held the login credentials for the SQL server and the process he uses to extract the tables into a text file. Following these commands led us to over a million unsalted password hashes that were easy to reverse. One simple precaution, encryption, could have prevented the attack we conducted on this server. Even if someone gained access to Tyler's account through a poor password or one-factor authentication, they could not have accessed the file that holds over a million user accounts and passwords. Please view section 5 for an extended look at remediation.

Vulnerability Remediation

Below are our recommendations for protecting this server from the discovered vulnerabilities. Each entry gives a description, a risk rating, and a page reference.

5.1 Patch Vulnerabilities on Network / Network Scanning

Equihax's network contains a litany of known vulnerabilities, ranging in severity from mild to critical. In order to secure its network, Equihax must update and patch all software on its network to close this glaring security hole. The most critical vulnerability on Equihax's network is the ProFTPD 1.3.5 mod_copy exploit. This exploit has been published and openly known since 16 June 2015 and is classed as a critical vulnerability. This means that there has been a glaring hole in Equihax's network that anyone with a basic network scanner and an internet connection could have found. An updated version of ProFTPD may be found at . Equihax also needs to do a better job of scanning its network for known vulnerabilities. An example network scanner is Nessus, which is available for download at .
Risk Rating: HIGH. Page Reference: Page 6.

5.2 Password Authentication

Users should have two-factor authentication set up.
This way, even if their passwords are cracked, an attacker cannot access their accounts without the second level of authentication. Examples of two-factor authentication include:
- Verification codes sent through an app or text message
- Personal information questions, such as asking for a user's zip code, PIN, or a previously answered personal preference
- Hardware tokens given to each employee
Risk Rating: HIGH. Page Reference: Page 8.

5.3 More Secure Encryption for Sensitive Information

Files on all user accounts must be protected by encryption or another level of authentication. This can be done by encouraging or requiring users to password-protect their documents.
Risk Rating: HIGH. Page Reference: Page 11.

5.4 Require Users to Set Stronger Passwords

Users must be required to set strong passwords that are difficult to crack. Users need education on password security techniques. Employees should be required to use a password manager so they can set very secure passwords without having to remember them. A password manager such as LastPass can be used by employees to save their passwords.
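Recommendation 5.4 is only enforceable if the system rejects weak passwords at the moment they are set. The checker below is an added example written for this report, not code from the LabRat team or from Equihax. It applies the policy the recommendation describes (a minimum length, a required special character, plus the two rules that would have caught the three passwords in table 3.2: no password equal to or containing the username, and no password that is a common word once digits and punctuation are stripped). The minimum length, the character-class rule and the tiny common-password list are assumptions standing in for the organisation's policy and for a rockyou-style list.

```python
"""Password-policy check for recommendation 5.4.

Added example, not code from the LabRat report or from Equihax. MIN_LENGTH, the
class rule and COMMON_PASSWORDS are assumptions; the list stands in for a real
breach wordlist such as rockyou.txt.
"""
import re

MIN_LENGTH = 12          # assumption: organisation's minimum
MIN_CLASSES = 3          # assumption: of lower, upper, digit, special
COMMON_PASSWORDS = {     # constructed stand-in for a breach wordlist
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "hellokitty", "cheekymonkey", "monkey", "welcome",
}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(username, password, common=COMMON_PASSWORDS):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    if username.lower() in lowered:
        problems.append("contains the username")
    # "hellokitty!" and "Password1" are still dictionary words once decoration is removed.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in common or core in common:
        problems.append("common password (dictionary)")
    return problems


def is_acceptable(username, password):
    return not check_password(username, password)


if __name__ == "__main__":
    # The three credential pairs from table 3.2, plus one that passes.
    for user, pw in [("mmoxie", "mmoxie"), ("jcomey", "cheekymonkey"),
                     ("tyler", "hellokitty!"), ("tyler", "Correct-Horse-Battery-9!")]:
        verdict = check_password(user, pw) or ["ok"]
        print(f"{user}/{pw}: {', '.join(verdict)}")
```

All three cracked passwords from table 3.2 fail at least two rules, and "mmoxie" fails four. The check belongs wherever passwords are set (the passwd PAM stack on the server or the account-creation form), not in a periodic audit, because by the time an audit runs the weak password has already been exposed to a dictionary attack.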
When users create passwords for their accounts, they should be held to a minimum length requirement and required to include special characters before the system accepts the password.
Risk Rating: MEDIUM. Page Reference: Page 8.

5.5 Data Management on Ports That Handle Web Traffic

Refrain from posting sensitive information such as user account logins on public websites, especially if these users have access to important and unencrypted documents.
Risk Rating: MEDIUM. Page Reference: Page 6.

Glossary

Outsider Attack - Attacks perpetrated by adversaries that do not have direct access to any of the authorized nodes in a network.
Nmap (Network Mapper) - A free, open-source network scanner used to discover hosts and services on a computer network by sending packets to a target and analyzing the responses.
Encryption - The practice of encoding a message or information in such a way that only authorized parties can access it, while those who are not authorized cannot.
Hashing - The practice of using an algorithm (MD5, RSA, SHA1, etc.) to map data of any size to a fixed length. Hashing is a one-way function.
Salt - Random data used as an additional input to a one-way function that hashes data, such as a password or passphrase.
One-way function - A function that is easy to compute on every input but difficult to invert back to its original input.
Password Dictionary - A list of passwords that someone uses to attack a user's account.

Appendix A

Demonstration of exploiting Tyler's account and breaching his list of passwords for users on the system: