Attack Process
One system was found to have a misconfigured DNS server that permitted DNS zone transfers. The result was a list of specific hosts to target for this assessment. An examination of these hosts uncovered a password-protected administrative web server interface. After building a custom wordlist from terms found on UltraCorp's website, access to this interface was gained by brute-forcing the password.
Further examination of the administrative interface revealed that it was vulnerable to remote SQL code injection, which was used to gain access to the underlying operating system (Weidman, 2014). This initial compromise was escalated to administrative access because of missing system patches on the web server. On closer examination, we found that the compromised web server serves a Java applet to administrative users. We added a malicious payload to this applet, which gave us interactive access to workstations used by UltraCorp's administrators.
Using the compromised web server as a pivot point, together with passwords recovered from it, internal resources were targeted. Successful reuse of the obtained passwords provided Local Administrator access to various Windows clients and complete control of the Windows Active Directory infrastructure. Existing network traffic controls were bypassed by encapsulating malicious traffic in permitted protocols.
To identify the potential attack surface, we examined the name servers of the ultracorp.com domain using the nslookup command from the terminal of a Kali Linux desktop. nslookup was used to identify the names of the servers and their respective IP addresses. A ping sweep was also performed to see which of those IP addresses were responding.
An intrusive target search was then carried out with Nmap (Lyon, 2008) to gather more information about the target. Nmap was used for port scanning, a technique that determines how a host responds to connection requests. The port scan identified the open ports that could be used to gain entry into UltraCorp's network.
The admin.ultracorp.com web server was observed to be running Apache on port 83. Requesting the root URL of this site returned a blank page. We next ran a quick enumeration of the system for common directories and files. The scan results revealed that, alongside the usual Apache default files, there was an "/admin" directory that could only be accessed after authentication.
Admin Web Server Interface Compromise
To set up a targeted brute-force attack against this system, a custom wordlist was compiled from the content of the www.ultracorp.com site. The initial dictionary consisted of 351 custom words, which were then put through several rounds of permutations and substitutions to produce a final dictionary file of 16,440 words. This dictionary was used together with the username "admin" against the protected area of the site. The brute-force attack revealed a password of "nanotechnology1" for the administrator user. These credentials were used to gain unauthorized access to the secure section of the website.
The administrative part of the site contained the SQLite Manager web interface, which was accessible with no additional credentials. Through this interface it was observed that the database backed an instance of phpSQLiteCMS. The interface provided direct access to the data and the ability to extract a list of users on the system along with their associated password hash values. On examination of these values, it was found that the hashes did not conform to any standard format.
Using a copy of the phpSQLiteCMS software, the source code was inspected to determine exactly how this value is generated. With the newly gained knowledge of the hashing format, which uses a randomly generated ten-character salt, the recovered hashes could be readily converted into their salted SHA1 equivalent and subjected to a brute-force attack. This effort resulted in the recovery of two plaintext passwords. Although these values were not immediately useful, they were retained in the expectation that they may have been reused on other systems inside the organization.
With interactive access to the underlying operating system of the administrative web server obtained, examination of the system continued in order to identify further ways of raising privileges. The system was found to be vulnerable to a local privilege escalation exploit, which was used successfully. Use of this exploit was made possible by the presence of developer tools on the vulnerable system. Had these tools been absent, successful exploitation would still have been possible, although more difficult. In its present configuration, the web server represents an internal attack platform for a malicious party. With the ability to gain full administrative access, a malicious entity could use this vulnerable system for a wide range of purposes, from attacks against UltraCorp itself to attacks against its clients. It is highly likely that attackers would use this system for both.
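The weakness behind both the recovered hashes here and recommendation (i) below is a single fast SHA1 round over a salted password. The following is an added illustration, not phpSQLiteCMS code: it models the described scheme beside a hardened PBKDF2 store and a login hook that migrates legacy records on the next successful login. The salt-first concatenation order is an assumption.

```python
import hashlib
import hmac
import os
import secrets
import string

# Added illustration, not phpSQLiteCMS code. The report describes SHA1 over a
# random ten-character salt; salt-first order is assumed. One fast SHA1 round
# is the problem regardless of order: each guess is almost free for an attacker.
SALT_CHARS = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256

def legacy_hash(password: str, salt: str) -> str:
    """The weak scheme: a single SHA1 over salt + password."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

def legacy_store(password: str) -> str:
    """Store in the weak format, tagged so verify() can recognise it."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(10))
    return f"sha1${salt}${legacy_hash(password, salt)}"

def hardened_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted, iterated hash: each guess costs the full work factor."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either format with a constant-time comparison."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        return hmac.compare_digest(legacy_hash(password, parts[1]), parts[2])
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        _, iters, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return False

def verify_and_migrate(password: str, stored: str):
    """Login hook: on success, re-hash any legacy record into the hardened format.
    Returns (ok, replacement); replacement is None when the record is current."""
    if not verify(password, stored):
        return False, None
    if stored.startswith("sha1$"):
        return True, hardened_store(password)
    return True, None
```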
Administrative Privilege Escalation
The access provided by the Java applet attack was limited to the level of a standard user. To maximise the impact of the vulnerability, access needed to be escalated to the level of Domain Administrator. As a first step, local administrative access was required. To achieve this, the compromised system was examined to determine how it could be used. Through this approach, a Group Policy Preferences file was found on the system that allowed the local administrator password to be decrypted (Henry, 2012). Using the recovered plaintext password, it was possible to gain local administrative access to the compromised client.
Per NIST SP 800-30, exploited vulnerabilities are ranked by likelihood and impact to determine overall risk. The overall risk identified for UltraCorp as a result of the penetration test is High. It was established that an external attacker could compromise the system using the vulnerabilities discovered. It is reasonable to believe that a malicious entity would be able to successfully execute a targeted attack against UltraCorp.
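As an added defender-side check (not part of the original assessment), the script below scans Group Policy Preferences XML files for the cpassword attribute that marks a stored, decryptable account password, so such files can be found and removed before an attacker does. The sample file, its GUIDs and the cpassword value are constructed placeholders; the account attribute names per file type are assumptions.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a Group Policy Preferences file of the kind found under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\Groups.xml.
# GUIDs and the cpassword value are placeholders, not real data.
SAMPLE_GROUPS_XML = """<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="Administrator (built-in)"
        changed="2015-03-02 10:11:12" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0"
        userName="Administrator (built-in)"/>
  </User>
  <User clsid="{PLACEHOLDER-CLSID}" name="helpdesk" uid="{PLACEHOLDER-UID-2}">
    <Properties action="C" userName="helpdesk"/>
  </User>
</Groups>
"""

# Preference files that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
# The attribute naming the account differs per file type (assumed set).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_stored_credentials(xml_text: str, source: str) -> List[Dict[str, str]]:
    """Return one finding per <Properties> element that embeds a cpassword."""
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        if "cpassword" not in props.attrib:
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)),
                       "<unknown>")
        findings.append({"file": source, "account": account,
                         "action": props.get("action", "?")})
    return findings

def scan_sysvol(root: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL copy or mount and collect every embedded credential."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_stored_credentials(fh.read(), path))
    return findings
```

Every finding should be treated as a password already exposed to all domain users, since SYSVOL is readable by any authenticated account.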
Conclusion
UltraCorp suffered a series of control failures which led to the compromise of critical organizational assets. These failures would have a drastic effect on UltraCorp if successfully exploited by a malicious entity. Current policies regarding password reuse and the deployment of access controls are not sufficient to mitigate the impact of the identified vulnerabilities. The goal of the pentest was to determine whether a remote attacker could penetrate UltraCorp's defenses and to assess the impact of such a breach on the confidentiality, integrity and availability of UltraCorp's network and information systems.
The objectives of the penetration test were met. A targeted attack against UltraCorp resulted in the breach of company assets. Several issues that would ordinarily be viewed as minor were used in combination, resulting in a complete compromise of the UltraCorp information systems. Note that this collapse of the entire UltraCorp security posture can be largely attributed to inadequate access controls at both the network boundary and host levels. Appropriate effort should be made to introduce effective network segmentation, which would help limit the impact of cascading security failures throughout the UltraCorp infrastructure.
Recommendations
Because of the impact on the overall organization revealed by this penetration test, appropriate resources should be allocated to ensure that remediation efforts are completed in a timely manner. While an exhaustive list of items that should be implemented is beyond the scope of this engagement, some high-level items are important to mention. I suggest the following:
(i.) Ensure that strong credentials are used everywhere in the organization. The compromise of the UltraCorp system was primarily due to the use of weak passwords. In addition to weak passwords, passwords were reused across systems with differing security levels. NIST SP 800-119 is recommended for guidance on developing an organization's password policy.
(ii.) Establish trust boundaries. Create sensible boundaries of trust appropriate for the internal network. Each logical trust segment should be independent of an attack on another segment, i.e. an attack on one segment should not easily cascade to other segments.
(iii.) Implement and enforce change control over all systems. Misconfiguration and insecure deployment issues were found across the various systems. The vulnerabilities that resulted can be mitigated by using change control processes on all server systems.
(iv.) Implement a patch management program. Operating a reliable patch management program following the guidelines set out in NIST SP 800-40 is a vital component of maintaining a good security defense. This will limit the attack surface that results from running unpatched internal applications and services.
(v.) Conduct regular vulnerability assessments. As part of an effective organizational risk management process, vulnerability assessments should be performed on a regular basis (Ali & Heriyanto, 2011). Doing so will help the organization determine whether the defense and mitigation mechanisms put in place are serving their intended purpose.
References
Agarwal, M., & Singh, A. (2013). Metasploit penetration testing cookbook: Over 80 recipes to master the most widely used penetration testing framework. Birmingham, UK: Packt Publishing.
Ali, S., & Heriyanto, T. (2011). BackTrack 4: Assuring security by penetration testing: Master the art of penetration testing with BackTrack. Birmingham, UK: Packt Open Source.
Allsopp, W., & Looy, H. (2017). Advanced penetration testing: Hacking the world's most secure networks.
EC-Council Press. (2011). Procedures and methodologies. Clifton Park, NY: Course Technology Cengage Learning.
Engebretson, P. (2013). The basics of hacking and penetration testing: Ethical hacking and penetration testing made easy.
Fadyushin, V. (2013). Instant penetration testing: Setting up a test lab how-to: Set up your own penetration testing lab using practical and precise recipes. Birmingham, UK: Packt Publishing.
Henry, K. M. (2012). Penetration testing: Protecting networks and systems. Ely, Cambridgeshire, UK: IT Governance Publishing.
International Council of E-Commerce Consultants. (2009). Penetration testing: Network threat testing procedures in security. Clifton Park, NY: Course Technology.
Lyon, G. F. (2008). Nmap network scanning: Official Nmap project guide to network discovery and security scanning. Sunnyvale, CA: Insecure.Com, LLC.
Muniz, J., & Lakhani, A. (2013). Web penetration testing with Kali Linux: A practical guide to implementing penetration testing strategies on websites, web applications, and standard web protocols with Kali Linux. Birmingham, UK: Packt Publishing.
Prasad, P. (2016). Mastering modern web penetration testing: Master the art of conducting modern pen testing attacks and techniques on your web application before the hacker does!
Weidman, G. (2014). Penetration testing: A hands-on introduction to hacking.
Wilhelm, T. (2013). Professional penetration testing.