Penetration Testing Report of Windows Desktop and CentOS Server
Setting up the Environment
The two machines were opened in VMware. The Desktop machine appears to be a Windows 7-based system, while the Server machine is a CentOS system, as shown in the image below.
Scanning Phase
Tool Used: Angry IP Scanner
Scanning is the phase where we look for open ports on a system or across a network. For this exercise, we scanned the entire network and found the CentOS server at IP address 192.168.10.10 along with its open ports. It is clearly evident that port 80 (HTTP), port 22 (SSH) and port 445 (SMB) are open on the CentOS server. This means that a web application might be running on the server.
Checking the Server Web Application on Port 80
Since port 80 was open on the CentOS server, as highlighted in the scanning phase, we accessed the web application running there, as shown in the image below. We used the Firefox browser because it allows modifying HTTP requests, which is helpful in later stages.
Moreover, we inspected the page source in order to capture the POST request by supplying dummy data to the website. As depicted in the image below, we entered mbrown in the username field and sdsda in the password field. Although the password is wrong, capturing the POST request is important for launching further attacks.
Running SQLMap on Captured Post Requests
After capturing the POST request, we ran the SQLMap tool on it in order to harvest details about the database, its tables, columns and fields, as shown in the image below. SQLMap finds SQL injection vulnerabilities in web pages, whereby a malicious SQL query inserted into a user input field is passed on to the database, which then returns further information to the attacker. The web service running on the CentOS server was found to be vulnerable to SQL injection attacks.
After getting the table details, SQLMap then shows the credentials as shown below.
Here, we can see that the passwords for two accounts (Lora Brown and Matt Brown) are stored in unencrypted form in the back-end database. Storing passwords in plaintext is not a recommended approach; they should be stored as hashes. Moreover, the credentials for the Windows system are also stored here. We logged into both machines using these credentials, as shown below. This shows that the web application running on the CentOS server is wide open to SQL injection attacks.
Another property of SQL injection attacks is that they do not create persistence-related issues on the victim system. Even in this case, the attack is persistent and stealthy because we are operating well above the Network layer of the TCP/IP stack, and no antivirus or firewall (if present) can guard against attacks on the Application layer of the TCP/IP stack. That is the reason we chose such a persistent attack to get into the system in the first place. This also points to the vulnerability in the implemented web application, which should be patched to curtail injection attacks. Moreover, since the web application is running on port 80 and not 443, the entire session is unencrypted, leaving all correspondence with the web application open to sniffers and eavesdroppers.
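The two weaknesses found above, a login query built from user input and passwords kept in plaintext, are easiest to understand side by side. The following Python example is added here and is not code from the report's web application; it assumes a SQLite-backed users table with constructed sample accounts (the usernames mirror the report's naming, the passwords are made up) and shows the vulnerable login beside a hardened one that binds parameters and stores salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for this example. The usernames mirror the
# report's account naming; the passwords are made up and are NOT the
# credentials recovered during the test.
SAMPLE_USERS = [("mbrown", "Winter2018!"), ("lbrown", "Summer2018!")]


def setup_vulnerable_db():
    """Schema that stores passwords in plaintext, as found on the server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input is parsed
    as SQL. Returns the matched username or None."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def hash_password(password, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt, stored as
    'iterations$salt_hex$digest_hex' so it can be verified later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def setup_hardened_db():
    """Same accounts, but only salted hashes reach the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(user, hash_password(pw)) for user, pw in SAMPLE_USERS])
    return conn


def login_hardened(conn, username, password):
    """Parameterized query: the username is bound as data and can never
    change the statement's structure. Returns the matched username or None."""
    row = conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


def demo():
    """Runs the classic tautology input against both versions of the login."""
    tautology = "' OR '1'='1"
    vuln = setup_vulnerable_db()
    hard = setup_hardened_db()
    return {
        "vulnerable_bypassed": login_vulnerable(vuln, "mbrown", tautology),
        "hardened_bypassed": login_hardened(hard, "mbrown", tautology),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the tautology input turns the WHERE clause into a condition that is always true, so the first account is returned without a valid password; with the bound parameter the same input is just a string that matches nothing. The hash layout (iteration count, salt and digest in one field) means a leaked table yields no usable passwords, which is the remediation the report asks for.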
Issue with the Windows Operating System
While logging into the Windows machine, we found out that it is not running a genuine copy of the Operating System.
This means that the machine will not receive any official updates, security patches or service packs, making it vulnerable to a wide variety of attacks. Moreover, using a counterfeit copy of a commercially licensed operating system is not an acceptable act in many parts of the world.
HTTP TRACE Request on CentOS Web Server
Since attackers use the TRACE request method in HTTP requests to enumerate websites, it should not be allowed. That is not the case with the web service running on CentOS, which accepts the TRACE HTTP request method. Using the Mozilla Firefox browser, we first modified our HTTP request to the web service and replaced the GET request type with TRACE in order to see the website's response, as shown in the figure below.
We noticed that the website gave a response to our TRACE request, which was displayed in ASCII, as shown below.
When we converted this ASCII back into readable form, we got the actual response the website generated as a result of our TRACE request. Ideally, the website should block TRACE, but it does not, and that is a vulnerability which would help any attacker fingerprint and/or enumerate the website.
HTTP TRACK Request on CentOS Web Server
Similarly, the website also responds to the TRACK HTTP request method, which attackers use to debug web server connections. Ideally, it should be blocked, but the web application does not block it and instead responds to such requests. The image below shows the HTTP 200 OK response to the TRACK request. We again used the Mozilla Firefox browser to replace the GET HTTP request type with TRACK.
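A defender checking for the TRACE and TRACK findings above would want to know whether the server is actually honouring these methods, and the access log records that directly. The Python example below is added here and is not part of the original report; it assumes an Apache-style combined access log (the CentOS server's web server software is not named in the report), runs over a few constructed log lines, and flags diagnostic methods that were answered with a 2xx status rather than refused.

```python
import re

# Apache "combined" log format. The lines in SAMPLE_LOG are constructed for
# this example; only the network addresses follow the report's lab setup.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Diagnostic methods a production server should refuse (405 or 501).
DIAGNOSTIC_METHODS = {"TRACE", "TRACK"}

SAMPLE_LOG = """\
192.168.10.1 - - [10/Mar/2018:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.10.1 - - [10/Mar/2018:10:01:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.10.1 - - [10/Mar/2018:10:02:05 +0000] "TRACE / HTTP/1.1" 200 356 "-" "Mozilla/5.0"
192.168.10.1 - - [10/Mar/2018:10:02:30 +0000] "TRACK / HTTP/1.1" 200 351 "-" "Mozilla/5.0"
192.168.10.99 - - [10/Mar/2018:10:03:00 +0000] "TRACE / HTTP/1.1" 405 226 "-" "curl/7.58.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it
    does not match (malformed lines are skipped, never raised on)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def find_diagnostic_requests(log_text):
    """List every TRACE/TRACK request. 'served' is True when the server
    answered 2xx, i.e. the method is enabled rather than refused."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] in DIAGNOSTIC_METHODS:
            entry["served"] = 200 <= entry["status"] < 300
            hits.append(entry)
    return hits


def summarize(log_text):
    """Counts a defender would put on a dashboard or alert on."""
    hits = find_diagnostic_requests(log_text)
    return {
        "diagnostic_requests": len(hits),
        "served": sum(1 for h in hits if h["served"]),
        "refused": sum(1 for h in hits if not h["served"]),
        "clients": sorted({h["client"] for h in hits}),
    }


if __name__ == "__main__":
    for hit in find_diagnostic_requests(SAMPLE_LOG):
        state = "served" if hit["served"] else "refused"
        print(hit["client"], hit["method"], hit["status"], state)
    print(summarize(SAMPLE_LOG))
```

A served count above zero is the configuration finding; on Apache httpd the remediation is the TraceEnable off directive in the main server configuration, after which the same TRACE request is answered with 405 Method Not Allowed, as the last constructed line shows. The refused count is still worth alerting on, since a burst of refused TRACE or TRACK requests from one client is the enumeration activity the report describes.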
Anonymous READ/WRITE in CentOS (SMB Vulnerability)
The SMB (Server Message Block) service on the CentOS server requires no authentication, and anyone, even anonymous users, can get read and/or write access on the remote machine, as shown in the image below. The administrator has not set any security whatsoever in this regard. This vulnerability can lead to man-in-the-middle attacks on the CentOS machine.
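On a CentOS host the SMB service is normally Samba, whose behaviour for unauthenticated clients is decided by a handful of smb.conf settings. The Python audit below is an added example, not a tool from the report; it assumes Samba's smb.conf format and parses two constructed configurations, one reproducing the weak state described above (guest mapping on, a guest-writable share) and one hardened, returning a finding for every setting that hands anonymous users a session or a share.

```python
import configparser

# Constructed smb.conf fragments for this example; they are not copied from
# the report's server. Weak: failed logins become guest sessions and a share
# is readable and writable by guests.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User

[share]
   path = /srv/share
   guest ok = yes
   writable = yes
   browseable = yes
"""

# Hardened: no guest mapping, anonymous enumeration restricted, and the
# share limited to an authenticated group.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   restrict anonymous = 2

[share]
   path = /srv/share
   guest ok = no
   writable = yes
   valid users = @staff
"""


def load_smb_conf(text):
    """Parse smb.conf with configparser. Samba files indent their keys, but
    configparser treats indented lines as value continuations, so the
    indentation is stripped first. strict=False tolerates repeated keys,
    which Samba accepts (last one wins)."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(flat)
    return parser


def _is_yes(value):
    return value.strip().lower() in {"yes", "true", "1"}


def audit_smb_conf(text):
    """Return (section, finding, evidence) tuples for settings that give
    anonymous users a session or access to a share."""
    cfg = load_smb_conf(text)
    findings = []
    glob = cfg["global"] if cfg.has_section("global") else {}
    map_to_guest = glob.get("map to guest", "never").strip().lower()
    if map_to_guest != "never":
        findings.append(("global", "anonymous-login", f"map to guest = {map_to_guest}"))
    for name in cfg.sections():
        if name == "global":
            continue
        share = cfg[name]
        # 'public' is Samba's synonym for 'guest ok'.
        guest = _is_yes(share.get("guest ok", "no")) or _is_yes(share.get("public", "no"))
        if not guest:
            continue
        writable = (_is_yes(share.get("writable", "no"))
                    or _is_yes(share.get("writeable", "no"))
                    or share.get("read only", "yes").strip().lower() == "no")
        level = "anonymous-write" if writable else "anonymous-read"
        findings.append((name, level, "guest ok = yes"))
    return findings


if __name__ == "__main__":
    for conf_name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(conf_name, audit_smb_conf(conf))
```

Run against the live file the audit should be fed the output of testparm, Samba's own utility for dumping the effective configuration, since include directives and per-share defaults can hide a guest setting from a plain read of /etc/samba/smb.conf. An empty finding list for the hardened fragment is the state the report's remediation section asks for: anonymous clients get neither a session nor a share.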
SMB Vulnerability in Windows Desktop Machine
Like the CentOS machine, the Windows machine was also vulnerable in its SMB service. The Windows machine is at IP address 192.168.10.20, and after scanning it was found that the machine also has a remote code execution vulnerability in the SMB service, as it is running an older version of SMB which has not been updated or patched and is hence vulnerable.
EternalBlue Vulnerability in Windows Desktop
Due to the SMB vulnerability, the Windows system was exploited using the EternalBlue exploit. The Metasploit Framework was used on a Kali Linux machine for exploitation, as shown in the figures below. Metasploit is a framework built into the Kali Linux operating system which contains the payloads and exploit code that are known and published. It can be used for learning and educational purposes. In the image below, we have set the target IP to that of the Windows machine (192.168.10.25) and the remote port to 445, on which the vulnerable SMB service is listening. This builds a persistent connection and presence on the victim system because the vulnerable version of SMB installed there cannot detect the payload.
A Meterpreter session opened, which shows that the exploit executed successfully on the remote Windows machine without being detected, as shown below. Now that the session has been established, the remote system can be probed or fingerprinted in whatever way by issuing commands from the Meterpreter terminal in Kali Linux.
Moreover, the following security policies need to be implemented on both systems.
Password Security and Management Policy, to ensure that passwords meet the minimum complexity criteria, are properly managed and secured, and are not stored anywhere in plaintext.
Security Patching and Update Policy, to ensure that the operating system and other applications running on the system are updated and patched against known security vulnerabilities. This would remove the possibility of attacks with known CVE numbers being launched against vulnerable applications and services.
Web Security Policy, to ensure that the web applications running on the system are secure, sanitize and validate incoming requests, and do not expose the back-end database and host system to malicious attackers who try to compromise the website through crafted HTTP requests and injections.
Software Procurement and Licensing Policy, to ensure that the system is not running a counterfeit operating system but a genuine, licensed version of Windows.
Access Control and Authentication Policy, to ensure that anonymous and unprivileged users do not obtain admin or root privileges on the system, and that access levels are properly defined and thoroughly enforced.