
CIT 480 Network Security Assessment

By: Greg Vestring, 4/28/2016

Summary

The findings from this security assessment reveal important information regarding the security and vulnerability of each of the target systems. The server with the IP address 10.2.243.52 reported the fewest total vulnerabilities, followed by 10.2.243.51 and then 10.2.243.53.

The .51 server is running a Linux 2.6.32 - 2.6.39 kernel. It has several services running, including echo, discard, daytime, chargen, ftp, ssh, time, http, netbios-ssn, netbios-ns, and mdns. The purpose of this server appears to be a web server, since it is running Apache with Simple PHP Blog installed. Compared with the other two servers, it is in the middle both in susceptibility to attack and in the number of reported and validated vulnerabilities. The Nessus scan reported only 5 items of medium or higher severity on this server, including 1 critical item.

The .52 server is running Microsoft Windows Server 2003 as its operating system. It has the following services running: http, msrpc, netbios-ssn, tcpwrapped, dhcps, dhcpc, ntp, netbios-ns, netbios-dgm, isakmp, and nat-t-ike. The purpose of this server appears to be a web server, since it is running IIS; it may also serve as a DHCP server, since that service is running. This server appears to be the least susceptible to attack because it has both the fewest reported vulnerabilities and the fewest validated vulnerabilities. The Nessus scan reported only 5 items of medium or higher severity on this server, including 3 critical items.

The .53 server was fingerprinted as both Microsoft Windows XP and Microsoft Windows Server 2003. It has the following services running: ftp, smtp, http, msrpc, netbios-ssn, ris, ssl/http, microsoft-ds, mysql, ntp, netbios-ns, netbios-dgm, snmp, isakmp, blackjack, ms-sql, upnp, and nat-t-ike. This server appears to be the most susceptible to attack, because it has both the most reported vulnerabilities and the most validated vulnerabilities. The Nessus scan reported 79 items of medium or higher severity on this server, including 10 critical items.

IP Address  | MAC Address                | Operating System                                                 | Total Vulnerabilities                                              | Scanned Vulnerabilities
------------|----------------------------|------------------------------------------------------------------|--------------------------------------------------------------------|------------------------
10.2.243.51 | 00:50:56:B1:7B:AA (VMware) | Linux 2.6.32 - 2.6.39 (vulnerability scan reveals Ubuntu 11.04) | Linux 2.6.32 - 2.6.39: 10; Ubuntu 11.04: 3                         | 5
10.2.243.52 | 00:50:56:B1:5C:EA (VMware) | Microsoft Windows 2003                                           | 18                                                                 | 5
10.2.243.53 | 00:50:56:b1:1a:33 (VMware) | Microsoft Windows XP / 2003                                      | Microsoft Windows XP SP2: 6; Microsoft Windows Server 2003: 18     | 79

Procedure

The procedure used in the security assessment consisted of network scanning and enumeration, vulnerability research, and vulnerability scanning. First, each server was scanned with nmap using the following command: nmap -A -sS -sU -PN -p 1-65535 -oN [file name] [IP Address]. The scan verified that the system was available and also reported the operating system and the names and versions of the services running on it. All TCP and UDP ports were scanned, and the results were written to a file.

Second, research was conducted using the CVE Details website. Every operating system and service reported by nmap was analyzed to find vulnerabilities. Vulnerabilities with CVSS scores below 7 were ignored.

Third, Nessus was used to scan each system with an advanced network scan. Each target was verified to be up with a ping before the scan was started.

Next, DirBuster was used to identify the URLs on each server and to allow for further exploration. DirBuster was run against the following addresses: http://10.2.243.51:80, http://10.2.243.52:80, http://10.2.243.52:9223, https://10.2.243.52:9223, http://10.2.243.53:80, http://10.2.243.53:443, and https://10.2.243.53:443. This step revealed additional software and services that were not found by the earlier methods. That software and those services were researched further and their vulnerabilities identified.

Lastly, vulnerabilities were validated. The top 15 critical- and high-level vulnerabilities reported by Nessus were validated, as were all vulnerabilities found in the second step of the procedure (research using CVE Details). For every vulnerability that did not have a Metasploit exploit, http://www.exploit-db.com was searched. If no exploit was found on http://www.exploit-db.com, the vulnerability was researched further on the CVE Details website, and if it was verified there it was considered validated.
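The procedure above builds the port/service/version inventory and the CVSS-filtered CVE shortlist by hand. The following Python script, added here as an example and not part of the original assessment, automates those two steps: it parses a constructed nmap -oN file modelled on the .51 findings, flags the legacy inetd small services and any port nmap could not name, and joins the fingerprinted versions against a CVE list using the report's "ignore CVSS below 7" cutoff. The scan text, the CVE ids (CVE-0000-000x) and their CVSS values are all constructed placeholders, not values from the report or from CVE Details.

```python
"""Post-process an nmap -oN (normal output) file into a service inventory
and a CVSS-filtered CVE shortlist. Added example; all sample data below is
constructed and labelled as such."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in nmap normal-output format, modelled on the .51
# findings in the report. Not the assessment's actual scan file.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -A -sS -sU -PN -p 1-65535 -oN scan51.txt 10.2.243.51
Nmap scan report for 10.2.243.51
Host is up (0.00045s latency).
PORT      STATE         SERVICE     VERSION
7/tcp     open          echo
9/tcp     open          discard?
19/tcp    open          chargen
21/tcp    open          ftp         vsftpd 2.3.2
22/tcp    open          ssh         OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp    open          http        Apache httpd 2.2.17 ((Ubuntu))
139/tcp   open          netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
137/udp   open          netbios-ns  Samba nmbd (workgroup: WORKGROUP)
50866/udp open|filtered unknown
MAC Address: 00:50:56:B1:7B:AA (VMware)
"""

# Constructed CVE records. The ids and CVSS values are placeholders because
# the report lists real CVE ids but gives no CVSS scores for them.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "product": "Apache httpd 2.2.17", "cvss": 7.5},
    {"id": "CVE-0000-0002", "product": "Apache httpd 2.2.17", "cvss": 4.3},
    {"id": "CVE-0000-0003", "product": "vsftpd 2.3.2", "cvss": 9.3},
    {"id": "CVE-0000-0004", "product": "Samba smbd 3.X", "cvss": 6.8},
]

# Legacy inetd/xinetd "small services"; the report found them open on .51
# and a web server has no need for any of them.
LEGACY_SMALL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}

# One port line: "7/tcp  open  echo" or "80/tcp  open  http  Apache httpd ..."
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap could not fingerprint the service


def parse_nmap_normal(text: str) -> list[OpenPort]:
    """Extract the PORT/STATE/SERVICE/VERSION rows from -oN output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.rstrip())
        if not m:
            continue  # banner, column header, MAC line, OS guesses, etc.
        port, proto, state, service, version = m.groups()
        # nmap marks an unconfirmed service guess with a trailing "?"
        ports.append(OpenPort(int(port), proto, state, service.rstrip("?"),
                              (version or "").strip()))
    return ports


def legacy_services(ports: list[OpenPort]) -> list[str]:
    """Names of legacy small services that are open and should be disabled."""
    return sorted({p.service for p in ports if p.service in LEGACY_SMALL_SERVICES})


def unidentified_ports(ports: list[OpenPort]) -> list[str]:
    """Ports nmap could not name (like the report's 50866/udp) for manual follow-up."""
    return [f"{p.port}/{p.proto}" for p in ports if p.service == "unknown"]


def high_severity_matches(ports: list[OpenPort], cves: list[dict],
                          threshold: float = 7.0) -> dict[str, list[str]]:
    """Join CVE records to fingerprinted versions, keeping CVSS >= threshold
    (the report discarded everything scoring below 7)."""
    matches: dict[str, list[str]] = {}
    for p in ports:
        if not p.version:
            continue  # nothing to match a product string against
        hits = [c["id"] for c in cves
                if p.version.startswith(c["product"]) and c["cvss"] >= threshold]
        if hits:
            matches[f"{p.port}/{p.proto}"] = hits
    return matches


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for p in inventory:
        print(f"{p.port}/{p.proto:<4} {p.state:<14} {p.service:<12} {p.version}")
    print("legacy small services:", legacy_services(inventory))
    print("unidentified:", unidentified_ports(inventory))
    print("CVSS >= 7 candidates:", high_severity_matches(inventory, SAMPLE_CVES))
```

The product match is a deliberately simple prefix comparison on the nmap version string; a real pipeline would map the banner to a CPE before querying a CVE feed. Ports without a version string are skipped rather than matched, which is why the legacy small services and the unknown 50866/udp port are reported separately for manual research instead of silently producing no CVE hits.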

Assessment of System at IP 10.2.243.51

This server reported only 1 critical-severity alert from the Nessus scan. It also reported the fewest operating system vulnerabilities (Ubuntu Linux 11.04). The server has 19 open ports and runs one web server (Apache) on port 80. The nmap scan revealed an unknown service on UDP port 50866. The server has 38 total vulnerabilities, of which 33 were validated. The server also allows anonymous FTP access, which can create security issues such as reading and writing confidential information, depending on the level of access granted in the directories. In addition, the version of Samba on the server has many security holes, as documented below. Lastly, the installed version of Ubuntu Linux (11.04) is no longer supported, which leaves the system exposed to current and future security problems.

Port      | Service     | Version                                                   | Reported Vulnerabilities                                                   | Validated Vulnerabilities (same order)
----------|-------------|-----------------------------------------------------------|----------------------------------------------------------------------------|---------------------------------------
7/tcp     | echo        |                                                           |                                                                            |
9/tcp     | discard?    |                                                           |                                                                            |
13/tcp    | daytime     |                                                           |                                                                            |
19/tcp    | chargen     | xinetd chargen                                            | CVE-2013-4342, CVE-2001-0825, CVE-2000-0536                                | yes, yes, yes
21/tcp    | ftp         | vsftpd 2.3.2                                              |                                                                            |
22/tcp    | ssh         | OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0) |                                                                            |
37/tcp    | time        |                                                           |                                                                            |
80/tcp    | http        | Apache httpd 2.2.17 ((Ubuntu))                            | CVE-2013-2249, CVE-2006-1243, CVE-2005-2733                                | yes, yes, no
139/tcp   | netbios-ssn | Samba smbd 3.X (workgroup: WORKGROUP)                     | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446  | yes, yes, no, no, yes
445/tcp   | netbios-ssn | Samba smbd 3.X (workgroup: WORKGROUP)                     | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446  | yes, yes, no, no, no
7/udp     | echo        |                                                           |                                                                            |
9/udp     | discard     |                                                           |                                                                            |
13/udp    | daytime     |                                                           |                                                                            |
19/udp    | chargen     |                                                           |                                                                            |
37/udp    | time        |                                                           |                                                                            |
137/udp   | netbios-ns  | Samba nmbd (workgroup: WORKGROUP)                         | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446  | yes, yes, no, no, no
138/udp   | netbios-dgm |                                                           |                                                                            |
5353/udp  | mdns        |                                                           |                                                                            |
50866/udp | unknown     |                                                           |                                                                            |

xinetd chargen

CVE-2013-4342

Validated

Description:

The services run as root because xinetd does not enforce the user and group configuration for TCPMUX services. This makes it easier for remote attackers to gain privileges by leveraging another vulnerability in a service.

Validation

Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2013-4342/

CVE-2001-0825

Validated

Description:

Remote attackers are able to execute arbitrary commands via a length argument of zero or less, which disables the length check.

Validation

Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2001-0825/

CVE-2000-0536

Validated

Description:

Connections are not properly restricted if hostnames are used for access control and the connecting host does not have a reverse DNS entry.

Validation

Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2000-0536/

Apache httpd 2.2.17 ((Ubuntu))

CVE-2013-2249

Validated

Description:

Save operations for a session proceed without considering the dirty flag and the requirement for a new session ID. This has an unspecified impact and remote attack vectors.

Validation

Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2013-2249/

Simple PHP Blog 0.4.0

CVE-2006-1243

Validated

Description:

A directory traversal vulnerability that allows remote attackers to include and execute arbitrary local files via directory traversal sequences.

Validation

Verified that vulnerability affects this version at https://www.exploit-db.com/exploits/1581/ and https://www.cvedetails.com/cve/CVE-2006-1243/

CVE-2005-2733

Not Validated

Description:

Allows remote attackers to execute arbitrary code because file extensions are not properly restricted.

Validation

Samba smbd 3.X (version determined to be 3.5.8)

CVE-2015-0240

Validated

Description:

Allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API. The flaw performs a free operation on an uninitialized stack pointer.

Validation

CVE-2013-4408

Valid