CIT 480 Network Security Assessment
By: Greg Vestring, 4/28/2016
Summary
The findings from this security assessment provide important information about the security posture and vulnerabilities of each target system. The server at 10.2.243.52 reported the fewest total vulnerabilities, followed by 10.2.243.51 and 10.2.243.53.
The .51 server is running a Linux 2.6.32 - 2.6.39 kernel. It has several services running, including echo, discard, daytime, chargen, ftp, ssh, time, http, netbios-ssn, netbios-ns, and mdns. Its purpose appears to be a web server, since it is running Apache with Simple PHP Blog installed. Compared with the other two servers, it is in the middle in terms of susceptibility to attack, with the middle count of both reported and validated vulnerabilities. The Nessus scan reported only 5 items of medium or higher severity on this server, including 1 critical item.
The .52 server is running Microsoft Windows Server 2003. It has the following services running: http, msrpc, netbios-ssn, tcpwrapped, dhcps, dhcpc, ntp, netbios-ns, netbios-dgm, isakmp, and nat-t-ike. Its purpose appears to be a web server, since it is running IIS; it may also act as a DHCP server, since that service is running. This server appears to be the least susceptible to attack, since it has both the fewest reported vulnerabilities and the fewest validated vulnerabilities. The Nessus scan reported only 5 items of medium or higher severity on this server, including 3 critical items.
The .53 server is running both Microsoft Windows XP and Microsoft Windows Server 2003. It has the following services running: ftp, smtp, http, msrpc, netbios-ssn, ris, ssl/http, microsoft-ds, mysql, ntp, netbios-ns, netbios-dgm, snmp, isakmp, blackjack, ms-sql, upnp, and nat-t-ike. This server appears to be the most susceptible to attack, since it has both the most reported vulnerabilities and the most validated vulnerabilities. The Nessus scan reported 79 items of medium or higher severity on this server, including 10 critical items.
| IP Address | MAC Address | Operating System | Total Vulnerabilities | Scanned Vulnerabilities |
|---|---|---|---|---|
| 10.2.243.51 | 00:50:56:B1:7B:AA (VMware) | Linux 2.6.32 - 2.6.39 (vulnerability scan reveals Ubuntu 11.04) | Linux 2.6.32 - 2.6.39: 10; Ubuntu 11.04: 3 | 5 |
| 10.2.243.52 | 00:50:56:B1:5C:EA (VMware) | Microsoft Windows 2003 | 18 | 5 |
| 10.2.243.53 | 00:50:56:b1:1a:33 (VMware) | Microsoft Windows XP / 2003 | Microsoft Windows XP SP2: 6; Microsoft Windows Server 2003: 18 | 79 |
Procedure
The procedure used in the security assessment consisted of network scanning and enumeration, vulnerability research, and vulnerability scanning. First, each server was scanned using nmap with the following command: nmap -A -sS -sU -PN -p 1-65535 -oN [file name] [IP Address]. The scan verified that the system was up and reported the operating system and the names and versions of the services running on it. All TCP and UDP ports were scanned, and the results were written to a file.
Second, research was conducted using the CVE Details website. All operating systems and services reported by nmap were analyzed to find vulnerabilities. Vulnerabilities with CVSS scores below 7 were ignored.
Third, Nessus was used to scan each system utilizing an advanced network scan. Each target was verified to be operating before the scan was started by utilizing a ping.
Next, DirBuster was used to identify the URLs on each server and to allow for further exploration. DirBuster was run against the following addresses: http://10.2.243.51:80, http://10.2.243.52:80, http://10.2.243.52:9223, https://10.2.243.52:9223, http://10.2.243.53:80, http://10.2.243.53:443, https://10.2.243.53:443. This process revealed additional software and services that were not found by the first few methods. This software and these services were researched further and their vulnerabilities were identified.
Lastly, vulnerabilities were validated. The top 15 critical- and high-level vulnerabilities reported by Nessus were validated, as well as all vulnerabilities found in the second part of the procedure (research using CVE Details). All vulnerabilities that did not have a Metasploit exploit were searched for at http://www.exploit-db.com. If an exploit was not found at http://www.exploit-db.com, the vulnerability was researched further on the CVE Details website. If the vulnerability was verified using that database, it was considered validated.
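To show how the nmap step feeds the port/service/version tables that follow, here is an added Python example (not part of the original report) that parses nmap's normal output format (-oN, the format the command above writes) into per-host inventory rows and flags the exposures the assessment later calls out: the legacy xinetd "small services", anonymous FTP, and unidentified listeners. The scan text inside it is a constructed fragment modelled on the .51 host, not the real scan file.

```python
"""Parse nmap normal output (-oN) into a per-host port / service / version
inventory and flag the exposures the assessment calls out.

Added example, not part of the original report. SAMPLE_SCAN is a constructed
fragment in -oN format resembling the .51 host; it is not the real scan file.
"""
import re
from dataclasses import dataclass, field

# Classic "small services" exposed on .51; they serve no business purpose on a
# modern host and chargen in particular is abusable for traffic amplification.
LEGACY_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}

# One -oN port line: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

SAMPLE_SCAN = """\
# Nmap 7.01 scan initiated (constructed sample, not the real scan file)
Nmap scan report for 10.2.243.51
Host is up (0.00050s latency).
Not shown: 131061 closed ports
PORT      STATE         SERVICE     VERSION
7/tcp     open          echo
9/tcp     open          discard?
19/tcp    open          chargen
21/tcp    open          ftp         vsftpd 2.3.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open          ssh         OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp    open          http        Apache httpd 2.2.17 ((Ubuntu))
139/tcp   open          netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
19/udp    open|filtered chargen
50866/udp open          unknown
MAC Address: 00:50:56:B1:7B:AA (VMware)
"""


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str          # "open", "open|filtered", ...
    service: str
    version: str = ""
    guessed: bool = False   # nmap appends "?" when the service is a guess
    scripts: list = field(default_factory=list)  # NSE output under the port


@dataclass
class HostReport:
    address: str
    mac: str = ""
    ports: list = field(default_factory=list)


def parse_nmap_normal(text):
    """Return a list of HostReport objects parsed from -oN text."""
    hosts = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            current = HostReport(address=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"^MAC Address: (\S+)(?: \((.*)\))?", line)
        if m:
            current.mac = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            service = m.group("service")
            current.ports.append(PortEntry(
                port=int(m.group("port")), proto=m.group("proto"),
                state=m.group("state"), service=service.rstrip("?"),
                version=(m.group("version") or "").strip(),
                guessed=service.endswith("?")))
            continue
        # NSE script lines ("| ..." / "|_...") belong to the preceding port.
        if line.startswith("|") and current.ports:
            current.ports[-1].scripts.append(line.lstrip("|_ ").strip())
    return hosts


def inventory_rows(host):
    """(port, service, version) rows in the form the report tabulates."""
    return [(f"{p.port}/{p.proto}", p.service + ("?" if p.guessed else ""),
             p.version) for p in host.ports]


def findings(host):
    """Exposure notes for one host, mirroring the points raised in the text."""
    notes = []
    for p in host.ports:
        if not p.state.startswith("open"):   # also covers "open|filtered"
            continue
        if p.service in LEGACY_SERVICES:
            notes.append(f"{p.port}/{p.proto}: legacy service {p.service} "
                         "should be disabled in xinetd")
        elif p.service == "ftp" and any("Anonymous FTP login allowed" in s
                                        for s in p.scripts):
            notes.append(f"{p.port}/{p.proto}: anonymous FTP login allowed")
        elif p.service == "unknown":
            notes.append(f"{p.port}/{p.proto}: unidentified service; "
                         "identify the listening process on the host")
    return notes


if __name__ == "__main__":
    for host in parse_nmap_normal(SAMPLE_SCAN):
        print(host.address, host.mac)
        for row in inventory_rows(host):
            print("  %-10s %-12s %s" % row)
        for note in findings(host):
            print("  !", note)
```

The parser keys on the port line regex and treats any following lines that start with "|" as NSE output for that port, which is how -oN lays out script results such as ftp-anon; the "open|filtered" state that UDP probes commonly return is kept as-is so it still counts as a listener.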
Assessment of System at IP 10.2.243.51
This server reported only 1 critical alert from the Nessus scan. It also reported the fewest operating system vulnerabilities (Ubuntu Linux 11.04). The server has 19 open ports and runs one web server (Apache) on port 80. The nmap scan revealed an unknown service on UDP port 50866. The server has 38 total vulnerabilities, of which 33 were validated. The server also allows anonymous FTP access, which can lead to confidential information being read or written, depending on the directory permissions. In addition, the version of Samba on the server has many security holes, as documented below. Lastly, Ubuntu 11.04 is no longer supported, which leaves the system exposed to current and future security problems.
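The anonymous FTP finding above is a configuration matter on the server side. As an added illustration (not from the report), the Python below parses a vsftpd.conf and contrasts a permissive configuration with a hardened one; both configuration texts are constructed, the directive names are real vsftpd options, and the rule set and the assumed upstream default for anonymous_enable are this example's own.

```python
"""Audit a vsftpd.conf for the anonymous-access exposure noted on the .51
host, contrasting a weak and a hardened configuration.

Added example, not from the report. Both configuration texts are constructed;
the directive names are real vsftpd.conf options, but the rule set and the
assumed defaults are this example's own.
"""

WEAK_CONF = """\
# constructed: permissive configuration
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
write_enable=YES
local_enable=YES
"""

HARDENED_CONF = """\
# constructed: anonymous access off, local users jailed, no writes
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(conf):
    """Return a list of findings; an empty list means no rule fired."""
    issues = []
    # Assumed default: upstream vsftpd enables anonymous logins when the
    # directive is absent, so absence is treated as enabled here.
    anon = is_yes(conf, "anonymous_enable", default="YES")
    write = is_yes(conf, "write_enable")   # any write also needs write_enable
    if anon:
        issues.append("anonymous_enable=YES: unauthenticated logins allowed; "
                      "set anonymous_enable=NO unless the share is meant to be public")
        if write and is_yes(conf, "anon_upload_enable"):
            issues.append("anon_upload_enable=YES: anonymous users can upload files")
        if write and is_yes(conf, "anon_mkdir_write_enable"):
            issues.append("anon_mkdir_write_enable=YES: anonymous users can create directories")
    if is_yes(conf, "local_enable") and not is_yes(conf, "chroot_local_user"):
        issues.append("local_enable=YES without chroot_local_user=YES: "
                      "local users can browse outside their home directories")
    return issues


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(parse_vsftpd_conf(text)) or "no findings")
```

Run it against the actual /etc/vsftpd.conf by reading the file into parse_vsftpd_conf; the anonymous_enable default is the one rule that fires on an empty file, which is deliberate, since a missing directive is exactly the case an administrator is most likely to overlook.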
| Port | Service | Version | Reported Vulnerabilities | Validated Vulnerabilities |
|---|---|---|---|---|
| 7/tcp | echo | | | |
| 9/tcp | discard? | | | |
| 13/tcp | daytime | | | |
| 19/tcp | chargen | xinetd chargen | CVE-2013-4342, CVE-2001-0825, CVE-2000-0536 | yes, yes, yes |
| 21/tcp | ftp | vsftpd 2.3.2 | | |
| 22/tcp | ssh | OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0) | | |
| 37/tcp | time | | | |
| 80/tcp | http | Apache httpd 2.2.17 ((Ubuntu)) | CVE-2013-2249, CVE-2006-1243, CVE-2005-2733 | yes, yes, no |
| 139/tcp | netbios-ssn | Samba smbd 3.X (workgroup: WORKGROUP) | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446 | yes, yes, no, no, yes |
| 445/tcp | netbios-ssn | Samba smbd 3.X (workgroup: WORKGROUP) | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446 | yes, yes, no, no, no |
| 7/udp | echo | | | |
| 9/udp | discard | | | |
| 13/udp | daytime | | | |
| 19/udp | chargen | | | |
| 37/udp | time | | | |
| 137/udp | netbios-ns | Samba nmbd (workgroup: WORKGROUP) | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446 | yes, yes, no, no, no |
| 138/udp | netbios-dgm | | | |
| 5353/udp | mdns | | | |
| 50866/udp | unknown | | | |
xinetd chargen

CVE-2013-4342 (Validated)
Description: The services run as root because xinetd does not enforce the user and group configuration for TCPMUX services. This makes it easier for remote attackers to gain privileges by leveraging another vulnerability in a service.
Validation: Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2013-4342/

CVE-2001-0825 (Validated)
Description: Remote attackers are able to execute arbitrary commands via a length argument of zero or less, which disables the length check.
Validation: Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2001-0825/

CVE-2000-0536 (Validated)
Description: Connections are not properly restricted if hostnames are used for access control and the connecting host does not have a reverse DNS entry.
Validation: Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2000-0536/

Apache httpd 2.2.17 ((Ubuntu))

CVE-2013-2249 (Validated)
Description: Save operations for a session proceed without considering the dirty flag and the requirement for a new session ID. This has an unspecified impact and remote attack vectors.
Validation: Verified in CVE Details at https://www.cvedetails.com/cve/CVE-2013-2249/

Simple PHP Blog 0.4.0

CVE-2006-1243 (Validated)
Description: A directory traversal vulnerability that allows remote attackers to include and execute arbitrary local files via directory traversal sequences.
Validation: Verified that the vulnerability affects this version at https://www.exploit-db.com/exploits/1581/ and https://www.cvedetails.com/cve/CVE-2006-1243/
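The traversal class described for CVE-2006-1243 (and the missing extension restriction in the next entry) is fixed on the application side by resolving every user-supplied file name inside a fixed content root and checking the result. As an added example, not the blog's own PHP code, the Python below does that check; the content root and file names are constructed with tempfile, and the allowed-extension list is an assumption for the example.

```python
"""Resolve a user-supplied file name strictly inside a content root: the
mitigation for the directory traversal / local file inclusion class described
for Simple PHP Blog, with an extension allow-list.

Added example in Python, not the blog's PHP code; the content root and the
files in it are constructed with tempfile.
"""
import os
import tempfile


def resolve_under_root(root, requested, allowed_suffixes=(".txt",)):
    """Return the real path of `requested` if it names a regular file inside
    `root` with an allowed extension; otherwise return None."""
    # NUL bytes truncated paths in older PHP include() calls; reject outright.
    if "\x00" in requested:
        return None
    root_real = os.path.realpath(root)
    # Join, then canonicalise: realpath collapses ".." and resolves symlinks,
    # so a symlink pointing outside the root is caught too. An absolute
    # `requested` makes join() discard the root; the commonpath test below
    # then rejects it.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:          # different drives on Windows
        return None
    if not candidate.endswith(allowed_suffixes):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_sample_root():
    """Constructed content root: <tmp>/posts/hello.txt plus a symlink
    (posts/link.txt) that points to a file outside the root."""
    root = tempfile.mkdtemp(prefix="spb_root_")
    os.makedirs(os.path.join(root, "posts"))
    with open(os.path.join(root, "posts", "hello.txt"), "w") as f:
        f.write("first post\n")
    outside = tempfile.mkdtemp(prefix="spb_outside_")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("not for the web\n")
    try:
        os.symlink(os.path.join(outside, "secret.txt"),
                   os.path.join(root, "posts", "link.txt"))
    except OSError:
        pass   # symlinks unavailable on this platform; the link case is skipped
    return root


if __name__ == "__main__":
    root = make_sample_root()
    for name in ("posts/hello.txt", "../../etc/passwd", "/etc/passwd",
                 "posts/link.txt", "posts/hello.txt\x00.php"):
        print(repr(name), "->", resolve_under_root(root, name))
```

The order of the checks matters: canonicalise first, then compare against the canonical root, then apply the extension allow-list to the canonical name rather than to the raw input, so that neither "..", an absolute path, a symlink, nor an embedded NUL can turn a permitted name into a file outside the root.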
CVE-2005-2733 (Not Validated)
Description: Allows remote attackers to execute arbitrary code because file extensions are not properly restricted.
Validation:

Samba smbd 3.X (version determined to be 3.5.8)

CVE-2015-0240 (Validated)
Description: Allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API; the flaw performs a free operation on an uninitialized stack pointer.
Validation:

CVE-2013-4408
Valid