Penetration Test Case Study Example

The client requested that 7Safe conduct a penetration test including exploitation (where possible) of discovered vulnerabilities against some of their public facing IP addresses as well as the internal UK network. In addition, the company requested 7Safe review their wireless network security.

Analysis of the public facing network revealed that the majority of accessible devices were reasonably well configured; however, two of the devices exhibited high-risk vulnerabilities.

One device contained copies of the Windows command interpreter in its /scripts folder. These files acted as a functional back door and could be used to execute a wide range of commands. As a demonstration, 7Safe created a folder called C:\7Safe on the server. The presence of these files may have indicated that the server had been compromised in the past by an attacker or by malicious software (such as a worm). 7Safe recommended that an investigation be conducted into how these files came to exist on the server and advised that a complete rebuild of the server from clean media might be required.
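One way a defender can check for the condition described above, copies of a known system binary sitting in a web-accessible script directory, is to hash every file under the web root and compare against the hashes of the host's own interpreters, flagging any other Windows executable found there as well. The script below is an added example, not 7Safe's tooling or anything from the engagement; the web-root layout, the file names and the "reference" binary are constructed for the demo, and in real use you would pass the actual web root and the SHA-256 of the host's own cmd.exe.

```python
"""Scan a web root for copies of a known binary (such as the system command
interpreter) and for any other Windows executable in the tree.

Added example; the reference hashes and paths are assumptions supplied by the caller.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header that Windows executables carry."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def scan_webroot(root, known_hashes):
    """Walk the web root and return (relative_path, reason) findings.

    known_hashes maps a SHA-256 hex digest to a label, e.g. the digest of the
    host's real cmd.exe -> "cmd.exe". A hash match is the strongest signal; any
    other PE file under the web root is reported as a weaker one for review.
    """
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        if digest in known_hashes:
            findings.append((rel, f"matches known binary {known_hashes[digest]}"))
        elif is_pe_file(path):
            findings.append((rel, "Windows executable in web root"))
    return findings


def demo():
    """Build a constructed web root in a temp directory and scan it.

    The 'interpreter' here is a stand-in byte string, not a real cmd.exe; its
    hash is used as the reference exactly as a real cmd.exe hash would be.
    """
    fake_interpreter = b"MZ" + b"\x90" * 62 + b"constructed stand-in for cmd.exe"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        (root / "scripts" / "cmd1.exe").write_bytes(fake_interpreter)   # copy of the interpreter
        (root / "scripts" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 100)  # some other PE
        (root / "index.html").write_text("<html>ok</html>")              # benign content
        known = {hashlib.sha256(fake_interpreter).hexdigest(): "cmd.exe (reference)"}
        return scan_webroot(root, known)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{rel_path}: {reason}")
```

Hash matching catches renamed copies of the interpreter; the PE-header check catches binaries that are not on the reference list but still have no business in a scripts directory. Both findings are leads for the investigation the report recommends, not proof of compromise on their own.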

During this assignment, it was also found that the customer's web server suffered from a SQL injection flaw. This flaw was caused by poor validation of input accepted by the web server application: the application took the input from the end user and passed it to the backend SQL server without validation. It was possible for an attacker to log in as any user in the database or, worse, to obtain any information contained within the database, including all user transactions, contact details and more. The web application operated with an account that had too many privileges on the SQL server; when this was combined with the SQL injection flaw, it was possible for an attacker to execute arbitrary commands on the server. A complete application test was not performed against this server, as this was out of scope, but it was recommended that a complete review of the application be conducted.
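The root cause described above, user input spliced into the SQL text, is easiest to see beside the fix. The snippet below is an added example written for this page, not code from the customer's application or from 7Safe: it uses an in-memory SQLite database with a constructed single-row users table, and shows a login query built by string concatenation next to the same query using bound parameters, so the same username input is treated as SQL in one and as plain data in the other.

```python
"""Vulnerable login query versus its parameterised form (added example).

The database, table and credentials are constructed for the demo. Passwords are
stored in plaintext only to keep the example short; a real application stores
password hashes, and the database account it uses should have the least
privilege the application needs.
"""
import sqlite3


def build_db():
    """Create a throwaway in-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: input is concatenated into the SQL string.

    Whatever the user types becomes part of the statement, so quote characters
    and comment markers in the input change the query's meaning.
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """The fix: the SQL text is fixed and the values are bound as parameters.

    The driver passes the values to the engine separately from the statement,
    so they can only ever be compared as data, never parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # Legitimate credentials succeed either way.
    print("vulnerable, valid creds:   ", login_vulnerable(db, "alice", "correct horse"))
    print("parameterised, valid creds:", login_parameterised(db, "alice", "correct horse"))
    # A username containing a quote and a comment marker ends the string early in
    # the concatenated version, so the password check is never evaluated.
    crafted = "alice' --"
    print("vulnerable, crafted input:   ", login_vulnerable(db, crafted, "wrong"))
    print("parameterised, crafted input:", login_parameterised(db, crafted, "wrong"))
```

Running it shows the concatenated query accepting the crafted username with a wrong password while the parameterised query rejects it; that is the "log in as any user" outcome in the report, and the fix is the same regardless of which database engine sits behind the application. Parameterisation closes the injection; the report's second point, that the application's database account held far more privilege than it needed, is what turned a data-disclosure flaw into command execution and has to be fixed separately.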

The internal network analysis revealed several vulnerabilities; they were predominantly caused by default, weak or missing passwords and the fact that numerous critical security patches were not installed. These weaknesses made it possible for 7Safe consultants to obtain access to sensitive data and information, including passwords for all services on the network. We recommended that strong passwords be in place for all services and that all devices be properly hardened, regardless of whether they were public facing or not.

Both of the wireless networks found were using WEP encryption. Unfortunately, weaknesses in WEP make it possible for an attacker to recover the key (password). 7Safe demonstrated this and retrieved the key in under an hour. Both wireless networks broadcast their identifier (SSID). 7Safe recommended that all devices utilise WPA encryption (preferably coupled with access control mechanisms such as 802.1X with PEAP) and that the identifier broadcast be disabled.
