Penetration Test Debrief Ted Vera & Mark Trynor November 30, 2010 Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Agenda Pen Test Review Recommendations NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Overview During the test we enumerated 302 hosts running 1174 services on the target netblocks as discovered by nmap. Nessus identified 346 vulnerabilities broken out as follows: 3 High, 6 Medium, and the remainder Low severity. Of these, 0 were successfully compromised and 1 password was obtained (anonymous ftp server). NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 1 Kick-off Meeting Reviewed customer ROE Installed pen test tools on attack VMs Performed automated port and vulnerability scans against target systems NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 2 Started comprehensive Nessus scan against the target IP addresses. Nessus is a vulnerability-scanning program that targets remote access vulnerabilities, misconfigurations, default passwords, and utilizes mangled packets for possible Denial of Service (DoS) attacks. Identified one high-risk vulnerability and relayed information to Phil: Microsoft IIS WebDav ntdll.dll Remote Overflow (MS03-007) NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 3 Performed automated attacks against enumerated hosts/services using Metasploit with over 900 exploit modules. Completed brute-force attacks against open authentication services. Identified one anonymous ftp user account. Completed automated cross-site-scripting attacks against all http servers. NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 3 Brute-force attacks against web login pages are currently underway. Rescanning ports based on Chris's findings.  Scanning is still underway. Performed manual custom XSS attacks against four HTTP servers. Performed automated cross-site scripting attacks using XSSer (Table 6. XSSer Output). Cross Site Scripting (XSS) allows code injection by bypassing web browser client-side security measures. NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 4 Manually verified numerous Nessus false positives. Ran Nikto web application scanner. Nikto is a web application scanner that checks for over 9000 potentially dangerous files/CGIs, version specific problems, and server configuration issues. NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 5 Day 5 of the test focused on manually validating false positives reported by automated tools, running automated attack tools, and performing custom exploit development and attacks. NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Pen Test Review: Day 6-10 Day 6-10 consisted of running intensive nmap port scan of target netblocks. Identified numerous additional ports/services and updated excel spreadsheet with results. Compiled final reports and presentation. NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information

Vulnerabilities: High Priority Severity IP Description High 173.195.33.145 Microsoft IIS WebDAV ntdll.dll Remote Overflow (MS03-007) 173.195.37.2 Web Server Incomplete Basic Authentication DoS 207.38.96.60 Unsupported Unix Operating System Confidential and Proprietary Gamers First Information

Vulnerabilities: Med Priority Severity IP Description Medium 173.195.37.2 Novell GroupWise Enhancement Pack Java Server URL Handling Overflow DoS SWS Web Server Unfinished Line Remote DoS NETGEAR ProSafe VPN Firewall Web Server Malformed Basic Authorization Header Remote DoS Confidential and Proprietary Gamers First Information

Vulnerabilities: Med Priority Severity IP Description Medium 207.38.96.60 HTTP TRACE / TRACK Methods Allowed 207.38.96.57 Web Server Uses Plain Text Authentication PHP Potential Information Disclosure Confidential and Proprietary Gamers First Information

Confidential and Proprietary Gamers First Information Recommendations: Manually Verify Medium & High Severity Vulnerabilities Disable Unnecessary Services Enforce strong user passwords Ensure passwords at least 8 characters in length, use a combination of uppercase and lowercase letters (Aa–Zz), numbers (0–9), and symbols ( @ # $ % ^ & * ( ) _ + | ~ - = { } [ ] : ; < > ? , . /). To prevent injection attacks, do not allow passwords to use symbols \ (back slash) or ' ” (quotes). Patch Management  Install operating system and application patches in a timely manner. NOTE: All trademarks referenced in this presentation are property of their respective owners. Confidential and Proprietary Gamers First Information