SecurScan Internal Penetration Test
Exposure Resolution Checklist
1st Sample Bank
Wed Jul 20 14:19:12 2011
1st Sample Bank
1/17
Exposure Resolution Checklist
The purpose of this document is to provide 1st Sample Bank with a printable document that
can be used to record responses to the exposures discovered in this report.
Each exposure is listed, along with any applicable host IP addresses associated with the
exposure. Areas are provided that enable administrators and IT staff to initial when items are
responded to. There is also a manager signoff for oversight verification.
This document can be useful when demonstrating to internal or 3rd party auditors 1st
Sample Bank's response to the discovered exposures.
MS-SQL-S Default SA Account Password

Severity Level: (Critical)

Vulnerability Description:
Microsoft's SQL Server & Open Sourced SQL Servers provide a client/server based network
database query structure. When SQL is initially loaded on a Microsoft Windows 2000/NT server, it
requires the setup of an SA (System Account). This account often has the rights of the local server
administrator. The SA account at least has complete access rights to all data stored in the SQL
databases. The default SA credentials have SA as the username with a blank password. This
password combination is common knowledge throughout the hacking community. Being able to
authenticate to the SQL server as the SA account provides unrestricted rights to the local SQL
databases, as well as many of the rights needed to control the OS (Operating System) that runs SQL.
Given the common knowledge of the default SA account and the associated rights, this receives a
critical security threat status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.186      ___   ___   ____________
10.0.0.206      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
MS-SQL-S SQLExec Code Exploit

Severity Level: (Critical)

Vulnerability Description:
Microsoft's SQL Server provides a client/server based network database query
structure. When SQL is initially loaded on a Microsoft Windows 2000/NT server,
it requires the setup of an SA (System Account). This account often has the rights
of the local server administrator. The SA account at least has complete access
rights to all data stored in the SQL databases. A default install of SQL server will
create standard default databases, known as samples. These sample databases
allow knowledgeable intruders to execute arbitrary code on the SQL server if SA
credentials are obtained. Being able to authenticate to the SQL server as the SA
account provides unrestricted rights to the local SQL databases, as well as
many of the rights needed to control the OS (Operating System) that runs SQL. Given
the common knowledge of the default SA account, the default SQL databases
and the associated rights, this receives a critical security threat status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.186      ___   ___   ____________
10.0.0.206      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
FTP Anonymous READ/WRITE Access

Severity Level: (High)

Vulnerability Description:
FTP (File Transfer Protocol) is a protocol that allows uploading & downloading of
data between network devices. Some network print servers use this protocol to
submit print jobs by uploading the file that needs printing. Anonymous access to
such a service could present an opportunity for an intruder to flood the print
server with garbage print jobs. This could not only tie up network resources for
quite some time, but also waste precious paper resources. Since the FTP service
allows anonymous access, an intruder does not need a user account or
password to launch such an attack. When anonymous FTP access is present,
you may be prone to a Denial of Service attack on the FTP service itself. Most
network print servers function correctly without hosting an FTP service. If this
service is hosted on another device besides a printer, such as a networked file
server, this could allow the intruder to upload malicious programs such as
Trojans, as well as steal information anonymously. This security violation
receives a High status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.4        ___   ___   ____________
10.0.0.64       ___   ___   ____________
10.0.0.224      ___   ___   ____________
10.0.0.230      ___   ___   ____________
10.0.0.231      ___   ___   ____________
10.0.0.232      ___   ___   ____________
10.0.0.233      ___   ___   ____________
10.0.0.234      ___   ___   ____________
10.0.0.235      ___   ___   ____________
10.0.0.237      ___   ___   ____________
10.0.0.238      ___   ___   ____________
10.0.0.244      ___   ___   ____________
10.0.0.246      ___   ___   ____________
10.0.0.247      ___   ___   ____________
10.0.0.248      ___   ___   ____________
10.0.0.249      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
Telnet Anonymous Access

Severity Level: (High)

Vulnerability Description:
TELNET is the protocol that allows remote configuration of a network device in
a shell or DOS screen. This is not typically a concern, but when it's accessible
anonymously it can become a severe security violation. Since it can be
accessed anonymously, a potential intruder does not need a valid user account
or password to configure the network device in any desirable fashion. This
receives a High security violation status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.64       ___   ___   ____________
10.0.0.224      ___   ___   ____________
10.0.0.232      ___   ___   ____________
10.0.0.233      ___   ___   ____________
10.0.0.234      ___   ___   ____________
10.0.0.237      ___   ___   ____________
10.0.0.238      ___   ___   ____________
10.0.0.239      ___   ___   ____________
10.0.0.242      ___   ___   ____________
10.0.0.246      ___   ___   ____________
10.0.0.247      ___   ___   ____________
10.0.0.248      ___   ___   ____________
10.0.0.249      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
NetBIOS Anonymous Enumeration of Users

Severity Level: (High)

Vulnerability Description:
Microsoft Windows 2003/2000/NT and Unix variants running Samba permit
Anonymous (NULL) sessions to the NetBIOS (Network Basic Input/Output
System) service. The NULL user account was originally intended for backward
compatibility with legacy Windows operating systems as well as one-way trust
relationships between domains residing in different forests requiring user and
share listings. An attacker can leverage this feature by querying for all available
users using a technique called "Sid2User/User2Sid Walking". A SID (Security
Identifier) is an alphanumeric character string used during the authentication
process to identify a user or group of users. An attacker in possession of a user
list for a device or domain can now attempt to brute force the user accounts or
launch social engineering attacks.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.36       ___   ___   ____________
10.0.0.95       ___   ___   ____________
10.0.0.106      ___   ___   ____________
10.0.0.171      ___   ___   ____________
10.0.0.174      ___   ___   ____________
10.0.0.180      ___   ___   ____________
10.0.0.199      ___   ___   ____________
10.0.0.206      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
NetBIOS-DS Anonymous Enumeration of Users

Severity Level: (High)

Vulnerability Description:
Microsoft Windows 2003/2000/NT and Unix variants running Samba permit
Anonymous (NULL) sessions to the NetBIOS (Network Basic Input/Output
System) service. The NULL user account was originally intended for backward
compatibility with legacy Windows operating systems as well as one-way trust
relationships between domains residing in different forests requiring user and
share listings. An attacker can leverage this feature by querying for all available
users using a technique called "Sid2User/User2Sid Walking". A SID (Security
Identifier) is an alphanumeric character string used during the authentication
process to identify a user or group of users. An attacker in possession of a user
list for a device or domain can now attempt to brute force the user accounts or
launch social engineering attacks.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.36       ___   ___   ____________
10.0.0.95       ___   ___   ____________
10.0.0.106      ___   ___   ____________
10.0.0.171      ___   ___   ____________
10.0.0.174      ___   ___   ____________
10.0.0.180      ___   ___   ____________
10.0.0.199      ___   ___   ____________
10.0.0.206      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
Telnet Blank Password

Severity Level: (High)

Vulnerability Description:
Communications devices often offer Telnet services to allow remote clients to configure the device
remotely. Sometimes Telnet is protected with a password-only passphrase. With this type of
authentication only one network credential is needed to log in, the password. Most forms of
authentication use username and password combinations as credentials to grant or deny access.
When a communications device is using a password-only authentication mechanism, the password
should be formatted to meet a strong password policy, such as referenced in the Password
Strength Guide. This vulnerability is triggered when there is a blank password set on the
communications device. Since this allows anyone, a valid user or an intruder, to configure the
device remotely, it receives a high threat status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.4        ___   ___   ____________
10.0.0.230      ___   ___   ____________
10.0.0.231      ___   ___   ____________
10.0.0.235      ___   ___   ____________
10.0.0.244      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
Telnet Anonymous Access (TCP 9999)

Severity Level: (High)

Vulnerability Description:
TELNET is the protocol that allows remote configuration of a network device in
a shell or DOS screen. This is not typically a concern, but when it's accessible
anonymously it can become a severe security violation. Since it can be
accessed anonymously, a potential intruder does not need a valid user account
or password to configure the network device in any desirable fashion. This
receives a High security violation status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.51       ___   ___   ____________
10.0.0.52       ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
SNMP PRIVATE Community String

Severity Level: (High)

Vulnerability Description:
SNMP is a network management protocol used to gather statistical data on network resources.
When a networked device has SNMP enabled it can send performance data to a management
station. SNMP provides the ability to configure a network device remotely. The community string
on an SNMP device can be looked at as the password that allows such access to information and
configuration abilities over the network. With the proper community string any management
station, authorized or unauthorized, can view and perhaps configure the network device. The most
common or default community string for SNMP devices in the networking industry is "PRIVATE".
Usually the private community string allows read and write access. This raises the threat to a
high level status, since the configuration or uptime of the device could be compromised.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.97       ___   ___   ____________
10.0.0.99       ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
FTP Anonymous READ Access

Severity Level: (Medium)

Vulnerability Description:
FTP (File Transfer Protocol) is a protocol that allows uploading & downloading of
data between network devices. When an FTP service allows anonymous access,
an intruder does not require a username or password to access the FTP server.
This could lead to information stealing from the FTP server without any
authentication necessary. Since this FTP Server allows read access only, the
intruder is limited to only retrieving information from the FTP server. This
information could possibly be confidential information. Since this does not
directly lead to system compromise, but could possibly contribute to one, it
receives a medium threat status.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.4        ___   ___   ____________
10.0.0.64       ___   ___   ____________
10.0.0.224      ___   ___   ____________
10.0.0.230      ___   ___   ____________
10.0.0.231      ___   ___   ____________
10.0.0.232      ___   ___   ____________
10.0.0.233      ___   ___   ____________
10.0.0.234      ___   ___   ____________
10.0.0.235      ___   ___   ____________
10.0.0.237      ___   ___   ____________
10.0.0.238      ___   ___   ____________
10.0.0.242      ___   ___   ____________
10.0.0.244      ___   ___   ____________
10.0.0.246      ___   ___   ____________
10.0.0.247      ___   ___   ____________
10.0.0.248      ___   ___   ____________
10.0.0.249      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
SNMP PUBLIC Community String

Severity Level: (Medium)

Vulnerability Description:
SNMP is a network management protocol used to gather statistical data on network resources.
When a networked device has SNMP enabled it can send performance data to a management
station. SNMP provides the ability to configure a network device remotely. The community string
on an SNMP device can be viewed as the password that allows such access to information and
configuration abilities over the network. With the proper community string any management
station, authorized or unauthorized, can view and perhaps configure the network device. The most
common or default community string for SNMP devices is PUBLIC. Usually the public community
string allows read-only access, but in some cases will grant full access to the device.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.4        ___   ___   ____________
10.0.0.51       ___   ___   ____________
10.0.0.52       ___   ___   ____________
10.0.0.64       ___   ___   ____________
10.0.0.75       ___   ___   ____________
10.0.0.97       ___   ___   ____________
10.0.0.99       ___   ___   ____________
10.0.0.216      ___   ___   ____________
10.0.0.224      ___   ___   ____________
10.0.0.230      ___   ___   ____________
10.0.0.231      ___   ___   ____________
10.0.0.234      ___   ___   ____________
10.0.0.235      ___   ___   ____________
10.0.0.244      ___   ___   ____________
10.0.0.246      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
NetBIOS Anonymous Enumeration of Shares

Severity Level: (Medium)

Vulnerability Description:
Microsoft Windows 2003/2000/NT and Unix variants running Samba permit Anonymous (NULL)
sessions to the NetBIOS (Network Basic Input/Output System) service. The NULL user account
was originally intended for backward compatibility with legacy Windows operating systems as well
as one-way trust relationships between domains residing in different forests requiring user and
share listings. An attacker can leverage this feature by querying for all available shares and
potentially access or modify the data within.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.4        ___   ___   ____________
10.0.0.36       ___   ___   ____________
10.0.0.95       ___   ___   ____________
10.0.0.106      ___   ___   ____________
10.0.0.171      ___   ___   ____________
10.0.0.174      ___   ___   ____________
10.0.0.180      ___   ___   ____________
10.0.0.199      ___   ___   ____________
10.0.0.206      ___   ___   ____________
10.0.0.230      ___   ___   ____________
10.0.0.231      ___   ___   ____________
10.0.0.235      ___   ___   ____________
10.0.0.244      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
NetBIOS-DS Anonymous Enumeration of Shares

Severity Level: (Medium)

Vulnerability Description:
Microsoft Windows 2003/2000/NT and Unix variants running Samba permit Anonymous (NULL)
sessions to the NetBIOS (Network Basic Input/Output System) service. The NULL user account
was originally intended for backward compatibility with legacy Windows operating systems as well
as one-way trust relationships between domains residing in different forests requiring user and
share listings. An attacker can leverage this feature by querying for all available shares and
potentially access or modify the data within.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.36       ___   ___   ____________
10.0.0.95       ___   ___   ____________
10.0.0.106      ___   ___   ____________
10.0.0.171      ___   ___   ____________
10.0.0.174      ___   ___   ____________
10.0.0.180      ___   ___   ____________
10.0.0.199      ___   ___   ____________
10.0.0.206      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
HTTP Anonymous READ Access

Severity Level: (Low)

Vulnerability Description:
HTTP (Hyper Text Transfer Protocol) is the network language which allows for viewing websites
on the Internet and on intranets. Internal websites are sometimes intended to be viewed
anonymously, thus letting every user on the network view the contents freely. If this is not the
intended use of the web site, measures should be taken to secure the HTTP service.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.4        ___   ___   ____________
10.0.0.11       ___   ___   ____________
10.0.0.41       ___   ___   ____________
10.0.0.64       ___   ___   ____________
10.0.0.66       ___   ___   ____________
10.0.0.71       ___   ___   ____________
10.0.0.73       ___   ___   ____________
10.0.0.186      ___   ___   ____________
10.0.0.201      ___   ___   ____________
10.0.0.206      ___   ___   ____________
10.0.0.210      ___   ___   ____________
10.0.0.230      ___   ___   ____________
10.0.0.231      ___   ___   ____________
10.0.0.233      ___   ___   ____________
10.0.0.235      ___   ___   ____________
10.0.0.237      ___   ___   ____________
10.0.0.238      ___   ___   ____________
10.0.0.239      ___   ___   ____________
10.0.0.242      ___   ___   ____________
10.0.0.244      ___   ___   ____________
10.0.0.247      ___   ___   ____________
10.0.0.249      ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________
HTTP Active on Switch/Router

Severity Level: (Low)

Vulnerability Description:
Switches and routers can host network services known as HTTP services. These services
generally provide internal and external websites. Routers/Switches use these services to provide
a GUI (Graphical User Interface) for administrators to remotely configure the device. Several
known vulnerabilities exist in devices running HTTP services that are easy to exploit. It is best
practice to disable HTTP services on all network communications devices in an environment.

Verification of Resolved Hosts:
Address         Yes   No    Staff Initials
10.0.0.80       ___   ___   ____________
10.0.0.81       ___   ___   ____________
10.0.0.82       ___   ___   ____________

Manager Signature: ____________________________________________
Date: _________________