Vulncorp Inc Pivot Point Security


File Name: Sample-Report-Network-VAPT.pdf


Summary

VulnCorp, Inc

EXTERNAL VULNERABILITY ASSESSMENT AND PENETRATION TEST
AUGUST 1, 2016
PPS Consultant
Project Lead
[email protected]
CONFIDENTIAL – DO NOT DISTRIBUTE
NOTE: The data in this sample report was manufactured to highlight different areas of the report.

The conclusions and recommendations in this report represent the opinions of
Pivot Point Security. Determinations of appropriate corrective action(s) are the
responsibility of the entity receiving the report.

This report and/or any other materials furnished by Pivot Point Security in
connection with this engagement is confidential and may not be duplicated,
modified or otherwise reproduced and distributed without the express prior
written consent of Pivot Point Security or VulnCorp, Inc. Because this work may
contain copyrighted images or other material, permission from the copyright
holder may also be necessary if you wish to reproduce.

Prepared exclusively for VulnCorp, Inc Page |2
Table of Contents
SCOPE OF ENGAGEMENT
METHODOLOGY
    TESTING METHODOLOGY
    SCORING METHODOLOGY
VULNERABILITY BENCHMARKING
VULNERABILITY VS. RISK
HOST RELATIVE VIEW
    MOST VULNERABLE HOSTS (TOP 10)
    MOST AT RISK HOSTS (TOP 10)
PENETRATION TESTING
    MANUAL EXPLOITATION EFFORTS (HUMAN-BASED)
CONCLUSION
REMEDIATION
SCOPE LIMITATIONS
ARTIFACT REMOVAL
Scope of Engagement
VulnCorp, Inc. engaged Pivot Point Security (PPS) to conduct a network vulnerability
assessment and penetration test against its external Information Technology infrastructure on
or about June 17, 2016. The objective of the test was to identify any information system
vulnerabilities that may allow levels of unintended access and to provide a measure of the
probability that an attacker could exploit these vulnerabilities and, if so, what the impact would
be to VulnCorp, Inc. To achieve VulnCorp, Inc.’s requirement for third-party attestation of its
information security posture, VulnCorp, Inc. determined that the services PPS defines as a Tier
2 Assess level external vulnerability assessment and penetration test would best achieve its
requirements.

A "Results Details" spreadsheet accompanies this report, which includes the vulnerability
details that this report summarizes.

Methodology
Testing Methodology
PPS has developed a proven Vulnerability Assessment/Penetration Testing Methodology
(illustrated below) from best practices including the Open Source Security Testing Methodology
Manual (OSSTMM), the Council for Registered Ethical Security Testers (CREST), the Penetration
Testing Execution Standard (PTES), and our 15 plus years of experience. We have also scaled
the methodology to account for differing risks and preferred engagement modalities to ensure
that we can provide the right testing and assurance at the right cost.

Scoring Methodology
It is important to note that PPS utilizes the Common Vulnerability Scoring System, an open, trusted
framework that standardizes vulnerability reporting across all major software and hardware platforms.
This provides a consistent view of your vulnerability level independent of the company and tools used to
perform the assessment.

Our testing reports on both the base score and the temporal score. The base (vulnerability) score does
not change and references the specific issue discovered; a missing patch, for example. The temporal
(risk) score can change over time. For example, the temporal score may change if an exploit is released,
an official patch becomes available, etc. The third branch (environmental) requires a great deal of
business context and is not part of this report.

Vulnerability Benchmarking
Pivot Point Security provides a relative benchmark of your vulnerability and risk to other organizations
that we have tested at the time of the scan. To derive the score, PPS averages the vulnerability score for
each host and then averages all the host scores. For comparison purposes, PPS assigned VulnCorp, Inc.
to the "Technical Services" industry, which rolls up into the "Software as a Service" Meta Industry.

[Chart: benchmark scores on a 0-10 scale. Axis labels: All-Average Technology Services Provider Technology Services SaaS VulnCorp. Data labels: 5.3, 4.6, 4.4, 4.5, 4.3]
Historical Vulnerability/Risk
Pivot Point Security provides a historical view (if available) of vulnerability & risk to gauge the
effectiveness of your vulnerability/configuration management practices over time.

[Chart: Vulnerability and Risk on a 0-10 scale for 2013-03-02, 2014-02-17, 2015-04-18 and 2016-06-19]
Vulnerability vs. Risk
This host vulnerability chart shows the risk category distribution based on the vulnerability score.

Vulnerability Based View (CVSS Base Score)
Host Vulnerability (%)
Category    Count     %
Critical      293   23%
High          148   10%
Medium       1453   60%
Low         10276    8%
The count is based on Vulnerability x Affected Hosts

This risk level chart takes the temporal score and shows the effective risk level at the time of the testing.

Risk Based View (CVSS Temporal Score)
Host Risk (%)
Category    Count     %
Critical       15    1%
High          355   26%
Medium        915   46%
Low         10885   27%
The count is based on Vulnerability x Affected
Host Relative View
Most Vulnerable Hosts (Top 10)
This shows hosts that have the highest level of vulnerability to assist in prioritizing remediation activities
(Host Vulnerability = cumulative CVSS Base Score):

IP Address   Hostname                    Host Vulnerability  Critical  High  Medium/Low  % of Org Vulnerability
10.1.1.60    -                           267.3               5         18    13          18%
10.1.1.70    -                           267.3               5         18    13          18%
10.1.1.80    stc-x3650-03.vulncorp.com   267.3               5         18    13          18%
10.1.1.90    -                           267.3               5         18    13          18%
10.1.1.81    stc-x3650.vulncorp.com      144.1               3         6     13          10%
10.1.1.161   stc-vcs-01.vulncorp.com     98.4                2         3     11          7%
10.1.1.151   stc-dc-01.vulncorp.com      68.8                2         1     8           5%
10.1.1.153   stc-dc-02.vulncorp.com      54.5                1         1     7           4%
10.1.1.1     -                           35.4                0         0     7           2%
10.1.1.11    -                           5.8                 0         0     1           0%
Total                                                                                    100%

Most at Risk Hosts (Top 10)
This shows hosts that have the highest level of risk (vulnerability + exploitability + fixability) to assist in
prioritizing remediation activities (Host Risk = cumulative CVSS Temporal Score):

IP Address   Hostname                    Host Risk  Critical  High  Medium/Low  % of Org Risk
10.1.1.60    -                           225.0      1         10    25          15%
10.1.1.70    -                           225.0      1         10    25          15%
10.1.1.80    stc-x3650-03.vulncorp.com   225.0      1         10    25          15%
10.1.1.90    -                           225.0      1         10    25          15%
10.2.1.100   -                           225.0      1         10    25          15%
10.1.1.81    stc-x3650-04.vulncorp.com   124.9      1         4     17          8%
10.1.1.161   stc-vcs-01.vulncorp.com     87.5       0         3     13          5%
10.1.1.165   view-mgr-01.vulncorp.com    70.1       1         1     11          4%
10.1.1.151   stc-dc-01.vulncorp.com      63.7       0         3     8           3%
10.1.1.162   sugarcrm.vulncorp.com       53.7       0         0     11          3%
Total                                                                           98%
Penetration Testing
Full data, for all issues and hosts referenced in this narrative, is available in the spreadsheet delivered as
part of our reporting. To identify a particular host in the spreadsheet, use filter/sort/search with the
host data referenced in this narrative (e.g., IP Address, Host Name, Host Type, etc.).

Manual Exploitation Efforts (human-based)
On manual review of the vulnerabilities, we found that there were two systems with highly vulnerable
web applications running.

Potential Breach Detected
The app1.vulncorp.com (1.2.3.4) host requires special attention because the web application
manager running on it still has the default administrative password configured. A number of
currently deployed applications on this host lead to the suspicion that it was previously
compromised. If those applications do not have a legitimate use, it is highly recommended to
rebuild the system. This will help to ensure that any remnant tools, which could be used to
access the system or other network devices, are eliminated. The potentially rogue
applications are listed below, as well as in the evidence section of the Apache Tomcat
Manager Common Administrative Credentials vulnerability (page 11).

Critical Risk Vulnerabilities
Vulnerability                                                      Count
Unix Operating System on Extended Support                          1
Apache Tomcat Manager Common Administrative Credentials            1
Microsoft Windows Server 2003 Unsupported Installation Detection   8
Critical Risk Exploits
Unix Operating System on Extended Support (CVSS: 10)
According to its version, the remote host uses a Unix or Unix-like operating system that has reached its
end of life. No new security updates will be issued for this operating system, leaving it exposed
to vulnerabilities discovered after 2016-02-15.

Evidence:
Debian 6.0 support ends on 2014-05-31 end of regular support / 2016-02-15 (end
of extended support for Squeeze-LTS)

Affected Hosts:
103.192.88.183
Remediation:
Update the host to ensure that it subscribes to the vendor's extended support plan and continues
to receive security updates.

Apache Tomcat Manager Common Administrative Credentials (CVSS: 10.0)
We were able to gain access to the Manager web application for the remote Tomcat server using a
known set of credentials. A remote attacker can exploit this issue to install a malicious application on
the affected server and run arbitrary code with Tomcat's privileges (usually SYSTEM on Windows, or the
unprivileged tomcat account on Unix). Worms are known to propagate this way.

Evidence:
It was possible to log into the Tomcat Manager web application using the default username and
password. This account had access and privileges to start, stop, and un-deploy all of the running web
applications. The account also has permissions to deploy new applications, including those which may
contain malicious code. During the investigation, a number of active applications were found that
indicate that the server may have already been compromised (see Suspicious Web Applications below).

The server is also hosting a known-malware web application called "JSP RAT by Jeroy" which allows the
user to graphically navigate the server’s filesystem. Other features include file uploads, downloads,
editing, and limited command-line access. Read, write, and execute permissions for all functions are
limited to the "tomcat" user, which does not have administrative access but can still be very dangerous.

Attempts were made to gain deeper access into the system but were unsuccessful. Even so, the ability
to view, upload, and execute files means that there is a high risk of privilege escalation.

Suspicious Web Applications
http://app1.vulncorp.com:9090/18/
http://app1.vulncorp.com:9090/rarr/
http://app1.vulncorp.com:9090/syadmin/
The screenshot below shows the Tomcat Web Application manager, after logging in using well-known
administrative credentials.

Screenshot 1 - Tomcat Web Application Manager (post-login)
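
A defensive check for the Tomcat Manager finding above, added here as an example that is not part of the original report: it audits a tomcat-users.xml file for accounts that hold Manager or admin roles with a weak password. The sample XML, the WEAK_PASSWORDS list and the function name audit_tomcat_users are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager applications.
# "manager" and "admin" are legacy role names used by older Tomcat releases.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script", "manager", "admin",
}
# Constructed sample of weak values; extend from your own password policy.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "manager", "changeme"}

# Constructed sample configuration, not taken from the report.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Deploy" roles="manager-script"/>
  <user username="ops" password="kP7#vTq2mZ!x9LrA" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="app-user"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return (username, privileged_roles, reason) for each risky account."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Strip the XML namespace so old and new file layouts both match.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat accepts "username" and the older "name" attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # weak password, but no Manager access: out of scope here
        if password.lower() in WEAK_PASSWORDS:
            findings.append((name, privileged, "well-known password"))
        elif password.lower() == name.lower():
            findings.append((name, privileged, "password equals username"))
    return findings


if __name__ == "__main__":
    for user, roles, reason in audit_tomcat_users(SAMPLE_XML):
        print(f"{user}: {reason}; privileged roles: {', '.join(roles)}")
```

When the realm stores digested passwords, the password attribute holds a hash and this comparison will not match, so those accounts need a separate check.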

Frequently Asked Questions

What happened to VulnCorp's security posture?

There were a number of issues identified that negatively impact the security posture of VulnCorp, Inc. For example, services with default credentials and unsupported operating systems were discovered, as well as a number of machines with insecure configurations and/or missing patches.

What is the objective of the VulnCorp vulnerability assessment?

The objective of the test was to identify any information system vulnerabilities that may allow levels of unintended access and to provide a measure of the probability that an attacker could exploit these vulnerabilities and, if so, what the impact would be to VulnCorp, Inc.

Is your VulnCorp host compromised?

Potential Breach Detected: The app1.vulncorp.com (1.2.3.4) host requires special attention because the web application manager running on it still has the default administrative password configured. A number of currently deployed applications on this host lead to the suspicion that it was previously compromised.