nts330 wk8-9 Stardotstar 2 0

StarDotStar 1
Reconnaissance Report
Honeywell
V 2.0
July 25, 2016
This Report was Prepared by:

StarDotStar
Robert Thompson Penetration Tester
Vance Jones Penetration Tester
Tyler Weiss Penetration Tester
This report was created for educational purposes and is entirely fictional. The
systems herein have been created and maintained by this team in a virtual
environment. All information in this document is confidential and may not be
disclosed to unauthorized personnel.
StarDotStar 2
Document Properties
Title Reconnaissance Report Honeywell
Version 2.0
Authors Robert Thompson, Vance Jones, Tyler Weiss
Pen-Testers Robert Thompson, Vance Jones, Tyler Weiss
Reviewed By Robert Thompson, Vance Jones, Tyler Weiss
Approved By Robert Thompson, Vance Jones, Tyler Weiss
Classification Confidential
Version Control | | |
Version Date Author Description
2.0 July 11, 2016 Vance Jones, Draft

Robert
Thompson
1.9 July 11, 2016 Vance Jones Draft
1.8 June 25, 2016 Robert Draft

Thompson,
Vance Jones

Thompson
1.3 1.6 June 24, 2016 Vance Jones Draft

Thompson
1.1 June 10, 2016 Robert First Draft
Thompson
1.0 May 28, 2016 Robert Template
Thompson
StarDotStar 3
Executive Summary
asdf
StarDotStar 4
Contents
1.2 Objective ..................................................................................... 8
1.3 Timeline ...................................................................................... 8
1.4 Summary of Findings .................................................................... 9
2. Recon Lab 1 ................................................................................... 10
2.1 Summary of Findings .................................................................. 10
2.2 Recommendations ...................................................................... 10
2.3 Detail of Findings........................................................................ 10
3. Recon Lab 2 ................................................................................... 12
4. Recon Lab 3 ................................................................................... 15
5. Scanning Lab 1 ............................................................................... 18
6. Scanning Lab 2 ............................................................................... 22
6.2 Recommendation........................................................................ 22
7. Penetration Lab .............................................................................. 25
7.2 Recommendation........................................................................ 25
7.3.1 Windows XP.......................................................................... 25
7.3.2 Windows Server 2003 ............................................................ 27
7.3.3 Ubuntu (pWnOS)................................................................... 29
StarDotStar 5
7.3.4 Slax (Hackerdemia) ............................................................... 29

7.4 Tools Used ................................................................................. 30
7.4.1 Metasploit Framework ............................................................ 30
7.4.2 SQLMap ............................................................................... 30
7.4.3 Burp Suite ............................................................................ 30
7.4.4 Hashcat ............................................................................... 31
7.4.5 Hydra .................................................................................. 31
7.4.6 BEEF XSS Framework ............................................................ 31
Appendix A ........................................................................................ 32
People Searching websites used ...................................................... 32
Tools used .................................................................................... 32
Appendix B ........................................................................................ 33
Employee and Executive Information ............................................... 33
ARIN network details ..................................................................... 35
Appendix C ........................................................................................ 38
poc.sh & poc.py full raw output file contents: .................................... 38
Appendix D ........................................................................................ 42
Ping Sweep Results (From Section 5.3.1): ........................................ 42
TCP Port Scan Results (From Section 5.3.2):..................................... 43
UDP Port Scan Results (From Section 5.3.2): .................................... 44
Web Port Scan Results (From Section 5.3.4): .................................... 45
Scan Report with Reason for state (From Section 5.3.5): ................... 46
OS Scan Result (From Section 5.3.9): .............................................. 48
Appendix E ........................................................................................ 49
Nessus MyPolicy.txt ....................................................................... 49
Appendix F ........................................................................................ 79
Windows XP Hashes ....................................................................... 79
Windows 2003 Hashes ................................................................... 79
Windows Web App Database Dump.................................................. 80
Ubuntu (pWnOS) Web App Database Dump ...................................... 80
References ........................................................................................ 81
StarDotStar 6
StarDotStar 7
List of Figures
No table of figures entries found.
StarDotStar 8
1.2 Objective
The goal of this assessment is to determine how much information is

publicly available that could help an attacker in exploiting the company's
internal network, as well as figuring out what information is available that
should not be public and includes sensitive internal information.
1.3 Timeline
Penetration Test Phase Start Date End Date
Recon 5/23/2016 6/10/2016
Scanning 6/13/2016 6/24/2016
Penetration 6/27/2016 7/11/2016

StarDotStar 9
1.4 Summary of Findings
Recon
o Company email addresses
o Employee personal information
Position
Address
Phone number
Salary
o Physical facility locations and security
o IP address ranges and domains owned
o Website setup
Languages
Frameworks
Software
o Social media accounts:
Facebook
LinkedIn
o Confidential Documents
Letters
Spreadsheets
StarDotStar 10
2. Recon Lab 1
We found out software being run of the Honeywell web servers, frameworks
used, net ranges, and other services hosted by Honeywell. We also found a
handful of confidential documents containing personal information for
employees and executives.
2.2 Recommendations
Updating all IIS 7.5 servers to 8.0. Searching for and removing any
potentially harmful documents posted publicly.
2.3 Detail of Findings
1. What is the name of the organization you chose? What do they do?
a. Honeywell Aerospace is a company that develops and sells
aerospace technology for commercial and military use.
2. What operating systems do they use on their web server? Why?
a. Most of their web servers are running windows, which we are
able to tell by the fact that they are using IIS, which shows in
their headers.
3. What web server are they using (Apache, IIS, etc.)? What version is
it?
a. IIS version 7.5 & 8.0.
4. Does it appear they are hosting their own web server?
a. Yes, they own their own net range and have a large selection of
servers.
5. What programming languages are used on the site?
a. HTML, CSS, Javascript, JQuery
6. What are the networks in use by the organization? List Ranges?
a. 129.30.0.0/16
7. Does it appear they are hosting any other services from their network
ranges? (Do Not Scan network segments)
a. Yes, Shodan told us they have their own DNS servers, as well as
IKE (Internet Key Exchange) VPN servers.
StarDotStar 11
8. What type of information did you turn up using search engines?

a. Company email format, high level executives, social media
accounts, and some documents.
b. This letter gave us their presidents personal address and
salary!
StarDotStar 12
3. Recon Lab 2
We found company social media accounts and documents. These gave us

employee emails, phone numbers, and LinkedIn accounts, which could then
use in our searches to find more information.
3.2 Recommendations
Searching for and removing confidential files posted publicly on the internet.
Educating employees about using their company email for non-company
activities, such as at conferences.
StarDotStar 13
1. Identify key employees. Get names, positions, salary, phone #, and

e-mail addresses.
a. This page on their main site got us the top level executives.
From there we focused in and found contact information, emails,

and phone numbers (See Appendix B)
2. Do they participate in any professional organizations?
a. We found out their email format (for names) from a EnergyStar
attendance list from an event (URL Below)
i. https://www.energystar.gov/ia/partners/prod_developmen
t/.../Attendee_%20list.xls
3. Do they participate in any professional social media sites?
a. A lot of them have LinkedIn accounts, which we found. (See
Appendix B)
4. Is anyone looking for a job?
a. All the LinkedIn pages we checked were private.
5. Can you locate interesting corporate documentation, passwords,
etc...?
StarDotStar 14
a. The list of emails from the attendance list and letter helped us
immensely.
6. Does your target company have any associations with other
companies? e.g.partners
a. Honeywell has dozens of other areas of business, including
appliances, housing, and technology.
7. Enumerate your targets Domain Name. Document all additional IP
addresses that you have discovered. (Add them to your current list)
a. See Appendix C for DNS enumeration results.
8. Use Maltego to search your company's domain, e-mail, social media,
etc....
a. See Appendix B for some of the information we pulled from
Maltego.
9. Create a visual map of your selected target's discovered systems.
Identify network address ranges, possible target systems and their
purpose, routers, switches, etc...... Is this their DMZ?
10. Document your advanced Google search strings and their
results.
a. Here are some of our searches:
i. Inurl:@honeywell.com filetype:xls (gave us the
attendance list)
ii. Intext:Tim Mahoney intext:Confidentual (gave us the
letter)
iii. Site:Honeywell.com (Helped start DNS enumeration)
iv. Intext:carey.smith@honeywell.com (Gave us another
attendance spreadsheet)
StarDotStar 15
4. Recon Lab 3
We found out physical location information, including side geo-locations and

employee campus. We also gathered wireless intelligence including finding a
badly secured break room WiFi network, as well as several open wireless
networks.
4.2 Recommendations
Upgrading the wireless router for better encryption, and ensure employees
understand the risk of connecting to open wireless network.
1. Using Recon-NG perform a full recon on your target company.

Document your results. Did you find any additional useful or
interesting info.
a. See Appendix C for our scripts results, which included custom
Recon-NG queries.
2. You need to research information that would be helpful for the social
engineering phase of your penetration test.
a. Physical layout of the company.

i. Back of facility has locked fence gates, from is open
parking lot with lobby.
b. Security doors, guards, cameras, etc.....
i. Multiple cameras on building corners, with pan-tilt-zoom
cameras over doors.
c. Badges?
i. Yes, RFID most likely due to being carried on lanyards,
since magstripe badges are difficult to scan when their on
lanyards.
d. Vehicle passes?
StarDotStar 16
i. No
e. Web Cams?
i. Shodan returned no results.
f. Digital dumpster diving.
i. Several dumpsters around the back near the fence, which
is only a couple feet high.
g. How does the typical employee dress? Dress code?
i. Some business casual, workers in jeans with hard hats.
3. Wireless recon. (note: this will be perform on the university's

campus.)
a. Using a wireless sniffing program such as Kismet, map the
university's wireless network. What IP address ranges did you
discover? Number, type, location of wireless APs.
i. UAT has several nodes running the Scytale network. These
are on a /24 subnet and are located both on the campus
and throughout the dorms. I managed to find three unique
MAC addresses for the APs.
b. Are there open AP's?
i. Yes, plenty including student APs and UATs Scytale
wireless network.
c. What methods do they use to secure APs?
i. Consumer wireless uses various encryption techniques
such as WPA and WEP, while enterprises use WPA-
Enterprise and RADIUS servers to ensure traffic is
authenticated and cant be spoofed to cause denial of
service or force reconnections.
d. What is wardriving?
i. Physically enumerating and assessing the layout of
wireless networks in an area by driving around with a
wireless device running a wireless enumeration tool, such
as Kismet.
e. Name two tools you can use to detect the presence of wireless
networks?
i. Kismet and Airodump-ng.
f. How can you find out the BSSID of an access point?
i. Wireless access points broadcast their BSSID in order to
let host know they are available. You can find the BSSID of
StarDotStar 17
an AP using any wireless devices, or a tool such as Kismet

or Airodump-ng.
g. Why is the BSSID of an access point important to know?
i. The BSSID is used in generating the transient key during
the 5-way WPA and WEP handshakes, along with the
Anouce and Snounce values.
h. The FMS attack is an attack that is used against WEP. What does
FMS stand for?
i. Fluhrer, Mantin and Shamir
i. Crack the WEP key provided in the WeakIVs.zip file under the
Doc Sharing section of the course shell. The MD5 file is included
just to make sure the compressing / uncompressing of the file
with the weak IVs is the same. Particulars of the access point
from which the IVs were collected are: It is a 128 bit WEP key.
The BSSID of the access point is: 00:1E:52:F6:A0:9B Given this
information what is the WEP key?
i. 0B:4E:D3:F6:7C:C5:40:FE:98:36:BA:A6:52
StarDotStar 18
5. Scanning Lab 1

For full details, refer to Appendix D.
5.2 Recommendations
5.3.1 Perform a ping sweep of your network to identify live hosts

with Nmap.
a. Using the command nmap sn 172.16.112.0/24 oN
networkhost.txt we enumerated all the host on the network
that responded to ICMP packets using a ping sweep, and
output that to a normal text file. The ping sweep resulted in
the addresses for gateway, our three attack machines and
two other, unidentified, hosts.
5.3.2 Port scan the hosts on your network range with Nmap. If
you have more than 10 hosts, only provide the results of the 10
with the most ports open.
a. We used the command nmap sS -iL networkhosts.txt using
the text file containing the host from the ping sweep. This
scan uses partial TCP handshakes to determine which ports
are open on those hosts (the ones that respond to the SYN
packet), which were possibly filtered by a firewall (no
response), and which were closed (responded with RST
packet). In addition to this command, more precise scans
were performed with the commands nmap sS T2
172.16.112.20,25 v (TCP Port scan), nmap sU T2
172.16.112.20,25 v (UDP Port Scan).
5.3.3 Scan a host adjusting the timing of requests with Nmap.

a. For the web server scan (see 5.3.4) we used the T2 (polite)
scanning option; because we were only scanning two ports,
the scanning surface is narrower allowing us to take more
StarDotStar 19
time, reducing network traffic that could be detected by an

IDS/IPS.
5.3.4 Use Nmap to sweep your network for systems running web
servers on port 80 and port 443.
a. Using the command nmap sS T2 -iL networkhosts.txt -
p80,433 we scanned all the hosts on port 80 and 443 to try
and discover which host were running web services on default
ports.
5.3.5 Run a scan on a host and tell Nmap to display the reason it
finds the port in the state it does.
a. Adding double verbosity to command gives the reason for
state; --reason after the host/range address also works for
improved output regarding open ports; example: nmap -sS -
sU -T2 172.16.112.1.20,25 --reason
b. No-response from an open port represents the presence of a
firewall.
5.3.6 Scan a system with Nmap and output the results to a

Normal File. Just provide the command you would use, you do not
have to append the results or the file.
a. This was done during our ping sweep command (see 5.3.1).
5.3.7 Scan a host as if it where denying ICMP (ping).

a. To enumerate host denying ICMP packets, we ran a SYN ping
sweep using the command nmap PS 172.16.112.0/24 which
sent SYN packets to the default port of 80 on all host. A RST
or ACK packet determined if the host was up or not.
5.3.8 Port scan on a host for open ports 1 through 500 with
Netcat. Yes, Netcat. When do you think you might use Netcat vs
Nmap?
a. nc -z -v 172.16.112.20 1-500 attempts a TCP handshake with
the given port numbers, in this case 1-500.
i. Netcat is used to create a connection and move data
across that connection.
ii. Nmap is used to map networks and scan address
ranges and ports.
StarDotStar 20
1. NSE scripts can also be used for bypassing and

vulnerability scanning
5.3.9 Perform Operating System identification on one of the hosts

on your network. You can use either Nmap or Xprobe2. How
accurate was the guess by the tool?
a. Using the command nmap O iL networkhosts.txt we asked
nmap to try to best determine the OS of each host. The tool
is great on zeroing on the type of operating system but not
the version or specific distribution. Caution, some results may
be false positives because of setting on target hosts.
5.3.10 Perform application fingerprinting on a host with Nmap. In

your estimation did Nmap properly identify the services running on
the machine? Were there unknown application fingerprints? If Nmap
doesnt know what a service is, what steps could you take to
determine what the service is?
a. Running the command nmap sV iL networkhosts.txt we did
full service identification in order to determine if the services
found by earlier scans were accurate and what versions those
services were running. The results had no unknown
fingerprints.
b. Services were identified properly but some of the versions
were ambiguous.
c. Unknown service discovered on port 443 for 172.16.112.20
d. In order to determine the service for this port, we pointed a
web browser at the address:port
i. Netcat to port of the unknown service
1. We attempted to retrieve a GET request from the
given IP:port, it responded with nothing.
ii. Point a web browser at the service
1. Visiting the IP address:port failed to connect,
however it works on normal HTTP.
iii. Nmap specific port scan
1. Focusing the scan on just the specific port still
yielded no information, we are unable to get the
port to respond with any information, and
therefore we cannot acquire relevant information
from the port.
StarDotStar 21
5.3.11 You are on a penetration test. Your customer asks you to

identify all of the hosts in a given network range. You notice that
they are filtering ICMP so you cant ping hosts to determine if they
are alive. How would you determine which hosts in the network
range are actually up?
a. Earlier we did a host enumeration using a SYN host discovery
scan. (See 5.3.7).
5.3.12 Which flags does a Xmas scan (-sX) set in Nmap?

a. The Xmas scan set the FIN, URG, and PSH flags on.
5.3.13 Take a couple of the hosts from your network and put them
in a plain text file. Put the IP addresses in the file so there is only
one per line. Name this file networkhosts.txt Use Nmap with the
appropriate command line argument to import this file and scan the
contents.
a. nmap -sS -sU iL networkhosts.txt
i. [-iL] is used to specify a list of hosts, from file, for
input.
b. We utilized this technique in an earlier portion of this section.
(See 5.3.2)
StarDotStar 22
6. Scanning Lab 2
We found several vulnerabilities using both OpenVas and Nessus. This

included several critical vulnerabilities for SMB, and several potential web
application attack vectors.
6.2 Recommendation
Patching SMB on all machines is highly recommended as they could

allow remote code execution and several loss of data and availability. Doing
code review and pen testing on all web applications is also highly
recommended if these applications are publicly accessible.
6.3.1 Download and install the Nessus Vulnerability Scanner on

your attack platform.
a. Downloaded from tenable.com
b. Nessus.org redirects to tenable.com. Products > Nessus > Try
Nessus > under Vulnerability Scanning Try Now
c. Registered using uat.edu e-mail address.
d. Nessus installed with no issues, plug-ins updated and
installed automatically when ran for the first time.
6.3.2 Fire up one of your vulnerable VMs (target) that you have
been working with so you can scan it.
a. VMs are up and ready to scan.
6.3.2 Enter the IP address of the target system into Nessus and
Scan it.
a. First scan performed was against the whole range,
172.16.112.0/24 using the Basic Network Scan. It
immediately started populating the Hosts section with
results; it appears that Nessus does host discovery on its own
StarDotStar 23
when performing this type of scan. Lots of vulnerabilities were

detected across all hosts, including out attack platforms.
6.3.3 Create a new custom scan policy in Nessus and name it

MyPolicy. In this new policy trim down the vulnerability checks so
that they are more relevant to the operating system you are
scanning. Give a few examples of checks that you removed. Give a
few examples of checks that you kept.
a. While creating MyPolicy, we removed the several different
linux vulnerability plug-ins, including CentOS Local Security,
Fedora Local Security, Debian Local Security, FreeBSD Local
Security, and Gentoo Local Security among many others. We
also removed MacOS X Local Security, Mobile Devices, and
Palo Alto Local Security.
b. Some examples of plug-ins we kept were Windows: Microsoft
Bulletins, Windows: User management, Peer-to-Peer file
sharing, Web Servers, and FTP.
6.3.4 Scan the IP address of the target system again using the
new MyPolicy that you created.
a. We scanned specific addresses the second time using
MyPolicy, 172.16.112.20, 172.16.112.25; WINVUL and the
2003 Server respectively.
6.3.5 Do you see any items you suspect as false positives? Why do
you believe them to be false?
a. There are several items that only appear in either Nessus or
OpenVas.
i. MS08-067: Microsoft Windows Server Service Crafted
RPC Request Handling Remote Code Execution
(958644) (uncredentialed check)
ii. Web Application Potentially Vulnerable to Clickjacking
iii. Web Server Transmits Clear-text Credentials
b. These are the most likely candidates of being false positive,
however several of them are easily validated. Clear-text
credentials for example is due to the site using unencrypted
http. The clickjacking one is probably due to the many web
vulnerabilities that show up, including XSS and SQLi. However
the RPC vulnerability only turned up in OpenVas and therefore
is most suspect of being a false positive. Further testing such
as exploitation is required to determine accuracy.
StarDotStar 24
c. There are many other vulnerabilities that show up in either

scanner but not both, however the majority of these are for
the same application, suggesting they are much more likely
to exist and the scanner simply doesnt check every
vulnerability for the application. Outdated apps often have
many vulnerabilities, so discovering all of them is challenging
for any single vulnerability scanner.
6.3.6 Do you believe that there are vulnerabilities on the system

that the vulnerability scanner didnt find? Why do you believe so?
a. I do think there are likely other vulnerabilities, since there are
only so many things a vulnerability scanner can check. In
particular, web app vulnerabilities are often missed by
vulnerability scanners due to requiring some creativity in their
creation and usage. It already found XSS vulnerabilities, and
generally web app vulnerabilities allow for further and more
advanced attacks.
6.3.7 Export the data from the scan in NBE format.

a. .NBE format is no longer supported with the newer versions of
Nessus, it has been supplanted by the .nessus format;
.nessus document with scan results enclosed in zip file.
6.3.8 Create a zip file containing your lab memo documentation

and the NBE file and submit that in the dropbox for this
assignment.
StarDotStar 25
7. Penetration Lab
We found several remote, web, and client side attacks on two Windows
computers on the company network. Using these, we were able to view
sensitive information such as password hashes and database entries, as well
as install a python backdoor on the network. These could result in loss of
sensitive information and/or business operations. See Appendix F for
discovered sensitive information.
7.2 Recommendation
Upgrading all Windows computers to an operating system still under

support from Microsoft and setting up a regular patching cycle to ensure
security vulnerabilities are patched in a timely manner. Hiring a security
engineer to fix web based vulnerabilities and doing third party code review
on future web based projects. If databases are crucial to business continuity,
consider migrating to a different database management software, or update
the present software.
7.3.1 Windows XP
a. IP: 172.16.112.20
i. CVE-2008-4250
1. Severity: HIGH
2. This vulnerability allows remote code execution
via a crafted RPC request to the SMB NetBIOS
service running on port 445. Worse, this
vulnerability grants full System access if
exploited.
3. Microsoft has released a patch for the
vulnerability. It is recommended to patch to the
latest version of XP. If that is not possible,
StarDotStar 26
blocking external connections over port 445 on

the firewall is recommended.
ii. Weak MS SQL Credentials (No CVE)

1. Severity: HIGH
2. The database running on this server has default
credentials of sa:(no password). This can be
leveraged to compromise sensitive database
information, as well as get remote code execution
via an uploaded shell.
3. Setting a strong password on the MS SQL
database to prevent possible brute force attempts
and data compromise.
iii. SQL Injection Web Vulnerability (No CVE)

1. Severity: HIGH
2. This vulnerability allows any remote attacker with
access to the web login page to retrieve database
information as well as upload an interactive shell.
3. This has to do with improper input sanitization
and variable handling. Revising the code on the
site to use prepared statements and sanitize input
will remedy this vulnerability.
iv. CVE-2006-0003
1. Severity: MEDIUM
2. This vulnerability in the Internet Explorer program
is leveraged when the user visits an attackers
specially created web server, which then exploits
a vulnerability in ActiveX data object.
latest version of XP.
v. Guest Account with blank password (No CVE)

1. Severity: LOW
2. There is a deactivated guest account with blank
credentials.
3. This should be removed if it is no longer in use.
StarDotStar 27
7.3.2 Windows Server 2003

a. IP: 172.16.112.25
i. CVE-2008-4250
1. Severity: HIGH
2. This vulnerability allows remote code execution
via a crafted RPC request to the SMB NetBIOS
service running on port 445. Worse, this vulnerability
grants full System access if exploited.
latest version of XP. If that is not possible, blocking
external connections over port 445 on the firewall is
recommended.
ii. Weak MS SQL Credentials (No CVE)

1. Severity: HIGH
2. The database running on this server has default
credentials of sa:(no password). This can be
leverages to compromise sensitive database
information, as well as get remote code execution
via an uploaded shell.
3. Setting a strong password on the MS SQL
database to prevent possible brute force attempts
and data compromise.
iii. SQL Injection Web Vulnerability (No CVE)
1. Severity: HIGH
StarDotStar 28

and variable handling. Revising the code on the site
to use prepared statements and sanitize input will
remedy this vulnerability.
vi. Guest Account with blank password (No CVE)

1. Severity: LOW
2. There is a deactivated guest account with blank
credentials.
3. This should be removed if it is no longer in use.
StarDotStar 29
7.3.3 Ubuntu (pWnOS)

a. IP: 10.10.10.100
i. SQL Injection Web Vulnerability (No CVE)
1. Severity: HIGH
and variable handling. Revising the code on the site
to use prepared statements and sanitize input will
remedy this vulnerability.
7.3.4 Slax (Hackerdemia)

a. IP: 192.168.1.123
i. Directory Listing
1. Severity: LOW
2. The /inc folder in the web root is viewable,
giving the viewer access to see all the .php files
(cannot actually view due to being backend) and
gain information on the structure of the web
server.
3. Adding rules to the .htaccess file regarding the
/inc folder to prevent browsing is recommended.
ii. SMTP Enumeration

1. Severity: LOW
2. The smtp mail server is able to be enumerated
using the Metasploit module
auxiliary/scanner/smtp/smtp_enum. This
provided a list of email accounts stored by the
server.
3. Updating the sendmail configuration to not
allow for enumeration is recommended.
StarDotStar 30
7.4 Tools Used
7.4.1 Metasploit Framework
We used the Metasploit framework to launch both the MS08-067 and

IE Create Object attacks, as well as gain a shell using the default MS SQL
credentials. Once in, Metasploits meterpreter shell let us dump user hashes
and upload/download files.
One of the files uploaded was a backdoor that we wrote. This was written in
Python 2.7, and performs a reverse connection to our attack platform and
provides access to the system whenever wanted. The source code of this
script is included in the zipfile with this report.
Name: pythonBD.py (Note: The entire code is commented out to negate
risk during code-review)
7.4.2 SQLMap
To dump the databases, we used manual and automated SQL

injections. For the automation we used SQLMap, a Python based tool that,
once it knows the database type, can traverse tables and reveal database
information.
7.4.3 Burp Suite
In order to find out potential injectable fields, we used Burp Suite to

capture Post-requests with parameters which could be injectable. SQLMap
then would replay those saved request while testing the injectable field with
SQL queries.
StarDotStar 31
7.4.4 Hashcat
For cracking the hashes, we used hashcat 3.0. To maximize results,

we used the GPU cracking options, which let us run the dumped hashes
against over 500 million password from several wordlists, as well as test
every letter number password possible up to eight characters.
7.4.5 Hydra
While we did not get any results, we used hydra to test for weak
credentials in smtp on the Ubuntu (Hackerdemia) box. We did this using
leaked users from the smtp service.
7.4.6 BEEF XSS Framework
We tested and experimented with BEEF (Browser Exploitation

Framework) which yielded few results due to not finding any XSS or CSRF
vulnerabilities. However an attacker with the same shell access we obtained
could edit the web applications to include client side XSS attacks such as
CSRF and session hijacking using BEEF or other means.
StarDotStar 32
Appendix A
People Searching websites used
www.peekyou.com
www.411.com
www.spokeo.com
www.rehold.com
www.whitepages.com
http://people.equilar.com/
Tools used
Recong-ng
Maltego
Burp Suite
dnsenum.pl
Python
Bash
StarDotStar 33
Appendix B
Employee and Executive Information
Name Position Professional Email LinkedIn Phone Address

Number
Tim President tim.mahoney@honeywell.com 480- 16065 S 18th Place,

Mahoney 706- Phoenix AZ
0472
Rob Ferris Vice President, rob.ferris@honeywell.com https://www.linkedin.c

External om/in/rob-ferris-
Communication 54109a6
Bob Controls bob.morrison6@honeywell.com https://www.linkedin.c

Morrison Software om/in/bob-morrison-
Integration 895a7561
James james.bryson@honeywell.com https://uk.linkedin.com

Bryson /in/james-bryson-
723b591
James james.mcqueeney@honeywell.com
Mcqueeney
Dan Morket dan.morkert@honeywell.com
Carey President of carey.smith@honeywell.com https://www.linkedin.c 7000 Columbia Gateway

Smith Defense and om/in/carey-smith- Drive, Columbia, MD
Space 7545a613
Carl VP, Marketing carl.esposito@honeywell.com https://www.linkedin.c

Esposito and Product om/in/carl-esposito-
Management b821848
Bill Reavis Dir. Media bill.reavis@honeywell.com https://www.linkedin.c

Relations om/in/bill-reavis-
3853125a
Karen Vice President of karen.crabtree@honeywell.com https://www.linkedin.c

Crabtree Marketing and om/in/carl-esposito-
Product b821848
Management
Samantha samantha.tiger@honeywell.com
Tiger
Douglas Sr. Network douglas.welch@honeywell.com https://www.linkedin.c

Welch Security om/in/doug-welch-
Engineer 238a813a
Clifford Solution clifford.vaughan@honeywell.com https://www.linkedin.c

Vaughan Engineer om/in/cvaughan3
David Process david.snyder6@honeywell.com https://www.linkedin.c

Snyder Engineer om/in/david-snyder-
56b07861
StarDotStar 34
Naseeba naseeba.ali@honeywell.com
Ali
Kimberly Real Estate kimberly.forrer@honeywell.com https://www.linkedin.c

Forrer Portfolio om/in/kimberly-forrer-
Manager 63475824
Roth Director, roth.eddings@honeywell.com https://www.linkedin.c

Eddings External om/in/rob-ferris-
Communications 54109a6
John Director of John.Wyrwas@honeywell.com https://www.linkedin.c 1 Rock Island Arsenal Rock

Wyrwas Program om/in/john-wyrwas- Island IL
Management 3b569a11
Alan EMEA VAT Alan.Thompson2@Honeywell.com https://uk.linkedin.com 2800 Eisenhower Ave,

Thompson Manager /in/alan-thompson- Alexandria
79524b15
Catherine Catherine.Schade@honeywell.com https://www.linkedin.c 6078 Shawnee Court,

Schade om/in/catherine- Bettendorf IA
schade-52a6b354
StarDotStar 35
ARIN network details
Net Range: 129.30.0.0 - 129.30.255.255

CIDR: 129.30.0.0/16
Name: HONEYWELL
Organization: Honeywell International, Inc.
Email address in comments: abuse@honeywell.com
StarDotStar 36
Net Range: 165.195.0.0 - 165.195.255.255

CIDR: 165.195.0.0/16
Name: HONEYWELL
Organization: Honeywell International Inc.
StarDotStar 37
Net Range: 199.61.0.0 - 199.64.255.255

CIDR:199.61.0.0/16
199.62.0.0/15
199.64.0.0/16
Name: HONEYWELL
Organization: Honeywell International Inc.
StarDotStar 38
Appendix C
poc.sh & poc.py full raw output file contents:
HTTP/1.1 301 Moved Permanently

Connection: Keep-Alive
Set-Cookie: ISAWPLB{D8A4C545-3B43-410C-A99C-C401BC720537}={0EE049A3-30DA-
431B-BEA2-7712B9811104}; HttpOnly; Path=/
Content-Length: 147
Date: Fri, 10 Jun 2016 23:25:40 GMT
Location: http://www.honeywell.com
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> honeywell.com ANY +noall +answer

;; global options: +cmd
honeywell.com. 123 IN A 199.64.218.61
honeywell.com. 14398 IN NS dns1.honeywell.com.
honeywell.com. 14398 IN NS dns2.honeywell.com.
honeywell.com. 14398 IN SOA de08undgm01.honeywell.com.
hostmaster.honeywell.com. 2015092460 7200 3600 604800 86400
honeywell.com. 298 IN MX 15 honeywell-
com.mail.protection.outlook.com.
honeywell.com. 14398 IN TXT "google-site-
verification=FKijZCsx1UCydtYo2KJ1YIKBI-UaCa0JD3NzSI8BhG4"
honeywell.com. 14398 IN TXT "MS=ms35314715"
honeywell.com. 14398 IN TXT "v=spf1 ip4:199.64.220.26 ip4:199.61.24.27
ip4:199.15.215.105 ip4:198.245.81.13 include:mktomail.com
include:spf.messaging.microsoft.com a mx ?all"
honeywell.com. 14398 IN TXT
"3uvUsWYLVTiRB+qIRL4SugHQhjKlHiDFExvbhDey/CL+oX66+F4TIJzPH97ktR/dJPZjSr
X5BMjhiQUqvSeH7A=="
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
#
https://whois.arin.net/rest/nets;q=199.64.218.61?showDetails=true&showARIN=false&showNon
ArinTopLevelNet=false&ext=netref2
StarDotStar 39
NetRange: 199.61.0.0 - 199.64.255.255

CIDR: 199.61.0.0/16, 199.62.0.0/15, 199.64.0.0/16
NetName: HONEYWELL
NetHandle: NET-199-61-0-0-1
Parent: NET199 (NET-199-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Honeywell International Inc. (HONEY-13)
RegDate: 1993-11-23
Updated: 2012-02-24
Ref: https://whois.arin.net/rest/net/NET-199-61-0-0-1
OrgName: Honeywell International Inc.

OrgId: HONEY-13
Address: 101 Columbia Road
City: Morristown
StateProv: NJ
PostalCode: 07962
Country: US
RegDate: 2007-07-19
Updated: 2015-07-09
Ref: https://whois.arin.net/rest/org/HONEY-13
OrgAbuseHandle: ABUSE106-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-480-592-1137
OrgAbuseEmail: abuse@honeywell.com
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE106-ARIN
OrgNOCHandle: CERF-HM-ARIN
OrgNOCName: ATand T Enhanced Network Services
OrgNOCPhone: +1-858-812-5000
OrgNOCEmail: notify@attens.com
OrgNOCRef: https://whois.arin.net/rest/poc/CERF-HM-ARIN
OrgTechHandle: RTE57-ARIN
OrgTechName: Eddings, Roth T
OrgTechPhone: +1-480-287-4158
OrgTechEmail: roth.eddings@honeywell.com
OrgTechRef: https://whois.arin.net/rest/poc/RTE57-ARIN
OrgTechHandle: DGW24-ARIN
OrgTechName: welch, douglas grant
OrgTechEmail: douglas.welch@honeywell.com
OrgTechRef: https://whois.arin.net/rest/poc/DGW24-ARIN
StarDotStar 40
OrgTechHandle: CV136-ARIN
OrgTechName: Vaughan, Cliff
OrgTechEmail: clifford.vaughan@honeywell.com
OrgTechRef: https://whois.arin.net/rest/poc/CV136-ARIN
RTechHandle: CV136-ARIN
RTechName: Vaughan, Cliff
RTechPhone: +1-480-592-5125
RTechEmail: clifford.vaughan@honeywell.com
RTechRef: https://whois.arin.net/rest/poc/CV136-ARIN
RNOCHandle: CV136-ARIN
RNOCName: Vaughan, Cliff
RNOCPhone: +1-480-592-5125
RNOCEmail: clifford.vaughan@honeywell.com
RNOCRef: https://whois.arin.net/rest/poc/CV136-ARIN
RAbuseHandle: ABUSE106-ARIN
RAbuseName: Abuse
RAbusePhone: +1-480-592-1137
RAbuseEmail: abuse@honeywell.com
RAbuseRef: https://whois.arin.net/rest/poc/ABUSE106-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
DNS ENUM RESULTS:
honeywell.com 199.64.218.61
dns1.honeywell.com 199.64.220.7
honeywell-com.mail.protection.outlook.com 207.46.163.170
ads.honeywell.com 23.5.216.142
san2.honeywell.com.edgekey.net 23.5.216.142
e11442.x.akamaiedge.net 23.5.216.142
apps.honeywell.com 77.73.98.236
StarDotStar 41
extranet.honeywell.com 199.61.20.164
mail1.honeywell.com 199.64.220.25
mail2.honeywell.com 199.61.24.28
nova.honeywell.com 137.135.129.175
portal.honeywell.com 199.64.2.222
projects.honeywell.com 199.64.218.48
rcs.honeywell.com 199.61.20.118
search.honeywell.com 199.64.2.164
stats.honeywell.com 66.235.139.17
honeywell.com.112.2o7.net 66.235.139.18
vps.honeywell.com 23.96.252.52
vpshoneywell.azurewebsites.net 23.96.252.52
ssl.vpshoneywell.azurewebsites.net 23.96.252.52
webmail.honeywell.com 199.64.200.150
www.honeywell.com 40.114.43.40
prod.honeywell.trafficmanager.net 40.114.43.40
ent-prd-dcx-webcd.cloudapp.net 40.114.43.40
StarDotStar 42
Appendix D
Ping Sweep Results (From Section 5.3.1):
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-22 16:14 MST

Nmap scan report for 172.16.112.1
Host is up (0.00058s latency).
MAC Address: 00:50:56:A5:B6:7E (VMware)
MAC Address: 00:50:56:A5:4D:A2 (VMware)
MAC Address: 00:50:56:A5:CA:AA (VMware)
Host is up (-0.087s latency).
MAC Address: 00:50:56:A5:29:9A (VMware)
MAC Address: 00:50:56:A5:FD:A5 (VMware)
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.34 seconds
StarDotStar 43
TCP Port Scan Results (From Section 5.3.2):
8 open ports found on 172.16.112.20

6 open ports found on 172.16.112.25
Result:
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS

PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
1433/tcp open ms-sql-s
StarDotStar 44
UDP Port Scan Results (From Section 5.3.2):
11 ports found on 172.16.112.20

9 ports found on 172.16.112.25
Results:
PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1026/udp open|filtered win-rpc
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
3456/udp open|filtered IISrpc-or-vat
4500/udp open|filtered nat-t-ike

PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1434/udp open|filtered ms-sql-m
4500/udp open|filtered nat-t-ike
StarDotStar 45
Web Port Scan Results (From Section 5.3.4):
Port 443 is open on 172.16.112.1

Ports 80/443 are open 172.16.112.20
Port 80 is open on 172.16.112.25
Results:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-23 15:28 MST
PORT STATE SERVICE
80/tcp closed http
443/tcp open https

PORT STATE SERVICE
80/tcp open http
443/tcp open https

PORT STATE SERVICE
80/tcp open http
443/tcp closed https
StarDotStar 46
Scan Report with Reason for state (From Section 5.3.5):

Host is up, received arp-response (0.00038s latency).
Scanned at 2016-06-23 15:49:03 MST for 1219s
Reason: 998 port-unreaches and 998 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
443/tcp open https syn-ack ttl 64
514/udp open|filtered syslog no-response
4500/udp open|filtered nat-t-ike no-response

Reason: 992 resets and 989 port-unreaches
21/tcp open ftp syn-ack ttl 128
25/tcp open smtp syn-ack ttl 128
80/tcp open http syn-ack ttl 128
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
443/tcp open https syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
1025/tcp open NFS-or-IIS syn-ack ttl 128
123/udp open ntp udp-response ttl 128
137/udp open netbios-ns udp-response ttl 128
138/udp open|filtered netbios-dgm no-response
161/udp open|filtered snmp no-response
445/udp open|filtered microsoft-ds no-response
500/udp open|filtered isakmp no-response
1026/udp open|filtered win-rpc no-response
1434/udp open|filtered ms-sql-m no-response
1900/udp open|filtered upnp no-response
3456/udp open|filtered IISrpc-or-vat no-response

Reason: 994 resets and 991 port-unreaches
80/tcp open http syn-ack ttl 128
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
1025/tcp open NFS-or-IIS syn-ack ttl 128
1433/tcp open ms-sql-s syn-ack ttl 128
StarDotStar 47
123/udp open|filtered ntp no-response

137/udp open netbios-ns udp-response ttl 128
138/udp open|filtered netbios-dgm no-response
161/udp open|filtered snmp no-response
162/udp open|filtered snmptrap no-response
445/udp open|filtered microsoft-ds no-response
500/udp open|filtered isakmp no-response
1434/udp open|filtered ms-sql-m no-response
StarDotStar 48
OS Scan Result (From Section 5.3.9):

PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
Device type: general purpose
Running: OpenBSD 5.X
OS CPE: cpe:/o:openbsd:openbsd:5
OS details: OpenBSD 5.0 - 5.4
Network Distance: 1 hop

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003

PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
1433/tcp open ms-sql-s
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
StarDotStar 49
Appendix E
Nessus MyPolicy.txt
I Summary
=========
This document reports on the results of an automatic security scan.

The report first summarises the results found.
Then, for each host, the report describes every issue found.
Please consider the advice given in each description, in order to rectify
the issue.
All dates are displayed using the timezone "Coordinated Universal Time",
which is abbreviated "UTC".
Vendor security updates are not trusted.
Overrides are on. When a result has an override, this report uses the
threat of the override.
Notes are included in the report.
This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level "Debug" are not shown.
Issues with the threat level "False Positive" are not shown.
This report contains all 46 results selected by the

filtering described above. Before filtering there were 46 results.
Scan started: Wed Jun 22 07:33:33 2016 UTC

Scan ended: Wed Jun 22 07:39:26 2016 UTC
Task: Immediate scan of IP 172.16.112.20
Host Summary
************
Host High Medium Low Log False Positive

172.16.112.20 4 9 0 33 0
Total: 1 4 9 0 33 0
II Results per Host

===================
Host 172.16.112.20
******************
Scanning of this host started at: Wed Jun 22 07:33:44 2016 UTC
Number of results: 46
StarDotStar 50
Port Summary for Host 172.16.112.20

-----------------------------------
Service (Port) Threat Level

445/tcp High
80/tcp High
25/tcp Medium
general/tcp Log
general/icmp Log
general/SMBClient Log
general/CPE-T Log
443/tcp Log
21/tcp Log
139/tcp Log
1025/tcp Log
Security Issues for Host 172.16.112.20

--------------------------------------
Issue
-----
NVT: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote
OID: 1.3.6.1.4.1.25623.1.0.900233
Threat: High (CVSS: 10.0)
Port: 445/tcp
Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS09-001.
Vulnerability Detection Result:

Vulnerability was detected according to the Vulnerability Detection Method.
Impact:
Successful exploitation could allow remote unauthenticated attackers
to cause denying the service by sending a specially crafted network message
to a system running the server service.
Impact Level: System/Network
Solution:
Solution type: VendorFix
Run Windows Update and update the listed hotfixes or download and
update mentioned hotfixes in the advisory from the below link,
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Affected Software/OS:
Microsoft Windows 2K Service Pack 4 and prior.
Microsoft Windows XP Service Pack 3 and prior.
Microsoft Windows 2003 Service Pack 2 and prior.
Vulnerability Insight:
The issue is due to the way Server Message Block (SMB) Protocol software
StarDotStar 51
handles specially crafted SMB packets.
Vulnerability Detection Method:

Details:
Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote
(OID: 1.3.6.1.4.1.25623.1.0.900233)
Version used: $Revision: 3183 $
References:
CVE: CVE-2008-4114, CVE-2008-4834, CVE-2008-4835
BID: 31179
Other:
http://www.milw0rm.com/exploits/6463
Issue
-----
NVT: Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468)
OID: 1.3.6.1.4.1.25623.1.0.902269
Port: 445/tcp
Summary:

Impact:
Successful exploitation will allow remote attackers to execute arbitrary
code or cause a denial of service or bypass the authentication mechanism
via brute force technique.
Impact Level: System/Application
Solution:
Microsoft Windows 7
Microsoft Windows 2000 Service Pack and prior
Microsoft Windows XP Service Pack 3 and prior
Microsoft Windows Vista Service Pack 2 and prior
Microsoft Windows Server 2003 Service Pack 2 and prior
Microsoft Windows Server 2008 Service Pack 2 and prior
- An input validation error exists while processing SMB requests and can
be exploited to cause a buffer overflow via a specially crafted SMB packet.
StarDotStar 52
- An error exists in the SMB implementation while parsing SMB packets during
the Negotiate phase causing memory corruption via a specially crafted SMB
packet.
- NULL pointer dereference error exists in SMB while verifying the 'share'
and 'servername' fields in SMB packets causing denial of service.
- A lack of cryptographic entropy when the SMB server generates challenges
during SMB NTLM authentication and can be exploited to bypass the
authentication mechanism.

Details:
Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468)
(OID: 1.3.6.1.4.1.25623.1.0.902269)
References:
CVE: CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231
CERT: DFN-CERT-2010-0192
Other:
http://secunia.com/advisories/38510/
http://support.microsoft.com/kb/971468
http://www.vupen.com/english/advisories/2010/0345
Issue
-----
NVT: Microsoft Security Bulletin MS07-040
OID: 1.3.6.1.4.1.25623.1.0.101005
Port: 80/tcp
Summary:
Microsoft .NET is affected by multiples criticals vulnerabilities.
Two of these vulnerabilities could allow remote code execution on client systems!
with .NET Framework installed,
and one could allow information disclosure on Web servers running ASP.NET.

Missing MS07-040 patch, detected Microsoft .Net Framework version: 2.0.50727.42
Solution:
Microsoft has released an update to correct this issue,
you can download it from the following web site:

Details:
Microsoft Security Bulletin MS07-040
(OID: 1.3.6.1.4.1.25623.1.0.101005)
StarDotStar 53
References:
CVE: CVE-2007-0041, CVE-2007-0042, CVE-2007-0043
Issue
-----
NVT: Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.900711
Port: 80/tcp
Summary:
The host is running Microsoft IIS Webserver with WebDAV Module and
is prone to remote authentication bypass vulnerability.

Impact:
Successful exploitation will let the attacker craft malicious UNICODE characters
and send it over the context of IIS Webserver where WebDAV is enabled. As a
result due to lack of security implementation check it will let the user fetch
password protected directories without any valid authentications.
Impact Level: Application
Solution:
http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx
Microsoft Internet Information Services version 5.0 to 6.0
Workaround:
Disable WebDAV or Upgrade to Microsoft IIS 7.0
http://www.microsoft.com/technet/security/advisory/971492.mspx
Due to the wrong implementation of UNICODE characters support (WebDAV extension)
for Microsoft IIS Server which fails to decode the requested URL properly.
Unicode character checks are being done after IIS Server internal security
check, which lets the attacker execute any crafted UNICODE character in the
HTTP requests to get information on any password protected directories without
any authentication schema.

Details:
Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.900711)
References:
CVE: CVE-2009-1535
StarDotStar 54
BID: 34993
Other:
http://view.samurajdata.se/psview.php?id=023287d6&page=2
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
http://downloads.securityfocus.com/vulnerabilities/exploits/34993.rb
http://downloads.securityfocus.com/vulnerabilities/exploits/34993.txt
Issue
-----
NVT: Microsoft Windows SMTP Server DNS spoofing vulnerability
OID: 1.3.6.1.4.1.25623.1.0.100624
Threat: Medium (CVSS: 6.4)
Port: 25/tcp
Summary:
The Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server is
prone to a DNS spoofing vulnerability.
Successfully exploiting this issue allows remote attackers to spoof
DNS replies, allowing them to redirect network traffic and to launch
man-in-the-middle attacks.

Solution:
This issue is reported to be patched in Microsoft security advisory
MS10-024
please see the references for more information.

Details:
Microsoft Windows SMTP Server DNS spoofing vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.100624)
References:
CVE: CVE-2010-1690, CVE-2010-1689
BID: 39910, 39908
Other:
http://www.securityfocus.com/bid/39910
http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0058.html
http://www.microsoft.com
http://www.coresecurity.com/content/CORE-2010-0424-windows-stmp-dns-query-id-
bugs
Issue
-----
NVT: http TRACE XSS attack
StarDotStar 55
OID: 1.3.6.1.4.1.25623.1.0.11213
Port: 80/tcp
Summary:
Debugging functions are enabled on the remote HTTP server.
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.

Solution: Use the URLScan tool to deny HTTP TRACE requests or to permit only the!
methods
needed to meet site requirements and policy.
Solution:
Disable these methods.

Details:
http TRACE XSS attack
(OID: 1.3.6.1.4.1.25623.1.0.11213)
References:
CVE: CVE-2004-2320, CVE-2003-1567
BID: 9506, 9561, 11604
CERT: CB-K14/0981
, DFN-CERT-2014-1018
Other:
http://www.kb.cert.org/vuls/id/867593
Issue
-----
NVT: Microsoft Windows SMTP Server MX Record Denial of Service Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.100596
Port: 25/tcp
Summary:
The Microsoft Windows Simple Mail Transfer Protocol (SMTP) Server is
prone to a denial-of-service vulnerability and to to an information-disclosure v!
ulnerability.
Successful exploits of the denial-of-service vulnerability will cause the
affected SMTP server to stop responding, denying service to legitimate users.
Attackers can exploit the information-disclosure issue to gain access to
sensitive information. Any information obtained may lead to further attacks.
StarDotStar 56

Solution:
Microsoft released fixes to address this issue. Please see the
references for more information.

Details:
Microsoft Windows SMTP Server MX Record Denial of Service Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.100596)
References:
CVE: CVE-2010-0024, CVE-2010-0025
BID: 39308, 39381
Other:
http://www.microsoft.com
http://support.avaya.com/css/P8/documents/100079218
Issue
-----
OID: 1.3.6.1.4.1.25623.1.0.101009
Port: 80/tcp
Summary:
This Information Disclosure vulnerability could allow an attacker to bypass ASP.!
Net security
and gain unauthorized access to objects in the Application folders explicitly by!
name.
this could be used to produce useful information that could be used to try to fu!
rther compromise the affected system.

Solution:
Microsoft has released a patch to correct this issue,

Details:
StarDotStar 57
(OID: 1.3.6.1.4.1.25623.1.0.101009)
References:
CVE: CVE-2006-1300
BID: 18920
Issue
-----
NVT: IIS Service Pack - 404
OID: 1.3.6.1.4.1.25623.1.0.11874
Port: 80/tcp
Summary:
Ensure that the server is running the latest stable Service Pack

The remote IIS server *seems* to be Microsoft IIS 5.1 - SP0
Solution:
The Patch level (Service Pack) of the remote IIS server appears to be lower
than the current IIS service pack level. As each service pack typically
contains many security patches, the server may be at risk.
Caveat: This test makes assumptions of the remote patch level based on static
return values (Content-Length) within the IIS Servers 404 error message.
As such, the test can not be totally reliable and should be manually confirmed.

Details:
IIS Service Pack - 404
(OID: 1.3.6.1.4.1.25623.1.0.11874)
Issue
-----
NVT: Microsoft IIS Tilde Character Information Disclosure Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.802887
Port: 80/tcp
Product detection result: cpe:/a:microsoft:iis:5.1

Detected by: Microsoft IIS Webserver Version Detection (OID:
1.3.6.1.4.1.25623.1.0.900710)
Summary:
This host is running Microsoft IIS Webserver and is prone to
information disclosure vulnerability.

StarDotStar 58
File/Folder name found on server starting with :aspnet
Impact:
Successful exploitation will allow remote attackers to obtain
sensitive information that could aid in further attacks.
Solution:
Solution type: WillNotFix
No solution or patch was made available for at least one year
since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective
features, remove the product or replace the product by another one.
Microsoft Internet Information Services versions 7.5 and prior
Microsoft IIS fails to validate a specially crafted GET request
containing a '~' tilde character, which allows to disclose all short-names of
folders and files having 4 letters extensions.

Details:
Microsoft IIS Tilde Character Information Disclosure Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.802887)
Product Detection Result:

Product:cpe:/a:microsoft:iis:5.1
Method:Microsoft IIS Webserver Version Detection

(OID: 1.3.6.1.4.1.25623.1.0.900710)
References:
BID: 54251
Other:
http://www.osvdb.org/83771
http://www.exploit-db.com/exploits/19525
http://code.google.com/p/iis-shortname-scanner-poc
http://soroush.secproject.com/downloadable/iis_tilde_shortname_disclosure.txt
http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_fea
ture.pdf
Issue
-----
NVT: Microsoft ASP.NET Information Disclosure Vulnerability (2418042)
OID: 1.3.6.1.4.1.25623.1.0.901161
Port: 80/tcp
StarDotStar 59
Summary:

Impact:
Successful exploitation could allow remote attackers to decrypt and gain
access to potentially sensitive data encrypted by the server or read data
from arbitrary files within an ASP.NET application. Obtained information
may aid in further attacks.
Impact Level: System/Application
Solution:
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
Microsoft ASP.NET 1.0
Microsoft ASP.NET 4.0
Microsoft ASP.NET 3.5.1
Microsoft ASP.NET 1.1 SP1 and prior
The flaw is due to an error within ASP.NET in the handling of
cryptographic padding when using encryption in CBC mode. This can be
exploited to decrypt data via returned error codes from an affected server.

Details:
Microsoft ASP.NET Information Disclosure Vulnerability (2418042)
(OID: 1.3.6.1.4.1.25623.1.0.901161)
References:
CVE: CVE-2010-3332
BID: 43316
, DFN-CERT-2010-1237
Other:
http://www.vupen.com/english/advisories/2010/2429
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-
vulnerability.aspx
StarDotStar 60
Issue
-----
NVT: Microsoft IIS IP Address/Internal Network Name Disclosure Vulnerability
OID: 1.3.6.1.4.1.25623.1.0.902796
Port: 80/tcp
Summary:
The host is running Microsoft IIS Webserver and is prone to
IP address disclosure vulnerability.

Impact:
Successful exploitation will allow remote attackers to gain internal IP
address or internal network name, which could assist in further attacks
against the target host.
Solution:
Apply the hotfix for IIS 6.0 from below link
http://support.microsoft.com/kb/834141/#top
Microsoft Internet Information Services version 4.0, 5.0, 5.1 and 6.0
Workaround:
Apply workaround from below link for IIS 4.0, 5.0 and 5.1
http://support.microsoft.com/default.aspx?scid=KB
EN-US
Q218180
The flaw is due to an error while processing 'GET' request. When
MS IIS receives a GET request without a host header, the Web server will
reveal the IP address of the server in the content-location field or the
location field in the TCP header in the response.

Details:
Microsoft IIS IP Address/Internal Network Name Disclosure Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.902796)
References:
BID: 3159
Other:
http://support.microsoft.com/kb/834141/
http://www.securityfocus.com/bid/3159/info
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q218180
http://www.juniper.net/security/auto/vulnerabilities/vuln3159.html
StarDotStar 61
Issue
-----
OID: 1.3.6.1.4.1.25623.1.0.101006
Port: 80/tcp
Summary:
A cross-site scripting vulnerability exists in a server running a vulnerable ver!
sion of the .Net Framework 2.0
that could inject a client side script in the user's browser. The script could s!
poof content,
disclose information, or take any action that the user could take on the affecte!
d web site.

Solution:
Microsoft has released a patch to correct this issue,

Details:
(OID: 1.3.6.1.4.1.25623.1.0.101006)
References:
CVE: CVE-2006-3436
BID: 20337
Issue
-----
NVT: ICMP Timestamp Detection
OID: 1.3.6.1.4.1.25623.1.0.103190
Threat: Log (CVSS: 0.0)
Port: general/icmp
Summary:
The remote host responded to an ICMP timestamp request. The Timestamp Reply is
an ICMP message which replies to a Timestamp message. It consists of the
originating timestamp sent by the sender of the Timestamp as well as a receive
timestamp and a transmit timestamp. This information could theoretically be used
to exploit weak time-based random number generators in other services.

Log Method:
StarDotStar 62
Details:
ICMP Timestamp Detection
(OID: 1.3.6.1.4.1.25623.1.0.103190)
References:
CVE: CVE-1999-0524
CERT: CB-K15/1514
, CB-K14/0632
, DFN-CERT-2014-0658
Other:
http://www.ietf.org/rfc/rfc0792.txt
Issue
-----
NVT: OS Detection
OID: 1.3.6.1.4.1.25623.1.0.105937
Port: general/tcp
Summary:
This script consolidates the OS information detected by several NVTs and tries t!
o find the best matching OS.

Best matching OS:
cpe:/o:microsoft:windows
Found by NVT 1.3.6.1.4.1.25623.1.0.105355 (FTP OS Identification)
Other OS detections (in order of reliability):
OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Iden!
tification)
OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.102011 ()
OS: cpe:/o:microsoft:windows found by 1.3.6.1.4.1.25623.1.0.102002 (Detects remo!
te operating system version)
Log Method:
Details:
OS Detection
(OID: 1.3.6.1.4.1.25623.1.0.105937)
Issue
-----
NVT: arachni (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.110001
Port: general/tcp
Summary:
This plugin uses arachni ruby command line to find
StarDotStar 63
web security issues.

See the preferences section for arachni options.
Note that OpenVAS is using limited set of arachni options.
Therefore, for more complete web assessment, you should
use standalone arachni tool for deeper/customized checks.

Arachni could not be found in your system path.
OpenVAS was unable to execute Arachni and to perform the scan you
requested.
Please make sure that Arachni is installed and that arachni is
available in the PATH variable defined for your environment.
Log Method:
Details:
arachni (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.110001)
Issue
-----
NVT: Traceroute
OID: 1.3.6.1.4.1.25623.1.0.51662
Port: general/tcp
Summary:
A traceroute from the scanning server to the target system was
conducted. This traceroute is provided primarily for informational
value only. In the vast majority of cases, it does not represent a
vulnerability. However, if the displayed traceroute contains any
private addresses that should not have been publicly visible, then you
have an issue you need to correct.

Here is the route from 172.16.112.11 to 172.16.112.20:
172.16.112.11
172.16.112.20
Solution:
Block unwanted packets from escaping your network.
Log Method:
Details:
Traceroute
(OID: 1.3.6.1.4.1.25623.1.0.51662)
Issue
-----
NVT: SMB Remote Version Detection
StarDotStar 64
OID: 1.3.6.1.4.1.25623.1.0.807830
Port: general/tcp
Summary:
Detection of Server Message Block(SMB).
This script sends SMB Negotiation request and try to get the version from the
response.

Only SMBv1 is enabled on remote target
Log Method:
Details:
SMB Remote Version Detection
(OID: 1.3.6.1.4.1.25623.1.0.807830)
Issue
-----
NVT: CPE Inventory
OID: 1.3.6.1.4.1.25623.1.0.810002
Port: general/CPE-T
Summary:
This routine uses information collected by other routines about
CPE identities (http://cpe.mitre.org/) of operating systems, services and
applications detected during the scan.

172.16.112.20|cpe:/a:microsoft:ftp_service
172.16.112.20|cpe:/a:microsoft:.net_framework:2.0.50727.42
172.16.112.20|cpe:/a:microsoft:exchange_server
172.16.112.20|cpe:/a:microsoft:iis:5.1
172.16.112.20|cpe:/o:microsoft:windows
Log Method:
Details:
CPE Inventory
(OID: 1.3.6.1.4.1.25623.1.0.810002)
Issue
-----
NVT: SMB Test
OID: 1.3.6.1.4.1.25623.1.0.90011
Port: general/SMBClient
Summary:
StarDotStar 65
Test remote host SMB Functions

OS Version = WINDOWS 5.1
Domain = WORKGROUP
SMB Serverversion = WINDOWS 2000 LAN MANAGER
Log Method:
Details:
SMB Test
(OID: 1.3.6.1.4.1.25623.1.0.90011)
Issue
-----
NVT: Anonymous FTP Checking
OID: 1.3.6.1.4.1.25623.1.0.900600
Port: general/tcp
Summary:
This FTP Server allows anonymous logins.
A host that provides an FTP service may additionally provide Anonymous FTP
access as well. Under this arrangement, users do not strictly need an account
on the host. Instead the user typically enters 'anonymous' or 'ftp' when
prompted for username. Although users are commonly asked to send their email
address as their password, little to no verification is actually performed on
the supplied data.

Solution:
If you do not want to share files, you should disable anonymous logins.
Log Method:
Details:
Anonymous FTP Checking
(OID: 1.3.6.1.4.1.25623.1.0.900600)
References:
CVE: CVE-1999-0497
Issue
-----
NVT: FTP Banner Detection
OID: 1.3.6.1.4.1.25623.1.0.10092
Port: 21/tcp
StarDotStar 66
Summary:
This Plugin detects the FTP Server Banner

Remote FTP server banner :
220 Microsoft FTP Service
Log Method:
Details:
FTP Banner Detection
(OID: 1.3.6.1.4.1.25623.1.0.10092)
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Port: 21/tcp
Summary:
This routine attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 or 443 and makes this information
available for other check routines.

An FTP server is running on this port.
Here is its banner :
220 Microsoft FTP Service
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Issue
-----
NVT: SMTP Server type and version
OID: 1.3.6.1.4.1.25623.1.0.10263
Port: 25/tcp
Summary:
This detects the SMTP Server's type and version by connecting to
the server and processing the buffer received.

Remote SMTP server banner :
StarDotStar 67
220 WINVUL Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Wed, 2!
2 Jun 2016 01:34:00 -0600
Solution:
Change the login banner to something generic.
Log Method:
Details:
SMTP Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10263)
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Port: 25/tcp
Summary:

An SMTP server is running on this port
Here is its banner :
2 Jun 2016 01:33:58 -0600
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Issue
-----
NVT: SMTP Missing Support For STARTTLS
OID: 1.3.6.1.4.1.25623.1.0.105091
Port: 25/tcp
Summary:
The remote Mailserver does not support the STARTTLS command.

The remote Mailserver does not support the STARTTLS command.
StarDotStar 68
Log Method:
Details:
SMTP Missing Support For STARTTLS
(OID: 1.3.6.1.4.1.25623.1.0.105091)
Issue
-----
NVT: Microsoft Exchange Server Remote Detection
OID: 1.3.6.1.4.1.25623.1.0.111085
Port: 25/tcp
Summary:
The script checks the SMTP/POP3/IMAP server
banner for the presence of Microsoft Exchange Server.

Detected Microsoft Exchange
Version: 6.0.2600.2180
Location: 25/tcp
CPE: cpe:/a:microsoft:exchange_server
Concluded from version identification result:
2 Jun 2016 01:33:58 -0600
Service version: 6.0.2600.2180
Log Method:
Details:
Microsoft Exchange Server Remote Detection
(OID: 1.3.6.1.4.1.25623.1.0.111085)
Issue
-----
NVT: Microsoft dotNET version grabber
OID: 1.3.6.1.4.1.25623.1.0.101007
Port: 80/tcp
Summary:
The remote host seems to have Microsoft .NET installed.

OpenVAS was able to Detected Microsoft .NET Framework Version:2.0.50727.42 and A!
SP.NET Version:2.0.50727.42
Solution:
It's recommended to disable verbose error displaying to avoid version detection.
this can be done througth the IIS management console.
StarDotStar 69
Log Method:
Details:
Microsoft dotNET version grabber
(OID: 1.3.6.1.4.1.25623.1.0.101007)
Issue
-----
NVT: Windows SharePoint Services detection
OID: 1.3.6.1.4.1.25623.1.0.101018
Port: 80/tcp
Summary:
The remote host is running Windows SharePoint Services.
Microsoft SharePoint products and technologies include browser-based collaborat!
ion and a document-management platform.
These can be used to host web sites that access shared workspaces and documents!
from a browser.

Server: Microsoft-IIS/5.1
Operating System Type: Windows XP
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Solution:
It's recommended to allow connection to this host only from trusted hosts or net!
works.
Log Method:
Details:
Windows SharePoint Services detection
(OID: 1.3.6.1.4.1.25623.1.0.101018)
Issue
-----
NVT: HTTP Server type and version
OID: 1.3.6.1.4.1.25623.1.0.10107
Port: 80/tcp
Summary:
This detects the HTTP Server's type and version.

The remote web server type is :
Microsoft-IIS/5.1
Solution:
StarDotStar 70
Configure your server to use an alternate name like

'Wintendo httpD w/Dotmatrix display'
Be sure to remove common logos like apache_pb.gif.
With Apache, you can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Log Method:
Details:
HTTP Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10107)
Issue
-----
NVT: DIRB (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.103079
Port: 80/tcp
Summary:
This script uses DIRB to find directories and files on web
applications via brute forcing.

This are the directories/files found with brute force:
http://172.16.112.20:80/
Log Method:
Details:
DIRB (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.103079)
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Port: 80/tcp
Summary:

A web server is running on this port
Log Method:
StarDotStar 71
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Issue
-----
NVT: Web mirroring
OID: 1.3.6.1.4.1.25623.1.0.10662
Port: 80/tcp
Summary:
This script makes a mirror of the remote web site
and extracts the list of CGIs that are used by the remote host.
It is suggested you allow a long-enough timeout value for
this test routine and also adjust the setting on
the number of pages to mirror.

The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/Default.aspx (__VIEWSTATE
[/wEPDwUKMjA5NTM4ODIyM2QYAQUeX19Db250cm9sc1JlcXVpcmVQ!
b3N0QmFja0tleV9fFgEFCWJ0blN1Ym1pdNEpbLWanoVbqK5Ie869aFbfxNEe] txtLogin []
txtPas!
sword [] btnSubmit [] __EVENTVALIDATION
[/wEWBALz2dacBQKG87HkBgK1qbSRCwLCi9reA1L!
Ic4ZiFdqfwrKYt5jOrNlidpaE] )
Log Method:
Details:
Web mirroring
(OID: 1.3.6.1.4.1.25623.1.0.10662)
Issue
-----
NVT: Directory Scanner
OID: 1.3.6.1.4.1.25623.1.0.11032
Port: 80/tcp
Summary:
This plugin attempts to determine the presence of various
common dirs on the remote web server

The following directories were discovered:
/old
While this is not, in and of itself, a bug, you should manually inspect
StarDotStar 72
these directories to ensure that they are in compliance with company

security standards
The following directories require authentication:
/printers
Log Method:
Details:
Directory Scanner
(OID: 1.3.6.1.4.1.25623.1.0.11032)
References:
Other:
OWASP:OWASP-CM-006
Issue
-----
NVT: HTTP TRACE
OID: 1.3.6.1.4.1.25623.1.0.11040
Port: 80/tcp
Summary:
Transparent or reverse HTTP proxies may be implement on some sites.

The TRACE method revealed 99 proxy(s) between us and the web server:
1. ? - Microsoft-IIS/5.1
...
99. ? - Microsoft-IIS/5.1
Log Method:
Details:
HTTP TRACE
(OID: 1.3.6.1.4.1.25623.1.0.11040)
Issue
-----
NVT: Directories used for CGI Scanning
OID: 1.3.6.1.4.1.25623.1.0.111038
Port: 80/tcp
Summary:
The script prints out the directories which
are used when CGI scanning is enabled.

The following directories are used for CGI scanning:
http://172.16.112.20/scripts
StarDotStar 73
http://172.16.112.20/cgi-bin
http://172.16.112.20/old
http://172.16.112.20/
Log Method:
Details:
Directories used for CGI Scanning
(OID: 1.3.6.1.4.1.25623.1.0.111038)
Issue
-----
NVT: Nikto (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.14260
Port: 80/tcp
Summary:
This plugin uses nikto(1) to find weak CGI scripts
and other known issues regarding web server security.
See the preferences section for configuration options.

Here is the Nikto report:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.112.20
+ Target Hostname: 172.16.112.20
+ Target Port: 80
+ Start Time: 2016-06-22 07:35:01 (GMT0)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.1
+ Retrieved x-aspnet-version header: 2.0.50727
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user a!
gent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent !
to render the content of the site in a different fashion to the MIME type
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: DAV
+ Uncommon header 'ms-author-via' found, with contents: DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE!
, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove!
files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to s!
ave files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change f!
ile locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE,!
StarDotStar 74
MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remov!
e files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to !
save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change !
file locations on the web server.
+ WebDAV enabled (PROPPATCH LOCK MKCOL UNLOCK SEARCH COPY PROPFIND listed as
all!
owed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: htt!
p://172.16.112.20/
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to X!
ST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to X!
ST
+ Cookie ASPSESSIONIDAQCACDBA created without the httponly flag
+ OSVDB-3092: /old/: This might be interesting...
+ OSVDB-3092: /localstart.asp: This may be interesting...
+ OSVDB-3092: /iishelp/iis/misc/default.asp: Default IIS page found.
+ /portal/changelog: Vignette richtext HTML editor changelog found.
+ 8495 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time: 2016-06-22 07:35:38 (GMT0) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Log Method:
Details:
Nikto (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.14260)
Issue
-----
NVT: wapiti (NASL wrapper)
OID: 1.3.6.1.4.1.25623.1.0.80110
Port: 80/tcp
Summary:
This plugin uses wapiti to find
web security issues.
Make sure to have wapiti 2.x as wapiti 1.x is not supported.
See the preferences section for wapiti options.
Note that OpenVAS is using limited set of wapiti options.
Therefore, for more complete web assessment, you should
use standalone wapiti tool for deeper/customized checks.

wapiti report filename is empty. that could mean that
wrong version of wapiti is used or tmp dir is not accessible.
Make sure to have wapiti 2.x as wapiti 1.x is not supported.
StarDotStar 75
In short: check installation of wapiti and OpenVAS
Log Method:
Details:
wapiti (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.80110)
Issue
-----
NVT: Microsoft IIS Webserver Version Detection
OID: 1.3.6.1.4.1.25623.1.0.900710
Port: 80/tcp
Summary:
This script detects the installed MS IIS Webserver and sets the
result in KB

Detected Microsoft IIS Webserver
Version: 5.1
Location: 80/tcp
CPE: cpe:/a:microsoft:iis:5.1
Concluded from version identification result:
IIS/5.1
Log Method:
Details:
Microsoft IIS Webserver Version Detection
(OID: 1.3.6.1.4.1.25623.1.0.900710)
Issue
-----
NVT: SMB on port 445
OID: 1.3.6.1.4.1.25623.1.0.11011
Port: 139/tcp
Summary:
This script detects wether port 445 and 139 are open and
if thet are running SMB servers.

An SMB server is running on this port
Log Method:
Details:
SMB on port 445
(OID: 1.3.6.1.4.1.25623.1.0.11011)
StarDotStar 76
Issue
-----
NVT: Services
OID: 1.3.6.1.4.1.25623.1.0.10330
Port: 443/tcp
Summary:

An unknown service is running on this port.
It is usually reserved for HTTPS
Log Method:
Details:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
Issue
-----
NVT: Identify unknown services with nmap
OID: 1.3.6.1.4.1.25623.1.0.66286
Port: 443/tcp
Summary:
This plugin performs service detection by launching nmap's
service probe against ports running unidentified services.
Description :
This plugin is a complement of find_service.nasl. It launches
nmap -sV (probe requests) against ports that are running
unidentified services.

Nmap service detection result for this port: https
This is a guess. A confident identification of the service was not possible.
Log Method:
Details:
Identify unknown services with nmap
(OID: 1.3.6.1.4.1.25623.1.0.66286)
StarDotStar 77
Issue
-----
NVT: SMB NativeLanMan
OID: 1.3.6.1.4.1.25623.1.0.102011
Port: 445/tcp
Summary:
It is possible to extract OS, domain
and SMB server information from the Session Setup AndX Response packet
which is generatedduring NTLM authentication.

Detected SMB workgroup: WORKGROUP
Detected SMB server: Windows 2000 LAN Manager
Detected OS: Windows 5.1
Log Method:
Details:
SMB NativeLanMan
(OID: 1.3.6.1.4.1.25623.1.0.102011)
Issue
-----
NVT: SMB on port 445
OID: 1.3.6.1.4.1.25623.1.0.11011
Port: 445/tcp
Summary:
This script detects wether port 445 and 139 are open and
if thet are running SMB servers.

A CIFS server is running on this port
Log Method:
Details:
SMB on port 445
(OID: 1.3.6.1.4.1.25623.1.0.11011)
Issue
-----
NVT: Microsoft SMB Signing Disabled
OID: 1.3.6.1.4.1.25623.1.0.802726
Port: 445/tcp
StarDotStar 78
Summary:
Checking for SMB signing is disabled.
The script logs in via smb, checks the SMB Negotiate Protocol response to
confirm SMB signing is disabled.

SMB signing is disabled on this host
Log Method:
Details:
Microsoft SMB Signing Disabled
(OID: 1.3.6.1.4.1.25623.1.0.802726)
Issue
-----
NVT: Identify unknown services with nmap
OID: 1.3.6.1.4.1.25623.1.0.66286
Port: 1025/tcp
Summary:
This plugin performs service detection by launching nmap's
service probe against ports running unidentified services.
Description :
This plugin is a complement of find_service.nasl. It launches
nmap -sV (probe requests) against ports that are running
unidentified services.

Nmap service detection result for this port: msrpc
Log Method:
Details:
Identify unknown services with nmap
(OID: 1.3.6.1.4.1.25623.1.0.66286)
StarDotStar 79
Appendix F
Windows XP Hashes
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bd
d830b7586c::: Cracked! (password)
ASPNET:1005:5fb17a533013285bffc02083c3f48e6c:58404e31eb4ddf8a869a5685fa
813b2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c
089c0::: Cracked! (*blank no password*)
HelpAssistant:1000:dfbcc05e8a55611dba5dc13d2fb3614b:9cbfb55b0d260922555fa
6d0376e7bfd:::
IUSR_AKELLY-
D3D808A1:1003:fbca4ac487cb197e452a412e36b81d3d:329c4e7007896d4ddf1187
12790b8920:::
IWAM_AKELLY-
D3D808A1:1004:64ee602436e96fe19775591fdbf3c5e2:5ea7d1b5760548726e4449
25c0cbb1fe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:941c0cc0a1466f
335a2de8f9802fe036:::
Windows 2003 Hashes
Administrator:500:51cd23289304854d22c34254e51bff62:bc23a1506bd3c8d3a533
680c516bab27::: Cracked! (P@55w0rd!)
ASPNET:1007:16a6c99cc13bd5757b48b78093bb5570:da7e180110d6509aa401a5a
7b2dcdc17:::
dave:1022:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13c
ef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c
089c0::: Cracked! (*blank no password*)
IUSR_RALPH:1003:bab940dd7c0477b21856625027bdf484:5cfe2745a7bdca18901e
a74cb73da17c:::
IWAM_RALPH:1004:3b96f3c59c820586983121e72e3ae9f8:b36cd113cd77d576917a
7025f111c86e:::
StarDotStar 80
manager:1019:1ed43cc6d27e263f4ae30af03e6e662d:20c4b6dadf1d4944d55058b5
f069149c:::
operadmin:1017:f150e8fb8eefadf18e5d533411003c5c:d6dec4e236ee0cca62fb6fd5
69cded8e:::
SQLDebugger:1008:aad3b435b51404eeaad3b435b51404ee:8507d66605f11e40f5e
9150c6106bc41:::
supersupport:1018:51cd23289304854dc17ec4fe2a5374cb:0d05cd9c8ded97e26a6b
35ef8c7fc08e:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:c94304ab8c44f
6db09e78487592cef5c:::
Windows Web App Database Dump
userid middle_name username password last_name first_name

1 admin admin s3cr3t admin admin
2 boy jsmith password smith john
3 johnson rjohnson 31337 james robert
Note: Both Windows servers were hosting the same databases and web apps.
Ubuntu (pWnOS) Web App Database Dump
user_id pass email active Last first_name user_level registration_date

name
1 c2c4b admin@isints.com NULL Privett Dan 0 5/7/2011 17:27
4e51d
9e23c
02c15
702c1
36c3e
950ba
9a4af
StarDotStar 81
References
Alharbi, M. A. (2010, April 6). Writing a Penetration Testing Report.
Retrieved from SANS: https://www.sans.org/reading-
room/whitepapers/testing/writing-penetration-testing-report-33343

nts330 wk8-9 Stardotstar 2 0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

nts330 wk8-9 Stardotstar 2 0

Uploaded by

Copyright:

Available Formats

StarDotStar 1

This Report was Prepared by:

Authors Robert Thompson, Vance Jones, Tyler Weiss

Pen-Testers Robert Thompson, Vance Jones, Tyler Weiss

Reviewed By Robert Thompson, Vance Jones, Tyler Weiss

Approved By Robert Thompson, Vance Jones, Tyler Weiss

2.0 July 11, 2016 Vance Jones, Draft

1.9 July 11, 2016 Vance Jones Draft

1.8 June 25, 2016 Robert Draft

1.7 June 25, 2016 Robert Draft

1.2 June 11, 2016 Robert Draft

7.3.4 Slax (Hackerdemia) ............................................................... 29

The goal of this assessment is to determine how much information is

Penetration Test Phase Start Date End Date

Recon 5/23/2016 6/10/2016

Scanning 6/13/2016 6/24/2016

Penetration 6/27/2016 7/11/2016

1.4 Summary of Findings

2.1 Summary of Findings

2.3 Detail of Findings

8. What type of information did you turn up using search engines?

We found company social media accounts and documents. These gave us

3.3 Detail of Findings

1. Identify key employees. Get names, positions, salary, phone #, and

From there we focused in and found contact information, emails,

4.1 Summary of Findings

We found out physical location information, including side geo-locations and

4.3 Detail of Findings

1. Using Recon-NG perform a full recon on your target company.

a. Physical layout of the company.

3. Wireless recon. (note: this will be perform on the university's

an AP using any wireless devices, or a tool such as Kismet

5.1 Summary of Findings

5.3 Detail of Findings

5.3.1 Perform a ping sweep of your network to identify live hosts

5.3.3 Scan a host adjusting the timing of requests with Nmap.

time, reducing network traffic that could be detected by an

5.3.6 Scan a system with Nmap and output the results to a

5.3.7 Scan a host as if it where denying ICMP (ping).

1. NSE scripts can also be used for bypassing and

5.3.9 Perform Operating System identification on one of the hosts

5.3.10 Perform application fingerprinting on a host with Nmap. In

5.3.11 You are on a penetration test. Your customer asks you to

5.3.12 Which flags does a Xmas scan (-sX) set in Nmap?

6.1 Summary of Findings

We found several vulnerabilities using both OpenVas and Nessus. This

Patching SMB on all machines is highly recommended as they could

6.3 Detail of Findings

6.3.1 Download and install the Nessus Vulnerability Scanner on

when performing this type of scan. Lots of vulnerabilities were

6.3.3 Create a new custom scan policy in Nessus and name it

c. There are many other vulnerabilities that show up in either

6.3.6 Do you believe that there are vulnerabilities on the system

6.3.7 Export the data from the scan in NBE format.

6.3.8 Create a zip file containing your lab memo documentation

7.1 Summary of Findings

Upgrading all Windows computers to an operating system still under

7.3 Detail of Findings

blocking external connections over port 445 on

ii. Weak MS SQL Credentials (No CVE)

iii. SQL Injection Web Vulnerability (No CVE)

v. Guest Account with blank password (No CVE)

7.3.2 Windows Server 2003