United Services Automobile Association
Penetration Test USAA Network
December 17, 2015
This Report Was Prepared by:
Net Ninjas LLC
Darren Blakely Security Analyst
Marie Whiting Security Analyst
David Savlowitz Security Analyst
Table of Contents
Executive Summary
Document Properties
Version History
Summary of Findings
Windows XP (Spider) (192.168.1.90)
Windows Server 2008 (Lion) (192.168.37.10)
Windows XP (Fox) (192.168.37.20)
Windows XP (Owl) (192.168.37.30)
Windows XP (Mongoose) (192.168.37.50)
Windows XP (Frog) (192.168.37.250)
Secret Files Retrieved from Network
Recommendations
Windows XP (Spider) (192.168.1.90)
Windows Server 2008 (Lion) (192.168.37.10)
Windows XP (Fox) (192.168.37.20)
Windows XP (Owl) (192.168.37.30)
Windows XP (Mongoose) (192.168.37.50)
Windows XP (Frog) (192.168.37.250)
Detailed Findings
Initial Setup and Findings
Windows XP (Spider) (192.168.1.90)
Exploitation
Subnet 192.168.37.1/24
Windows Server 2008 (Lion) (192.168.37.10)
Windows XP (Fox) (192.168.37.20)
Windows XP (Owl) (192.168.37.30)
Exploitation
Windows XP (Mongoose) (192.168.37.50)
Exploitation
Windows XP (192.168.37.250)
Executive Summary
Net Ninjas Security has been contracted to perform a penetration test of the
United Services Automobile Association (USAA) network. In doing so, the security
company succeeded in accessing vital information located on the network's
systems. The ease of penetration suggests that there are major flaws in USAA's
network that must be addressed immediately. The Summary of Findings section
provides detailed information identifying the areas of vulnerability, and the
Recommendations section provides suggestions to address these flaws.
Document Properties
Name:
Classification: Classified
Version: 1.0
Authors:
Reviewed By:
Approved By:
Date Approved:
Version History
Version | Date | Purpose | Authors
1.0 | 12/11/2015 | | Darren Blakely, David Savlowitz, Marie Whiting
2.0 | 12/14/2015 | | Darren Blakely, David Savlowitz, Marie Whiting
3.0 | 12/14/20 | | Darren Blakely, David Savlowitz, Marie Whiting
Summary of Findings
Windows XP (Spider) (192.168.1.90)
A scan revealed three open ports (openings used for communication by a
specific service or program) on the Windows XP (Spider) system. One of these
ports was vulnerable to a popular exploit, which was used to access the system.
Once inside the system, a secret file was located along with password hashes for
several users. Although hashing passwords, or encrypting them by changing the
text to an algorithm or set of numbers, makes passwords more difficult to
decipher, this code can easily be broken. The Web server on this machine has also
been misconfigured to allow cross-site tracing, which is another well-known
vulnerability.
(Fox)
(Owl)
(Mongoose)
(FROG)
(Lion)
Recommendations
Windows XP (Spider) (192.168.1.90)
This machine is vulnerable to the popular exploit ms08_067_netapi. This is
fixable by updating the machine to a version of Windows that has patched
ms08_067_netapi such as Windows 7 or newer. Windows XP is no longer supported
by Microsoft and will not have a patch for this vulnerability in the future. It is also
recommended the administrator account utilize password protection in the near
future to better protect the network. Finally, the Web Server should be altered to
protect against cross-site tracing.
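One way to verify the cross-site tracing fix is to audit the web server configuration for the directive that controls the TRACE method. The following is an added example, not part of the original report; it assumes the web server is Apache httpd (as the Nikto finding suggests), uses constructed configuration fragments, and does not follow Include directives.

```python
import re

DIRECTIVE = re.compile(r"^\s*TraceEnable\s+(\S+)", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)

def trace_settings(conf_text):
    """Return {context: effective TraceEnable value} for the server and each vhost."""
    server_value = "on"   # Apache's default when the directive is absent
    vhosts = {}           # vhost address -> explicit value, or None if unset
    current = None        # vhost being parsed; None means server scope
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue      # ignore comment lines
        m = VHOST_OPEN.match(line)
        if m:
            current = m.group(1).strip()
            vhosts.setdefault(current, None)
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(1).lower()
            if current is None:
                server_value = value      # last server-level directive wins
            else:
                vhosts[current] = value   # vhost setting overrides the server
    settings = {"server": server_value}
    for name, value in vhosts.items():
        settings[name] = value if value is not None else server_value
    return settings

def trace_exposed(conf_text):
    """List the contexts where TRACE is still answered ('on' or 'extended')."""
    return sorted(c for c, v in trace_settings(conf_text).items() if v != "off")

# Constructed config fragments (not taken from the assessed server).
DEFAULT_CONF = '<VirtualHost *:80>\n  DocumentRoot "/var/www"\n</VirtualHost>\n'
HARDENED_CONF = "TraceEnable off\n" + DEFAULT_CONF
REENABLED_CONF = "TraceEnable off\n<VirtualHost *:8080>\n  TraceEnable On\n</VirtualHost>\n"
```

A configuration with no TraceEnable line at all is reported as exposed, because the method is enabled by default.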
Detailed Findings
Initial Setup and Findings
Upon starting this Black Box assessment, it was determined the Kali Linux
machine provided resided on the 192.168.1.1/24 network. This is an important fact
as it lets Net Ninjas know what network range they will be working with. In this
case a scope was undefined with the exception of the router on 192.168.1.1.
After noting there was indeed a web server running on this system, Net Ninjas
navigated to the web page to find an interesting web site devoted to Horse,
Alpaca, Camel, Koala, and Marlin Emporium. While browsing through the tabs,
there appeared to be nothing useful to Net Ninjas at this time.
A Nikto scan revealed a major vulnerability within this Apache service. This
allows Net Ninjas and anyone else with this knowledge to navigate the directory for
any information that may be stored within.
Exploitation
Most Windows XP machines are vulnerable to the ms08_067_netapi exploit.
On success, this would grant Net Ninjas unauthorized remote access to the
machine.
Net Ninjas was able to dump all user password hashes currently on the
system, including the administrator's, using the hashdump command.
Once inside the system, Net Ninjas began parsing through the C:\ drive, where
a suspicious file, secretfile0.txt, was located. Upon investigation it revealed an
odd message directed toward whoever found the file.
Using the route command, it is also possible to see the routes the system knows
of. In this case the Windows XP (192.168.1.90) knows of another route to the
192.168.37.1/24 subnet. There are no IPv6 routes known to the machine.
Net Ninjas then confirmed the compromised machine had a connection to the
192.168.37.90 subnet and prepared to pivot into the desired subnet
(192.168.37.1/24).
Subnet 192.168.37.1/24
Using the ARP Scanner script found in Meterpreter, other machines on the
192.168.37.1/24 subnet were located. This method revealed five (5) new machines,
not including a router. The 192.168.37.90 machine is the system Net Ninjas is
currently pivoting off of (Spider).
Using the Mimikatz tool on the FROG system, it was possible to retrieve user
credentials, including those of the domain admin, to gain access to this machine
using the psexec exploit. Once inside, the getsystem command granted Net Ninjas
system-level access, allowing them to find the final secret file.
The final file on the network was a congratulations message from the network
creator.
The secret file was located in the C:\ drive using a similar naming convention
to the others.
Exploitation
Easy FTP is vulnerable to buffer overflow exploits. As a result, Net Ninjas
chose an exploit that takes advantage of this and achieved access to this system.
Checking the same location, C:\, the next secret file was located. This one was
named secretfile2.txt. The information from this file was retrieved shortly before
the session died. This file apparently revealed a hint for the Mongoose machine.
A brute force attempt was made against the SQL server, revealing the password
to be password1. This username and password were then used to retrieve the
database schema, allowing Net Ninjas to find information on the Web App
database.
The SQL database was then queried for the contents of the table, revealing
vital user information such as username and password.
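Password guessing like the attempt described above leaves a recognizable pattern in the SQL Server error log. The following detection sketch is an added example, not part of the original report; it assumes login auditing records both failed and successful logins, the threshold and window are illustrative, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches SQL Server error-log "Logon" entries for failed and successful logins.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse(lines):
    """Yield (timestamp, result, user, client) for each login entry."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["result"], m["user"], m["client"]

def find_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, user) pairs with >= threshold failures inside the window and
    record whether a successful login from the same pair followed the burst."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, client in parse(lines):
        key = (client, user)
        if result == "failed":
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold:
                alerts.setdefault(key, {"first_alert": ts, "success_after": False})
        elif key in alerts:
            alerts[key]["success_after"] = True  # a guess probably worked
    return alerts

# Constructed log lines: six rapid failures for 'sa' followed by a success,
# plus one ordinary mistyped password from another client.
FAIL = "Reason: Password did not match that for the login provided."
OK = "Connection made using SQL Server authentication."
SAMPLE = [
    f"2024-01-01 10:15:{s:02d}.00 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 10.0.0.5]"
    for s in range(6)
] + [
    f"2024-01-01 10:15:07.00 Logon       Login succeeded for user 'sa'. {OK} [CLIENT: 10.0.0.5]",
    f"2024-01-01 10:16:00.00 Logon       Login failed for user 'webapp'. {FAIL} [CLIENT: 10.0.0.9]",
    f"2024-01-01 10:16:09.00 Logon       Login succeeded for user 'webapp'. {OK} [CLIENT: 10.0.0.9]",
]
```

An alert with success_after set is the case to escalate first, since it means the burst of failures ended in a valid login for that account.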
Exploitation
This MS SQL server was vulnerable to SQL payload execution: using the login
information gathered earlier (sa, password1), it was possible to gain access to
the system. Following that, technique 1 granted system-level privileges.
Windows XP (192.168.37.250)
The same scan used on the previous machines for information was utilized on
this machine. This revealed the system to be running a Windows XP operating
system with an SSH port open.
Using the Hydra tool on the SSH service, it was possible to find the username
and password combination from the Web Server 192.168.1.90.
Once inside the system, the C:\ drive housed the next secret file. This file
congratulated Net Ninjas on making it this far and contained information on a final
system along with the hint to pivot to it.
From here Net Ninjas used the netsh utility to disable the firewall.
It was later determined that another utility, Mimikatz, was required to gain
access to the Lion system. This utility was loaded onto the FROG machine to dump
user account information, including passwords in plain text.
Tools Utilized
Kali Linux (Provided by client)
Nmap (Version 6.40)
Metasploit (Version 4.8.0-2013112001)
Meterpreter (Version
Nikto (Version 2.1.5)
OpenVAS (Version 3.0.3)
Mimikatz (Version 1.0)
Feedback
The final was Exactly Right, as it both challenged and increased our
skillsets allowing us to surpass our own perceived limits and achieve new heights.
Net Ninjas spent around 6 hours throughout this engagement. Although Net
Ninjas did run into a technical issue with one of the target systems, a member of
the team was able to create a custom Kali Linux image providing the perfect
environment to run the exploit. Net Ninjas recommends that the Kali Linux template
for this engagement be replaced with the one created by a Net Ninjas team member
to prevent future teams from running into the same technical issues.