
StaticSpeed Vulnerability Report

Step 1: Asset identification, address update, dependencies, patches, and native protections at targeted Server/Desktop Operating Systems

Task 2

After reviewing the Windows machine, we found that automatic updates are not enabled for the system; for Linux, the package repositories are configured correctly. To fix this on Windows, we need to enable the following Group Policy setting:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates

Task 3 - Native Protections and Software Inventory

We can't find "DisableExceptionChainValidation" in the registry location, which means the Windows machine is not compliant. To mitigate this, we must establish the configuration via Group Policy and set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Structured Exception Handling Overwrite Protection (SEHOP).

We found that a VNC viewer is installed on the Windows system.

We have audited Ubuntu and found that it complies with controls 1.6.1 and 1.6.2, so no recommendation is required. We can see that TightVNC is installed.

Task 4

We can see the following vulnerabilities exist in both systems.


Step 2: Assess Access Management at Targeted Assets

Task 1

We can see the following host settings for the Ubuntu machine.

The following are the VLAN settings and IP security policies on the Windows machine. We can see that anonymous access is in place.

My recommendation for improvement is to stop sharing with everyone and add IPsec policies to increase security.

Task 2

We can see all running services on Ubuntu and Windows. We also see that IPv6 is enabled on both machines. My recommendation is to disable it if it is not needed.

Task 3

There are no firewall rules in place; we should deny clear-text protocols such as FTP, Telnet, and TFTP, block SMTP and POP, and force the use of HTTPS.

Task 4

Yes, the guest account is allowed to sudo on Linux.

No, the guest account is not allowed to run as an administrator on Windows.

Yes, we can see that Everyone has Full Control.

My recommendation is to revoke sudo from the guest account and grant only the access needed for sharing data.

Step 3: Log Monitoring Setup for Detection at Targeted Assets

Task 1

• The source IP of the attack: 10.0.2.7

• What protocol was brute-forced? Telnet

• What password was used? 12345678

• Which user was compromised? guest

To prevent this type of attack, we need to deny clear-text protocols.
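Added example (not part of the original report): a small Python detector that recovers the Task 1 answers (source IP, targeted user, whether the account was actually compromised) from login failures in auth.log. The log lines below are constructed in the form login(1) writes for telnet sessions; the IPs, users and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (sample data, not the report's real logs).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 ubuntu login[2310]: FAILED LOGIN (1) on '/dev/pts/1' from '10.0.2.7' FOR 'guest', Authentication failure
Mar  3 10:01:03 ubuntu login[2310]: FAILED LOGIN (2) on '/dev/pts/1' from '10.0.2.7' FOR 'guest', Authentication failure
Mar  3 10:01:04 ubuntu login[2310]: FAILED LOGIN (3) on '/dev/pts/1' from '10.0.2.7' FOR 'guest', Authentication failure
Mar  3 10:01:05 ubuntu login[2311]: FAILED LOGIN (1) on '/dev/pts/1' from '10.0.2.7' FOR 'guest', Authentication failure
Mar  3 10:01:06 ubuntu login[2311]: LOGIN ON pts/1 BY guest FROM 10.0.2.7
Mar  3 10:05:00 ubuntu login[2400]: FAILED LOGIN (1) on '/dev/pts/2' from '10.0.2.9' FOR 'student', Authentication failure
Mar  3 10:05:10 ubuntu login[2400]: LOGIN ON pts/2 BY student FROM 10.0.2.9
"""

FAILED_RE = re.compile(r"FAILED LOGIN \(\d+\) on '[^']+' from '(?P<ip>[\d.]+)' FOR '(?P<user>[^']+)'")
SUCCESS_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>[\d.]+)")


def detect_telnet_bruteforce(log_text, threshold=3):
    """Return {ip: {"user", "failures", "compromised"}} for every source IP whose
    failed telnet/console logins reach `threshold` (an assumed value). A source is
    marked compromised when a successful login for the same user follows the
    failures, which is the pattern behind the report's Task 1 answers."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> count
    compromised = set()                                # (ip, user) pairs
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            continue
        m = SUCCESS_RE.search(line)
        if m and failures[m["ip"]][m["user"]] >= threshold:
            compromised.add((m["ip"], m["user"]))
    findings = {}
    for ip, users in failures.items():
        for user, count in users.items():
            if count >= threshold:
                findings[ip] = {"user": user, "failures": count,
                                "compromised": (ip, user) in compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_telnet_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {f['failures']} failures for '{f['user']}', compromised={f['compromised']}")
```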

Task 2

• Source IP of the "initial" attack: 10.0.2.4

• Did the attacker try to access your machine from a compromised machine (MITRE ATT&CK Technique T1021)? No.

• What service and port were targeted? SMB, port 445

• Was the attacker able to access a sensitive file? Yes, we can see the payroll Excel file.

My recommendation is to patch the system and close all unnecessary ports.

Task 3
Yes, there is an account trying to access the Windows share.

• Using the audit logs set up on your Linux machine, what was the name of the attacker account? Nobody

My recommendation is to check the accounts and grant them only the permissions they need.

Task 4
For CIS 4.2.1.3 we can see that the following log files are being logged. We can see that Windows does not send its logs.

I recommend centralizing the logs to get the full benefit of this powerful function.

Step 4: Assess Authentication Management at Targeted Assets

Task 1

We did not see root remote login permitted.

There are no users allowed to SSH.

Provide recommendations on how to improve security in these areas.

We can see that the student account should be outside the Administrators group. Guest is in the Remote Desktop Users group and should not be there.

My recommendation is to remove all unnecessary access.

Task 2

For Windows, we should meet the password complexity requirements.

For Linux, likewise, nothing was enabled by the password policy.

Both systems do not comply with the control, as they do not have any compliance policy applied.

Task 3

Ubuntu is not compliant with FIPS 140-2 (Ubuntu 18.04 CIS 5.2.13).

FIPS is disabled in Windows.

We recommend enabling FIPS so that security fixes are included in a timely manner before the packages are re-certified.
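Added example covering the SSH findings of Task 1 (root remote login, which users may SSH) and the cipher control cited in Task 3; this is my own Python sshd_config auditor, not the report's or CIS's tooling. It assumes CIS Ubuntu 18.04 control 5.2.13 refers to the sshd cipher list, and the sshd_config fragment is constructed sample data.

```python
# Constructed sshd_config fragment (sample data, not the machine's real config).
# It reflects the report's findings: root login denied, but no AllowUsers /
# AllowGroups restriction, and a cipher list that still includes CBC/arcfour.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
PermitRootLogin no
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha2-512,hmac-sha2-256
"""

# Ciphers the CIS Ubuntu 18.04 "strong ciphers" check treats as weak (assumed
# to be the list behind control 5.2.13); none of these are FIPS-approved.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
                "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
                "rijndael-cbc@lysator.liu.se"}


def parse_sshd_config(text):
    """Map each keyword (lowercased) to its first value. sshd honours the first
    occurrence of a keyword; comments and blank lines are ignored. Match blocks
    are not modelled here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_sshd(text):
    """Return a list of finding strings; an empty list means all three checks pass."""
    conf = parse_sshd_config(text)
    findings = []
    # Default when the keyword is absent is prohibit-password, which CIS still flags.
    if conf.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if not any(k in conf for k in ("allowusers", "allowgroups", "denyusers", "denygroups")):
        findings.append("no AllowUsers/AllowGroups/DenyUsers/DenyGroups: every local account may SSH")
    ciphers = {c.strip().lower() for c in conf.get("ciphers", "").split(",") if c.strip()}
    weak = sorted(ciphers & WEAK_CIPHERS)
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("\n".join(audit_sshd(SAMPLE_SSHD_CONFIG)) or "compliant")
```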

Task 4
To access FTP and SMB, a brute-force attack could be used to obtain the password and then access both servers. We can use:

nmap --script ftp-brute -p 21 IP

to test a brute-force attack against the FTP server.

For SMB, the default password is used.

My recommendation is to update these two services.

Step 5: Final Report

Windows 10 ENT

Host     | High | Medium | Low | Log
10.0.2.4 | 33   | 5      | 2   | 48

IP Address: 10.0.2.4

Service                | Port    | Sensitive Level
SMB                    | 445 TCP | High
qotd                   | 17 TCP  | Medium
Relative IP            | TCP     | Low
Echo service detection | 7 TCP   | Log

Expected detail format for vulnerabilities found

High

1- CVE-1999-0503

Issue
A number of known default credentials are tried for login via the SMB protocol.

Impact
It was possible to log in with the following credentials via the SMB protocol to the 'IPC$' share: <User>:<Password> rdpadmin:1234

Mitigation
Change the password as soon as possible.

Reference
CVE: CVE-1999-0503, CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2005-3595

Medium

1- CVE-1999-0103

Issue
The remote host is running a 'chargen' service.

Impact
When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via TCP, it will continue spewing characters until the client closes the connection.

The purpose of this service was mostly to test the TCP/IP protocol by itself, to make sure that all the packets were arriving at their destination unaltered. It is unused these days, so it is suggested you disable it, as an attacker may use it to set up an attack against this host, or against a third-party host using this host as a relay.

Remark: NIST does not see 'configuration issues' as software flaws, so the referenced CVE has a severity of 0.0. The severity of this VT has been raised by Greenbone to still report a configuration issue on the target.

Mitigation
- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf and restart the inetd process.

- Under Windows systems, set the following registry keys to 0:

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

Then launch cmd.exe and type:

net stop simptcp
net start simptcp

to restart the service.

Reference
CVE: CVE-1999-0103

Low

1- CVE-1999-0524

Issue
The remote host responded to an ICMP timestamp request.

Impact
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services.

Mitigation
- Disable the support for ICMP timestamp on the remote host completely.

- Protect the remote host by a firewall, and block ICMP packets passing through the firewall in either direction (either completely or only for untrusted networks).

Reference
CVE: CVE-1999-0524
CERT: DFN-CERT-2014-0658, CB-K15/1514, CB-K14/0632
Other: http://www.ietf.org/rfc/rfc0792.txt

Ubuntu 18.04

Host     | High | Medium | Low | Log
10.0.2.5 | 36   | 40     | 4   | 34

IP Address: 10.0.2.5

Service            | Port    | Sensitive Level
Apache HTTP Server | 80 TCP  | High
FTP                | 21 TCP  | Medium
ICMP               | TCP     | Low
SMB                | 445 TCP | Log

Expected detail format for vulnerabilities found

High

1- CVE-2018-1333

Issue
Apache HTTP Server is prone to a denial-of-service vulnerability.

Impact
Successful exploitation will allow remote attackers to cause a denial-of-service (DoS) condition on a targeted system.

Mitigation
Update to Apache HTTP Server 2.4.34 or later. Please see the references for more information.

Reference
CVE: CVE-2018-1333
CERT: DFN-CERT-2019-0359, DFN-CERT-2019-0351, DFN-CERT-2018-2316, DFN-CERT-2018-2011, DFN-CERT-2018-1642, DFN-CERT-2018-1412, CB-K18/0805
Other: http://seclists.org/oss-sec/2018/q3/39, https://httpd.apache.org/security/vulnerabilities_24.html

Medium

1- CVE-1999-0497

Issue
Reports if the remote FTP server allows anonymous logins.

Impact
Based on the files accessible via this anonymous FTP login and the permissions of this account, an attacker might be able to:

- gain access to sensitive files

- upload or delete files.

Mitigation
If you do not want to share files, you should disable anonymous logins.

Reference
CVE: CVE-1999-0497

Low

1- CVE-1999-0497

Issue
The remote host responded to an ICMP timestamp request.

Impact
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services.

Mitigation
Various mitigations are possible:

- Disable the support for ICMP timestamp on the remote host completely.

- Protect the remote host by a firewall, and block ICMP packets passing through the firewall in either direction (either completely or only for untrusted networks).

Reference
CVE: CVE-1999-0524
CERT: DFN-CERT-2014-0658, CB-K15/1514, CB-K14/0632
Other: http://www.ietf.org/rfc/rfc0792.txt

Step 6: Final Assessment and Recommendations Based on Your Scans and Checks

Regarding adding these systems to the current infrastructure, my recommendation is not to do so before fixing all the security issues; both systems are affected by critical vulnerabilities and are easy to compromise.

I recommend doing the following before they are added:

1- The systems need to be fixed against all discovered vulnerabilities.
2- Both systems should have the latest security updates and patches.
3- They should follow firewall best practices.
4- They should be isolated in a very well-defined VLAN to reduce risk.
5- They should apply the Principle of Least Privilege.
