Send P3
Task 2
After reviewing the Windows machine, we found that automatic updates are not enabled for the
system, whereas on Linux the package repositories are configured correctly. To fix this on
Windows, we need to enable the Group Policy setting at this path:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates
Task 3 - Native Protections and Software Inventory
Task 1
We can see the following host settings for the Ubuntu machine.
Following are the VLAN settings and IP security policies on the Windows machines.
We can see that anonymous access is in place.
My recommendation for improvement is to stop sharing with anyone and to add IPsec
policies to increase security.
Task 2
We can see all running services in Ubuntu and Windows. We also see that IPv6 is enabled
on both machines. My recommendation is to remove it if it is not needed.
Task 3
There are no firewall rules in place; we should deny clear-text protocols such as FTP,
Telnet, and TFTP, block services like SMTP and POP, and force the use of HTTPS.
Task 4
My recommendation is to revoke sudo from the guest account and to provide only the
access needed for sharing data.
Step 3: Log Monitoring Setup for Detection at Targeted Assets
Task 1
10.0.2.7
telnet
Task 2
Task 3
Yes, there is an account trying to access the Windows share.
• Using the audit logs set up on your Linux machine, what was the name of the
attacker account?
Nobody
Task 4
For CIS 4.2.1.3 we can see that the following log files are being logged.
We can see that Windows does not send its logs.
Task 1
We can see that the student account should be outside the Administrators group.
Guest is in the Remote Desktop Users group and should not be there.
Task 2
Task 3
We recommend enabling FIPS so that security fixes are included in a timely manner before
the packages are re-certified.
Task 4
To access FTP and SMB, we can make a brute-force attack to obtain the password and then
access both servers. We can use:
Windows 10 ENT
Ex
Host High Medium Low Log
10.0.2.4 33 5 2 48
IP Address: 10.0.2.4
High
1- CVE-1999-0503
Issue
A number of known default credentials are tried for the login via the SMB protocol.
Impact
It was possible to log in with the following credentials via the SMB protocol to the 'IPC$'
share: <User>:<Password> rdpadmin:1234
Mitigation
Change the password as soon as possible.
Reference
CVE: CVE-1999-0503, CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2005-3595
Medium
1- CVE-1999-0103
Issue
The remote host is running a 'chargen' service.
Impact
When contacted, chargen responds with some random characters (something like all the
characters in the alphabet in a row). When contacted via TCP, it will continue spewing
characters until the client closes the connection.
The purpose of this service was mostly to test the TCP/IP protocol by itself, to make sure
that all the packets were arriving at their destination unaltered. It is unused these days, so
it is suggested you disable it, as an attacker may use it to set up an attack against this host,
or against a third-party host using this host as a relay.
Remark: NIST doesn't see 'configuration issues' as software flaws, so the referenced CVE has a
severity of 0.0. The severity of this VT has been raised by Greenbone to still report a
configuration issue on the target.
Mitigation
Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf and restart the
inetd process. Under Windows, the corresponding registry values are:
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen
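As an added example (not part of the report or of Greenbone's output), the Unix side of this mitigation as a small shell function: it comments out every active chargen entry in an inetd.conf-style file and verifies none remain. The file path, the sample configuration and the helper names are constructed for the demonstration; the inetd process must still be restarted afterwards.

```shell
#!/bin/sh
# Added example: disable the inetd 'chargen' service (TCP and UDP entries)
# by commenting out its lines in an inetd.conf-style file, then verify.
# Usage on a real host: disable_chargen /etc/inetd.conf && service inetd restart

# disable_chargen FILE: comment out every active line whose first field is
# exactly 'chargen'. A backup is written to FILE.bak. Returns 0 when no
# active chargen entry remains, 1 otherwise.
disable_chargen() {
    conf="$1"
    # Only lines starting with 'chargen' followed by whitespace are touched;
    # already-commented lines and other services are left alone.
    sed -i.bak -E 's/^(chargen[[:space:]])/#\1/' "$conf"
    if grep -Eq '^chargen[[:space:]]' "$conf"; then
        return 1
    fi
    return 0
}

# count_active FILE SERVICE: number of uncommented entries for SERVICE.
count_active() {
    grep -Ec "^$2[[:space:]]" "$1" || true
}

# make_sample_conf FILE: write a constructed inetd.conf (not taken from the
# lab hosts) so the function can be exercised offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
#<service> <sock_type> <proto> <flags> <user> <server_path> <args>
chargen   stream  tcp  nowait  root  internal
chargen   dgram   udp  wait    root  internal
#echo     stream  tcp  nowait  root  internal
ftp       stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
EOF
}

# Stand-alone demonstration on a temporary copy.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/inetd.conf"
echo "active chargen entries before: $(count_active "$demo_dir/inetd.conf" chargen)"
disable_chargen "$demo_dir/inetd.conf" && echo "chargen disabled"
echo "active chargen entries after:  $(count_active "$demo_dir/inetd.conf" chargen)"
```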
Reference
CVE
CVE-1999-0103
Low
1- CVE-1999-0524
Issue
The remote host responded to an ICMP timestamp request.
Impact
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of
the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp
and a transmit timestamp. This information could theoretically be used to exploit weak
time-based random number generators in other services.
Mitigation
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a firewall, and block ICMP packets passing through the firewall
in either direction (either completely or only for untrusted networks).
Reference
CVE: CVE-1999-0524
CERT: DFN-CERT-2014-0658, CB-K15/1514, CB-K14/0632
Other: http://www.ietf.org/rfc/rfc0792.txt
Ubuntu 18.04
Ex
Host High Medium Low Log
10.0.2.5 36 40 4 34
IP Address: 10.0.2.5
High
1- CVE-2018-1333
Issue
Apache HTTP Server is prone to a denial-of-service vulnerability.
Impact
Successful exploitation will allow remote attackers to cause a denial of service (DoS)
condition on a targeted system.
Mitigation
Update to Apache HTTP Server 2.4.34 or later. Please see the references for more information.
Reference
CVE
CVE-2018-1333
CERT
DFN-CERT-2019-0359, DFN-CERT-2019-0351, DFN-CERT-2018-2316, DFN-CERT-2018-2011,
DFN-CERT-2018-1642, DFN-CERT-2018-1412, CB-K18/0805
Other
http://seclists.org/oss-sec/2018/q3/39
https://httpd.apache.org/security/vulnerabilities_24.html
Medium
1- CVE-1999-0497
Issue
Reports if the remote FTP Server allows anonymous logins.
Impact
Based on the files accessible via this anonymous FTP login and the permissions of this
account, an attacker might be able to:
CVE-1999-0497
Low
1- CVE-1999-0497
Issue
The remote host responded to an ICMP timestamp request.
Impact
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of
the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp
and a transmit timestamp. This information could theoretically be used to exploit weak
time-based random number generators in other services.
Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a firewall, and block ICMP packets passing through the firewall
in either direction (either completely or only for untrusted networks)
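As an added example (not from the report), a shell function for the Ubuntu host that prints the iptables rule set covering both the Task 3 recommendation (deny FTP, Telnet, TFTP, SMTP and POP, allow only HTTPS) and the ICMP timestamp mitigation above; printing rather than applying lets the set be reviewed before it is loaded. It assumes iptables is installed, that SSH on port 22 is the management path, and that any HTTP-to-HTTPS redirect is served by the web server itself.

```shell
#!/bin/sh
# Added example: generate (not apply) an iptables rule set for the Ubuntu host.
# Review the output, then apply with:  gen_firewall_rules | sudo sh
# Assumptions (not from the report): management is over SSH/22, the web
# service should be reachable only on 443, and iptables is installed.
gen_firewall_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Task 3: clear-text protocols (FTP 21, Telnet 23, SMTP 25, POP3 110, TFTP 69).
    # Explicit REJECT rules keep the intent auditable even though the default
    # policy set below would drop them anyway; tcp-reset lets clients fail fast.
    for port in 21 23 25 110; do
        echo "iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
    echo 'iptables -A INPUT -p udp --dport 69 -j REJECT'
    # Force HTTPS: only 443 is opened; port 80 stays closed by the default policy
    # (a 301 redirect to HTTPS has to be served by Apache, not by the filter).
    echo 'iptables -A INPUT -p tcp --dport 443 -j ACCEPT'
    echo 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT'
    # CVE-1999-0524 mitigation: drop ICMP timestamp requests (type 13) on the way
    # in and timestamp replies (type 14) on the way out; keep echo for diagnostics.
    echo 'iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP'
    echo 'iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP'
    echo 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Default deny is set last so an existing SSH session is not cut mid-change.
    echo 'iptables -P INPUT DROP'
}

# rule_count PATTERN: how many generated rules match PATTERN (for checks).
rule_count() {
    gen_firewall_rules | grep -c -- "$1" || true
}

# Stand-alone demonstration: print the rule set for review.
gen_firewall_rules
```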
Reference
CVE
CVE-1999-0524
CERT
DFN-CERT-2014-0658, CB-K15/1514, CB-K14/0632
Other
http://www.ietf.org/rfc/rfc0792.txt