
Penetration Test Guest Network for

Analysis of 2023-10-17
Dominik Lang
ditis Systeme, Ulm
Confidential
Revision History

Revision | Date | Author | Comment
0.1 | 2023-10-17 - 2023-10-25 | DLA | Performance of the penetration test and documentation of results
0.9 | 2023-11-06 | BOB | Review
1.0 | 2023-11-07 | RST | Approval

This report has been assembled with great care and according to the guidelines of the German Federal
Agency for Security in Information Technology (BSI) for performing penetration tests and in compliance
with the requirements of the international security norm ISO/IEC 27001.
Table of contents
1 Objective ... 4
1.1 Subject of the Test ... 4
1.2 Credentials Used ... 4
1.3 Altered Data ... 4
2 Testing Methodology ... 5
2.1 Test Criteria ... 5
2.2 Classification of the Penetration Test ... 5
2.3 Tools Used ... 6
2.4 Systems Used ... 6
2.5 Legend ... 6
3 Results of the Analysis ... 8
3.1 Overview of the Detected Vulnerabilities ... 8
3.2 Vulnerability by System ... 8
3.3 Vulnerabilities According to their Implementation Status ... 9
4 Specific Measures ... 10
4.1 Guest Network ... 10

confidential © ditis Systeme, www.ditis.de page 3


1 Objective
The goal of the penetration test is to check the IT systems listed below for possible security vulnerabilities. This report lists all detected vulnerabilities and the measures required to fix them and to enhance the overall security of the systems.
This penetration test is based on the concept for performing penetration tests of the German Federal Agency for Security in Information Technology (BSI).

1.1 Subject of the Test

Within the scope of the analysis the following systems were tested in collaboration with the IT department:

System/Network | Hostname | Description
Guest Network | - |

1.2 Credentials Used

System | Credentials | E-Mail
-

1.3 Altered Data

During the test, no permanent changes to the systems or data inside the scope of the test were performed beyond normal usage.



2 Testing Methodology

2.1 Test Criteria


The test was conducted under the following assumptions:
• The scan plug-ins mainly rely on the results returned by the server (e.g., version numbers and ident strings of web, DNS and mail servers). If these version numbers can't be determined correctly, false-positive messages in the result are possible. In all cases, a further examination of the detected vulnerabilities is necessary. Especially in the case of vendor-specific software distributions such as SUSE or Debian, security patches are usually supplied without adapting the version numbers of the servers, which may lead to false results.
• The time of the scan is always a snapshot. The goal of the analysis was to check as many vulnerabilities as possible with the technical means available. The result of the analysis additionally depends on the availability of the customer's computers and services at the time of the scan.
• The analysis does not represent an audit in the sense of a certification. It is possible that not every vulnerability is detected and named during the analysis. This depends among other things on the basic conditions selected by the customer. In order to detect further vulnerabilities on the systems, a manual test on the system itself may be necessary. This must be checked individually (referenced in the report if required).
• In agreement with the customer, no direct attacks based on "Denial of Service (DoS)" techniques were carried out, so as not to affect productive systems. The systems were analyzed in a manner that has no impact on productive systems.
• The actual test was carried out with the Intrusion-Prevention functions (blocking of attacker addresses) of the screening router deactivated. Without the deactivation of these functions the analysis could not have been carried out. To simulate a real attack scenario by bypassing the implemented security features (scan detection), it would have been necessary to acquire more information (for information gathering see chapters 7.1 and 7.2 of the BSI study: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/Penetrationstest/penetrationstest.pdf?__blob=publicationFile&v=3).

2.2 Classification of the Penetration Test

The criteria meet the requirements from chapter 3.4 (classification of penetration test) of the BSI study.

Criteria | Classification | Description
Basis of information | Black-box test | The information regarding the systems in the scope which are going to be scanned can be retrieved over the internet. There is no other information available than the IP address.
Aggressiveness | Calculated | Aside from obviously disrupting tests (e.g. Denial-of-Service attacks), no restrictions on the aggressiveness were made.
Scope | Limited | The analysis was limited to the web applications and the hosting servers that are listed in the scope of the test.
Procedure | Transparent | Stealthy scanning was not necessary.
Technology | Network | The scan was carried out over the internet.
Starting point | From outside | See above.



2.3 Tools Used
The following tools were used:

Scanner | Version | Description
Dradis Professional Edition | 4.9.0 | Collaboration and reporting tool
nmap | 7.93 | Comprehensive port scanner with service and OS discovery methods (http://nmap.org).
Metasploit | v5.0.101-dev | Framework for application-specific vulnerability scans (http://rapid7.com/metasploit).
DiG | 9.16.6 | Tool for analyzing DNS name servers.
host | - | Tool to execute DNS queries.
nslookup | - | Tool to execute DNS queries.
fping | - | Tool to quickly ping large IP ranges.
nuclei | v3 | Vulnerability scanner.
Wireshark | - | Network sniffer.
netdiscover | - | Network address discovery tool based on ARP packets.
nbtscan | - | NetBIOS name information scanning tool.
go-chromecast | - | Command-line tool to access and control Chromecasts.

2.4 Systems Used

Several systems have been used to perform the tests. In particular, the following IP addresses were used:

IPv4 addresses | IPv6 addresses | Description
95.216.183.62/32 | | Systems used for manual and automated tests.
64.39.96.0/20 | | IP range used by Qualys for automated vulnerability scans.

2.5 Legend

2.5.1 Rating Assessment

Rating | Description
High | Vulnerabilities which enable a potential attack, and which should be immediately eliminated.
Medium | Vulnerabilities which do not require an immediate action and should be changed or eliminated depending on the case in hand.
Low | Vulnerabilities with a low rating which can be eliminated for example during a planned update or kept where acceptance of the rating is justifiable.
None | Test items which have not revealed vulnerabilities and do not require further back-up measures.
Untestable | Test items which could not be associated with a known quantifiable rating. It must be assumed that a potential rating is present and must be inspected.

2.5.2 Effort Assessment

The specified efforts assist in the further prioritization of measures. These efforts are estimates based on experience. The actual efforts depend on the degree of automation and the standardization of the processes for implementing measures.

Effort | Description
High | The elimination of the vulnerability requires very high effort. For example:
  • The measures require an entirely new setup of the system.
  • The architecture or the design require extensive adjustments or new developments.
  • As a prerequisite, fundamental requirements for the measures need to be implemented (e.g., procurement and setup of a firewall, …).
Medium | The elimination of the vulnerability requires medium effort. For example:
  • Adjustments and changes to the source code
  • Installation of patches
  • Certificate changes
Low | The elimination of the vulnerability requires low effort. For example:
  • Configuration changes
  • Firewall rule changes
  • Authorization and access rights changes
None | No further measures are necessary.
Untestable | It is not possible to estimate the effort for the elimination of the vulnerability.

2.5.3 Information and Text Marking

Note | Description
Information | Additional information found regarding the scanned systems or services (e.g. version numbers or software classifications).
[UPDATE] | Designates an area which has been changed or supplemented since the previous version of the report.
<script> alert(X); </script> | Blocks in this script denote code examples or extracts.



3 Results of the Analysis
While the penetration test was going on, it became more and more clear that the setup might not lead to accurate results. After some discussion, it was deemed sufficient for this penetration test. Hence, the following findings might not be 100% reliable.
During the penetration test it was not possible to access the internal network from the guest network, even though no form of network access control is established and it is also possible to set arbitrary IP addresses. However, the guest network is only separated using a switch instead of a firewall. In the past, there have been multiple methods of attacking switches in order to gain access to apparently separated networks.
Several machines were found in the network running services, such as Sony BRAVIA TVs, which could be accessed, and other machines with many open ports and running services. An attacker might be able to use these devices to gain a foothold in the environment.
In addition, a few domain-joined clients were connected to the guest network. This led to some information disclosure about the internal domain and gives an attacker the opportunity to potentially leverage these clients to access the internal network, e.g. using techniques such as LLMNR/NBT-NS poisoning.
It is recommended to carefully consider which clients are connected to the guest network, in order to minimize the attack surface.
A public DNS server is used – Google's 8.8.8.8. This opens a door into the internet via UDP port 53. It was possible to tunnel data back and forth using UDP port 53 with an arbitrary server on the internet. This finding might also be true for the internal network, as the test might have been carried out while connected to the internal network, which is unclear from the setup.
It is recommended to check whether it is possible to circumvent ADFS by using this tunnel.
All in all, with the given setup and time, it was not possible to find any critical vulnerabilities.

3.1 Overview of the Detected Vulnerabilities

Rating | Amount | Amount Retest
High | 0 | 0
Medium | 4 | 0
Low | 1 | 0
None | 0 | 0
Untestable | 0 | 0
Sum | 5 | 0

3.2 Vulnerability by System

System/IP | High | Medium | Low | None | Untestable
Guest Network | 0 | 4 | 1 | 0 | 0



3.3 Vulnerabilities According to their Implementation Status

3.3.1 Guest Network

Vulnerability | Rating
DNS – External Resolvers | Medium
Ports and Services | Medium
Network – NAC & Static Network Configuration | Low
Network – Segmentation | Medium
Network – Separation | Medium



4 Specific Measures

4.1 Guest Network

4.1.1 Server Configuration

Check: DNS – External Resolvers

System/IP: Guest Network
Rating: Medium
Description: External name resolution enables attackers or malware to exchange data with any external system on the internet and can thus be misused as a covert communication channel. This allows attackers to abuse the DNS protocol by performing normal DNS queries and responses, thereby forwarding data or logs to a DNS server under their control. In this way, it is possible to exfiltrate data from a network that does not have direct internet access (or any other external access). Furthermore, using an external DNS server can lead to information disclosure, e.g. when machines try to look up internal names.
Findings: The Google DNS server 8.8.8.8 is used as the DNS server. In addition, because access to the external DNS server is allowed, it is possible to reach arbitrary servers on the internet via UDP port 53. Thus, it is possible to configure other DNS servers, or to use UDP port 53 as a covert channel. During the penetration test such a tunnel was set up to transfer data with a server on the internet, bypassing any captive portals / login mechanisms. This might also be an issue in the internal network, as due to the setup it is unclear whether the attack was performed via the internal network or the guest network. Furthermore, using an external DNS server can lead to information disclosure, e.g. when machines try to look up internal names.
Measures: External name resolution for any system must not be possible in protected networks. Network traffic to any external DNS forward servers must be restricted.
Effort: Medium
References: -
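The two measures above can be checked on the wire rather than only in the configuration. The following script is an added example and not part of the report: it takes UDP/53 flow records (source, destination, port, queried name), reports every client that reached a resolver outside an approved set, which is exactly the traffic the egress restriction must block, and flags the pattern a DNS tunnel leaves behind, namely one client sending many distinct over-long labels to a single zone. The approved resolver address 192.168.245.1, the thresholds, the zone tunnel-placeholder.test and all flow records are constructed for this example.

```python
"""Added example, not taken from the report: checks DNS flow records against the
measure that guest clients may only reach approved internal resolvers on UDP/53,
and flags query patterns typical of a DNS tunnel. The approved resolver address,
the thresholds and the flow records below are assumptions made for this example."""
import ipaddress
from collections import defaultdict

# Assumption: the only resolvers that guest clients are allowed to reach on UDP/53.
APPROVED_RESOLVERS = {"192.168.245.1"}

# Assumption: a normal host label is far shorter than this, and one client has no
# reason to send this many distinct over-long labels to a single zone.
MAX_LABEL_LEN = 30
MIN_UNIQUE_LABELS = 3

# Constructed flow records: (source, destination, destination port, queried name).
# The report only states that 8.8.8.8 is configured and that arbitrary internet
# hosts are reachable on UDP/53; these records were invented to show both cases.
SAMPLE_FLOWS = [
    ("192.168.245.86", "192.168.245.1", 53, "www.example.com."),
    ("192.168.245.86", "8.8.8.8", 53, "www.example.com."),
    ("192.168.245.110", "8.8.8.8", 53, "update.example.net."),
    ("192.168.245.110", "203.0.113.7", 53,
     "aGVsbG8gd29ybGQuIFRoaXMgaXMgYSB0ZXN0.t.tunnel-placeholder.test."),
    ("192.168.245.110", "203.0.113.7", 53,
     "Y2hhbmdlZCBwYXlsb2FkIGZvciBzZWNvbmQ.t.tunnel-placeholder.test."),
    ("192.168.245.110", "203.0.113.7", 53,
     "dGhpcmQgY2h1bmsgb2YgZGF0YSBoZXJlIGlz.t.tunnel-placeholder.test."),
    ("192.168.245.166", "192.168.245.1", 53, "intranet.example.com."),
]


def parent_zone(qname, depth=2):
    """Last `depth` labels of a query name: 'a.b.example.com.' -> 'example.com'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def check_resolvers(flows, approved=APPROVED_RESOLVERS):
    """Sorted (source, destination) pairs that sent UDP/53 traffic to a resolver
    outside the approved set; exactly the traffic an egress rule should block."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    offenders = set()
    for src, dst, port, _ in flows:
        if port == 53 and ipaddress.ip_address(dst) not in approved_ips:
            offenders.add((src, dst))
    return sorted(offenders)


def check_tunnels(flows, max_label=MAX_LABEL_LEN, min_unique=MIN_UNIQUE_LABELS):
    """{(source, zone): count} for sources that sent at least `min_unique` distinct
    over-long leading labels to one zone, i.e. data encoded into query names."""
    long_labels = defaultdict(set)
    for src, _, port, qname in flows:
        if port != 53:
            continue
        leading = qname.split(".")[0]
        if len(leading) > max_label:
            long_labels[(src, parent_zone(qname))].add(leading)
    return {key: len(labels) for key, labels in long_labels.items()
            if len(labels) >= min_unique}


def main():
    for src, dst in check_resolvers(SAMPLE_FLOWS):
        print(f"non-approved resolver: {src} -> {dst}")
    for (src, zone), count in check_tunnels(SAMPLE_FLOWS).items():
        print(f"tunnel-like queries: {src} sent {count} distinct long labels to {zone}")


if __name__ == "__main__":
    main()
```

Fed with real flow records (for example exported from the firewall or from Wireshark), `check_resolvers` produces the list of clients still talking to 8.8.8.8 or to other hosts on UDP/53 after the egress rule is in place, and `check_tunnels` gives a first triage of whether any client is using the resolver path as a covert channel. The label-length threshold is deliberately simple; tunnels that use short labels need a volume-based check instead.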

Check: Ports and Services

System/IP: Guest Network
Rating: Medium
Description: Only the strictly necessary ports and services should be available. Further ports and services generate additional attack vectors.
Findings: A client seems to be a TV (tivoconnect) (in addition to the other TVs, see "Network – Separation"):
Host is up (0.0073s latency).


Not shown: 986 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
1048/tcp filtered neod2
1199/tcp filtered dmidi
1300/tcp filtered h323hostcallsc
2190/tcp open tivoconnect
4004/tcp filtered pxc-roid
5101/tcp filtered admdog
7070/tcp filtered realserver
8008/tcp open http
8009/tcp open ajp13
49154/tcp filtered unknown
50389/tcp filtered unknown
51493/tcp filtered unknown
55055/tcp filtered unknown

There is also a machine running an accessible VNC server. However, it is password protected. During the penetration test a brute-force attack was not performed:

Host is up (0.0050s latency).


Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5800/tcp open vnc-http

PORT STATE SERVICE VERSION


5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)

Another machine is potentially running a lot of services:

Host is up (0.35s latency).


Not shown: 972 closed tcp ports (conn-refused)
PORT STATE SERVICE

179/tcp filtered bgp
427/tcp filtered svrloc
749/tcp filtered kerberos-adm
901/tcp filtered samba-swat
1066/tcp filtered fpo-fns
1086/tcp filtered cplscrambler-lg
1112/tcp filtered msql
2008/tcp filtered conf
2260/tcp filtered apc-2260
2301/tcp filtered compaqdiag
2602/tcp filtered ripd
2725/tcp filtered msolap-ptp2
3030/tcp filtered arepa-cas
3580/tcp filtered nati-svrloc
3920/tcp filtered exasoftport1
5903/tcp filtered vnc-3
5915/tcp filtered unknown
5961/tcp filtered unknown
6100/tcp filtered synchronet-db
6129/tcp filtered unknown
7000/tcp filtered afs3-fileserver
7512/tcp filtered unknown
7625/tcp filtered unknown
8093/tcp filtered unknown
8443/tcp filtered https-alt
8649/tcp filtered unknown
19101/tcp filtered unknown
50000/tcp filtered ibm-db2

Measures: Services not needed must be shut down. Required services that don't have to be accessible by the public must be protected by a firewall, and only specified users (IP addresses or networks) must be permitted to access them.

Effort: Medium

References: -
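Whether "services not needed" have actually been shut down is best verified by rescanning and comparing against an allow-list per host. The script below is an added example, not code from the report: it parses nmap's normal text output (the format quoted in this check), lists each host's open ports, reports the ones outside an allow-list and labels services such as SMB and VNC that deserve attention on their own in a guest network. The allow-list, the sensitive-service table and the scan text (shaped like the excerpts above, with an invented second host 192.168.245.50) are constructed for this example.

```python
"""Added example, not taken from the report: parses nmap's normal text output (the
format quoted in this check), lists each host's open ports, compares them with an
allow-list and points out sensitive services. The allow-list, the sensitive-service
table and the scan text are constructed for this example."""
import re
from collections import defaultdict

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")

# Assumption: services whose exposure in a guest network deserves attention on its own.
SENSITIVE = {135: "MS-RPC", 139: "NetBIOS session", 445: "SMB",
             5800: "VNC over HTTP", 5900: "VNC"}

# Assumption: the TV only needs its cast ports; hosts without an entry may expose nothing.
ALLOWED = {"192.168.245.184": {8008, 8009}}

# Constructed scan text, shaped like the excerpts in this report.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.245.184
Host is up (0.0048s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
1048/tcp filtered neod2
8008/tcp open http
8009/tcp open ajp13
Nmap scan report for 192.168.245.50
Host is up (0.0050s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5800/tcp open vnc-http
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
"""


def parse_nmap(text):
    """{host: [(port, proto, state, service), ...]} from nmap normal output.
    Script output lines (starting with '|') never match PORT_LINE and are skipped."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        host = HOST_LINE.match(line)
        if host:
            current = host.group(1)
            hosts[current]  # register the host even if no port line follows
            continue
        port = PORT_LINE.match(line)
        if port and current is not None:
            number, proto, state, service = port.groups()
            hosts[current].append((int(number), proto, state, service))
    return dict(hosts)


def open_ports(hosts):
    """{host: sorted open port numbers}; filtered and closed ports are not reachable."""
    return {h: sorted(p for p, _, state, _ in ports if state == "open")
            for h, ports in hosts.items()}


def unexpected_open(hosts, allowed=ALLOWED, default=frozenset()):
    """Open ports outside the host's allow-list; hosts without an entry get `default`."""
    result = {}
    for host, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(host, default)]
        if extra:
            result[host] = extra
    return result


def sensitive_exposure(hosts, sensitive=SENSITIVE):
    """{host: [service labels]} for open ports listed in the sensitive table."""
    result = {}
    for host, ports in open_ports(hosts).items():
        hits = [sensitive[p] for p in ports if p in sensitive]
        if hits:
            result[host] = hits
    return result


def main():
    hosts = parse_nmap(SAMPLE_SCAN)
    for host, ports in unexpected_open(hosts).items():
        print(f"{host}: unexpected open ports {ports}")
    for host, services in sensitive_exposure(hosts).items():
        print(f"{host}: sensitive services reachable: {', '.join(services)}")


if __name__ == "__main__":
    main()
```

Run against a fresh `nmap -oN` file of the guest network, an empty result from `unexpected_open` is the retest evidence that the measure has been implemented; any remaining entry in `sensitive_exposure` is a candidate for the firewall restriction the measure asks for.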

4.1.2 Network

Check: Network – NAC & Static Network Configuration

System/IP: Guest Network
Rating: Low
Description: Without any form of network access control (NAC), arbitrary computers can access the network. In addition, accepting arbitrary, statically set network configuration from clients may enable further attacks, such as access to other network segments or disruption of the network.
Findings: It is possible to set a static, self-chosen IP address. During the penetration test it was not possible to access the internal network by simply setting an internal IP address. However, this might also have been due to the setup.
Measures: A form of NAC needs to be established. In addition, statically set network configuration on clients should not be accepted by the network, if possible.
Effort: Medium
References: -

Check: Network – Segmentation

System/IP: Guest Network
Rating: Medium
Description: If network segments are not separated from one another sufficiently and one network segment is compromised, an attacker can leverage the compromised segment to attack another network segment and thus access sensitive data or disrupt the entire network.
Findings: During the penetration test it was not possible to access the internal network from the guest network. However, due to the setup, these findings are not 100% reliable. In addition, no firewall is used to ensure a separation of the guest network. The switches cannot provide any security guarantees, and there have been multiple attacks on switches in the past in order to access other network segments, e.g. via overloading.
Measures: Network segments need to be properly separated from each other, e.g. via a firewall.
Effort: Medium
References: -

Check: Network – Separation

System/IP: Guest Network
Rating: Medium
Description: If services are not separated from one another sufficiently and one service is compromised, an attacker can freely attack another service on the same network segment and thus access sensitive data or disrupt both the service and the entire network.
Findings: Domain-joined machines are trying to resolve internal names (e.g. festo, CLT…, SMS_SLP, DLT00016, SDET2105, …) via LLMNR, NBT-NS, MDNS, e.g.:

[Analyze mode: Browser] Datagram Request from IP: 192.168.245.200 hostname: DLT00016 via the: File Server to: FESTO. Service: Local Master Browser
[Analyze mode: NBT-NS] Request by 192.168.245.86 for WPAD
[Analyze mode: NBT-NS] Request by 192.168.245.106 for WORKGROUP
[Analyze mode: NBT-NS] Request by 192.168.245.110 for DVCRQDOCOZTTK
[Analyze mode: NBT-NS] Request by 192.168.245.110 for HNQCHMBKS
[Analyze mode: NBT-NS] Request by 192.168.245.110 for MEAMQZV
[Analyze mode: NBT-NS] Request by 192.168.245.166 for SDET2105
[Analyze mode: NBT-NS] Request by 192.168.245.36 for SDET2105
[Analyze mode: NBT-NS] Request by 192.168.245.142 for DESKTOP-VK7HHE6
[Analyze mode: NBT-NS] Request by 192.168.245.134 for FESTO
[Analyze mode: NBT-NS] Request by 192.168.245.175 for UNDEFINED
[LLMNR] Poisoned answer sent to 192.168.245.83 for name CLT93980
[LLMNR] Poisoned answer sent to 192.168.245.83 for name SDET2105
[MDNS] Poisoned answer sent to 192.168.245.166 for name festo.local

These can be poisoned and attacked, e.g. to retrieve hashes, which can then be used to authenticate in the internal network and further attack the internal network.
Multiple machines in the guest network are running multiple services, which can be used to further attack the entire network. For example, there are at least four TVs (Sony BRAVIA) on the network with a Chromecast. It is possible to connect to and control these Chromecasts:
1) device="BRAVIA 4K GB" device_name="FW-55XE8001" address="192.168.245.194:8009" uuid="9dab20d1a9e6e7b5bb2e659a19ba4bd8"
2) device="BRAVIA 4K GB" device_name="FW-55XE8001" address="192.168.245.147:8009" uuid="98b7534689d3b10963057f0f82ca1c0a"
3) device="BRAVIA 4K GB" device_name="FW-55XE8001" address="192.168.245.184:8009" uuid="bfcbbe7fec4a2015e2b29976ee76ee8d"
4) device="BRAVIA 4K GB ATV3" device_name="KD-65XF9005" address="192.168.245.145:8009" uuid="d4b179f788efe69649e50e1ed6c6f5ed"
Nmap scan report for 192.168.245.184
Host is up (0.0048s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
1033/tcp filtered netinfo
1042/tcp filtered afrog
1048/tcp filtered neod2
2020/tcp filtered xinupageserver
2967/tcp filtered symantec-av
3871/tcp filtered avocent-adsap
7777/tcp filtered cbt
8008/tcp open http
8009/tcp open ajp13
10010/tcp filtered rxapi
33899/tcp filtered unknown
Nmap scan report for 192.168.245.194
Host is up (0.019s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
993/tcp filtered imaps
1025/tcp filtered NFS-or-IIS

5060/tcp filtered sip
9080/tcp open glrpc

Measures: Management services such as printer websites, building control technology or administration interfaces for remote maintenance of servers must be made accessible in a network that is separate from the actual office network. It needs to be carefully considered which clients and services are connected to the guest network, in order to limit any exposure and attack surface.

Effort: Medium

References: -
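Deciding which clients should leave the guest network starts with knowing which of them broadcast internal names. The script below is an added example, not code from the report: it parses the LLMNR/NBT-NS/MDNS analyzer lines quoted in the findings above and summarises, per client, which names it tried to resolve, which clients asked for WPAD (the request whose spoofed answer hands the client a proxy configuration), and which clients were sent a poisoned answer during the test. The sample lines are the ones quoted in this check; the regular expressions are assumptions about that output format.

```python
"""Added example, not taken from the report: parses the LLMNR/NBT-NS/MDNS analyzer
lines quoted in this check and summarises which guest clients leak internal names,
which of them asked for WPAD, and which received a poisoned answer. The sample lines
are the ones quoted above; the regular expressions are assumptions about that format."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

RE_REQUEST = re.compile(
    r"^\[Analyze mode: (?P<proto>[A-Z-]+)\] Request by (?P<ip>[\d.]+) for (?P<name>\S+)")
RE_BROWSER = re.compile(
    r"^\[Analyze mode: Browser\] Datagram Request from IP: (?P<ip>[\d.]+) "
    r"hostname: (?P<host>\S+) .* to: (?P<name>[^.\s]+)")
RE_POISONED = re.compile(
    r"^\[(?P<proto>LLMNR|NBT-NS|MDNS)\] Poisoned answer sent to (?P<ip>[\d.]+) "
    r"for name (?P<name>\S+)")

# The lines quoted in this check, used here as sample input.
SAMPLE_LOG = """\
[Analyze mode: Browser] Datagram Request from IP: 192.168.245.200 hostname: DLT00016 via the: File Server to: FESTO. Service: Local Master Browser
[Analyze mode: NBT-NS] Request by 192.168.245.86 for WPAD
[Analyze mode: NBT-NS] Request by 192.168.245.106 for WORKGROUP
[Analyze mode: NBT-NS] Request by 192.168.245.110 for DVCRQDOCOZTTK
[Analyze mode: NBT-NS] Request by 192.168.245.110 for HNQCHMBKS
[Analyze mode: NBT-NS] Request by 192.168.245.110 for MEAMQZV
[Analyze mode: NBT-NS] Request by 192.168.245.166 for SDET2105
[Analyze mode: NBT-NS] Request by 192.168.245.36 for SDET2105
[Analyze mode: NBT-NS] Request by 192.168.245.142 for DESKTOP-VK7HHE6
[Analyze mode: NBT-NS] Request by 192.168.245.134 for FESTO
[Analyze mode: NBT-NS] Request by 192.168.245.175 for UNDEFINED
[LLMNR] Poisoned answer sent to 192.168.245.83 for name CLT93980
[LLMNR] Poisoned answer sent to 192.168.245.83 for name SDET2105
[MDNS] Poisoned answer sent to 192.168.245.166 for name festo.local
"""


@dataclass(frozen=True)
class Event:
    proto: str      # LLMNR, NBT-NS, MDNS or Browser
    client: str     # guest-network client that sent the request
    name: str       # internal name it tried to resolve
    poisoned: bool  # True if the analyzer answered the request itself


def parse_events(text):
    """One Event per recognised line; unrecognised lines are ignored."""
    events = []
    for line in text.splitlines():
        if m := RE_REQUEST.match(line):
            events.append(Event(m["proto"], m["ip"], m["name"], False))
        elif m := RE_BROWSER.match(line):
            events.append(Event("Browser", m["ip"], m["name"], False))
        elif m := RE_POISONED.match(line):
            events.append(Event(m["proto"], m["ip"], m["name"], True))
    return events


def names_by_client(events):
    """{client: sorted names}: which clients leak which internal names."""
    leaks = defaultdict(set)
    for e in events:
        leaks[e.client].add(e.name)
    return {client: sorted(names) for client, names in leaks.items()}


def wpad_clients(events):
    """Clients asking for WPAD: a spoofed answer hands them a proxy configuration."""
    return sorted({e.client for e in events if e.name.upper() == "WPAD"})


def poisoned_clients(events):
    """Clients that were sent a spoofed answer during the test."""
    return sorted({e.client for e in events if e.poisoned})


def name_frequency(events):
    """How often each internal name was requested across all protocols."""
    return Counter(e.name for e in events)


def main():
    events = parse_events(SAMPLE_LOG)
    for client, names in sorted(names_by_client(events).items()):
        print(f"{client}: {', '.join(names)}")
    print("WPAD requesters:", wpad_clients(events))
    print("received poisoned answers:", poisoned_clients(events))
    print("most requested names:", name_frequency(events).most_common(3))


if __name__ == "__main__":
    main()
```

The per-client list is the input for the recommendation in the measures: every entry with a domain-style name (SDET2105, FESTO, CLT93980) is a domain-joined client that should not be on the guest network, while random-looking names like the three from 192.168.245.110 are typically a browser's DNS-interception probes and can be triaged separately. On the clients themselves, LLMNR is switched off through the "Turn off multicast name resolution" group policy and NetBIOS over TCP/IP per network adapter; with both disabled, the requests above are no longer sent at all.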
