Server Penetration Testing

DONE BY:
ZEINA ATALLAH FRIEKH 201811378
ALMOGHREEA OSAID NAOOSH 201820179
MUSTAFA JAMAL AL-BANNA 201810378
MALIK IBRAHIM ABU-SHARAR 201810959

SUBMITTED TO: DR. MAHRAN AL-ZYOUD

DEPARTMENT OF NETWORKS & INFORMATION SECURITY
FACULTY OF INFORMATION TECHNOLOGY
AL-AHLIYYA AMMAN UNIVERSITY

SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF BACHELOR OF NETWORKS & INFORMATION SECURITY
SECOND SEMESTER – 2022

Server Penetration Testing Wednesday, June 22, 2022 2

Acknowledgement

It has been a great opportunity to gain a lot of experience in real-time projects, together with the knowledge of how to design and analyze real projects. For that, we want to thank all the people who made it possible for students like us. Special thanks to the Graduation Project Unit for the efforts they made to provide us with all useful information and make the path clear for students to apply all their education in real-time project design and analysis. We would like to express our deepest gratitude to our graduation project supervisor Dr Mahran Al-Zyoud for his patience and guidance throughout the semester, and for his continuous encouragement and support during the course. Moreover, we must thank all the testing committee members for their generous discussions and encouragement. Prof. Dr Musleh Abu Alhaj ... We thank Prof. Dr Omar Al-Adwan, Dean of the College, for the unparalleled support he provided us.
Symbols and Abbreviations:

PT: Penetration Testing
OSSTMM: Open Source Security Testing Methodology Manual
OWASP: Open Web Application Security Project
NIST: National Institute of Standards and Technology
PTES: Penetration Testing Execution Standard
IP: Internet Protocol
NAT: Network Address Translation
VLAN: Virtual Local Area Network
AD: Active Directory
OSINT: Open Source Intelligence
DoS: Denial of Service
FTP: File Transfer Protocol
LAN: Local Area Network
WAN: Wide Area Network
DMZ: Demilitarized Zone
TCP: Transmission Control Protocol
SQL: Structured Query Language

ABSTRACT

Two scenarios are set up to cover some of the strategies and techniques an attacker can apply to networks and servers in order to find vulnerabilities and assess network security. The first simulates the network of a small organization with a few departments that hires a penetration tester to prepare a report; the report includes recommendations for building a protected system that meets the organization's needs, enhances its security posture and helps developers understand what an attacker can gain. The second scenario simulates different types of attacks on web servers and other devices. The network is designed in this way so that the attacker can infiltrate the system and exploit a vulnerability up to full privileges on the servers.

Table of contents:

1. INTRODUCTION 6
1.1 Objective 6
1.2 Penetration Testing Standards 6
1.3 Penetration Testing Strategies 7
2. NETWORKING 9
2.1 First Scenario 9
2.1.1 Network Components 9
2.1.2 Network Design 9
2.1.3 Network Configuration 10
2.2 Second Scenario 11
2.2.1 Network Design 11
3. PENETRATION TESTING 12
3.1 Penetration Testing Overview 12
3.2 The Phases of Penetration Testing 12
3.2.1 Pre-Engagement 13
3.2.2 Reconnaissance 13
3.2.3 Discover & Vulnerability Assessment 14
3.2.4 Exploitation 14
3.2.5 Analysis & Reporting 14
3.3 First Scenario 15
3.4 Second Scenario 29
4. Conclusion 52
5. Appendices 53
6. References 64

CHAPTER ONE
INTRODUCTION

1.1 Objective

This documentation provides guidance on Penetration Testing (PT) in three areas:

Penetration Testing: showing some of the manual and automated PT techniques.
Risk Identification: offering insight into which channels and devices in your organization or application are most vulnerable.
Decreasing Risks: knowledge about the types of new security tools you should apply or protocols you should follow.

1.2 Penetration Testing Standards

Standards for PT aim to give a basic outline of the steps used. There are currently various methodologies that can be followed:

Open Source Security Testing Methodology Manual (OSSTMM): It allows businesses to customize their PT to meet their individual requirements, while also giving developers access to more secure areas of their environment to work on.
Open Web Application Security Project (OWASP): A collection of web application security standards and guidelines that also includes a number of resources for strengthening the security posture of both internal and external web applications.
Penetration Testing Execution Standard (PTES): It instructs security professionals and businesses on what to expect from a PT, as well as how to scope and negotiate successful projects.
National Institute of Standards and Technology (NIST): A security framework that gives companies a baseline standard for customizing the technologies and stacks in their environment.
Every standard specifies information related to the three primary parts of a PT: pre-engagement, engagement and post-engagement. This documentation describes the general stages applied by the penetration tester under any standard.

1.3 Penetration Testing Strategies

1.3.1 Black-box testing: The tester is not given any information about how the servers or network architecture work. This type of test can therefore take a long time to perform.

1.3.2 White-box testing: Also known as "clear box testing". The tester has a complete understanding of the network architecture and servers, so compared to a black-box test this test can be completed in significantly less time.

1.3.3 Gray-box testing: This sort of test combines white-box and black-box testing. In other words, the penetration tester has only a rudimentary understanding of how some of the servers or network architecture work.

1.3.4 External testing: This form of testing targets only the externally visible servers or assets of the organisation, such as domain name servers, email servers, web servers or firewalls. It examines whether an external attacker can access these devices and what impact that could have.

1.3.5 Internal testing: This form of testing simulates an internal attack launched by an authorized user with standard access privileges. The result shows how much harm a disgruntled employee could cause.

1.3.6 Targeted testing: This testing is done jointly by the client's IT or security team and the testing team. Everyone is aware of what is going on, and no one is surprised. There is minimal disruption because the IT staff will not treat the test as a real attack, which allows a speedy response on both sides.

CHAPTER TWO
NETWORKING

2.1 First Scenario

2.1.1 Network Components:

Below are the components of this network:

A. Hardware Components:
Servers: Active Directory (AD) server and database server.
Clients: Computers that request and receive service from the servers in order to access and use the network resources.
Network intermediary devices: Routers and switches.
Security devices: Palo Alto firewall.

B. Software Components:
Network operating systems: Windows Server, Windows 10 and Windows 7.
Protocol suite: OSI Model (Open Systems Interconnection)

2.1.2 Network Design

This network, created for an organisation with a few departments, follows network design standards to make it more robust and improve overall performance. In addition, a protection device has been added to separate the internal network from the other networks.

The following figure shows how devices and servers are distributed:

Figure 2.1.2: Network topology for first scenario

2.1.3 Network Configuration (detailed in Appendix A: configuration)

R1, R2: Each router interface is assigned an IP address; the routers then determine where to route data packets over the network.

Firewall: The interfaces, zones and virtual router have been configured. To connect zones with each other, NAT rules are created, and security policies are then set to block or allow a session based on traffic attributes.

Core-Switch: This is the backbone of the local area network. It acts as the gateway for the VLANs and connects a group of edge switches. Each department has its own VLAN (i.e. 3 VLANs in our network), in addition to the interface connected to R2; the core switch therefore determines where to route data packets between them.

SW-01, SW-02 and SW-03: All VLANs are defined on and allowed for the switches, so that each switch can assign a specific VLAN to the devices in its department.

Database Server: The database is designed with tables that represent the organisation's environment. The server uses MySQL to define the tables (Employee, Project, Job, etc.) and insert the data stored in them.

Active Directory Server: A server is created and promoted to a domain controller; it controls the permissions of the users and computers on the domain. We added users to groups we created, and these groups represent the departments of the organization.

2.2 Second Scenario

2.2.1 Network Design

Figure 2.2.1: Network topology for second scenario

CHAPTER THREE
PENETRATION TESTING

3.1 Penetration Testing Overview:

Each standard has a specific use depending on the test case, with its own advantages and disadvantages, so we will use the general methodology, which covers all the standards. The tests may be automated, manual or a combination of both: the advantages of automated tools include thoroughness and consistency, while the manual approach gives testers more control.

3.2 The Phases of Penetration Testing

Figure 3.2: General phases of Penetration Testing

3.2.1 Pre-Engagement

Pre-engagement interactions, also known as scoping, are an often overlooked step in penetration testing. During this pre-engagement phase, the penetration testing organization defines the logistics of the test, the expectations, the legal consequences, and the customer's objectives and goals. Penetration testers should collaborate with your organization during the pre-engagement phase to fully understand any vulnerabilities, your organisation's characteristics, and the optimal pentesting methodology for your company. A white-box, black-box or gray-box penetration test may be suitable. It is at this point that you start preparing and matching your goals with specific pentesting objectives.
3.2.2 Reconnaissance

This phase is used to acquire as much data as possible about the target; the data is then used during the vulnerability assessment and exploitation stages. Reconnaissance can be passive or active.

Passive reconnaissance: The attacker collects information about the organization without directly interacting with the system. This means no request of any kind is sent to the target.

Active reconnaissance: The attacker engages with the target system, for example by conducting a port scan to find open ports and enumerate the services behind them.

3.2.3 Discover & Vulnerability Assessment

This phase is a thorough examination of a system's security flaws. It assesses whether the system is vulnerable to any known flaws, assigns severity levels to those flaws and, where necessary, suggests remediation or mitigation.

3.2.4 Exploitation

This phase focuses on gaining access to the system through the vulnerabilities found. In many cases the initial point of entry will not provide a high level of access, so the tester will attempt to escalate privileges to obtain more permissions or access to more sensitive systems.

3.2.5 Analysis & Reporting

In this phase a detailed report is prepared. It contains the vulnerability classification, exploitation records demonstrating the harm the vulnerabilities would represent to the company if exploited, and remediation recommendations agreed with key organization stakeholders.

3.3 Scenario 1

1. Pre-Engagement:

The most effective strategy in this case is white-box testing, because it enables the tester to go deeper and test every feature and aspect of the system. White-box PT implies sharing server information with the tester, including:

AD server
- Domain name: project.local
- IP address: 10.10.30.5

DB server
- Database name: project
- IP address: 10.10.30.6

Department devices
- Operating system: Windows 7
- IP address: 10.10.20.5

2. Reconnaissance:

Passive reconnaissance: The target has no way of knowing that data is being gathered about it. Because we carry out the penetration test on virtual machines, passive reconnaissance is difficult: there are no real employees whose awareness and behaviour could be observed.

Active reconnaissance:

o Active Directory server: Use nmap to scan for open ports and determine the services on these ports. Using Metasploit, we then enumerate valid domain users via the Kerberos protocol.

o Database server: Use nmap to scan for open ports and determine the services on these ports. Nmap scripts are run against the database server's MySQL port (3306/TCP); the results reveal information about the machine's users (Windows 10) and about the MySQL service, its databases and its users.

o Windows 7: Use nmap to scan for open ports and determine the services on these ports.

3. Discover & Vulnerability Assessment

We found a number of vulnerabilities on the devices, along with information about the systems in use and many other services. We did not exploit most of them because they revolve around DoS and we do not want to shut down the services. Note: detailed in Appendix B: vulnerability scan report.

4. Exploit

o Active Directory server: Save the hash in a text file and use John the Ripper to crack the password.
This Python script's most powerful uses include launching interactive command prompts in order to get shell access on the server.
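The active reconnaissance described in this scenario (the nmap port sweep against the servers and the Kerberos enumeration of valid domain users against the domain controller) leaves a characteristic trace in the defender's logs. The following is an added example, not code from the original report: the 4768 event records, the firewall log lines, the scanner address 10.10.20.50 and the thresholds are constructed for illustration, while the server addresses are those given in the scenario.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4768 events (Kerberos TGT requests) as the DC at
# 10.10.30.5 would log them. 10.10.20.50 is an assumed scanner address. Result
# code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the requested account does not exist.
KERBEROS_EVENTS = [
    ("2022-06-22T10:00:00", "10.10.20.5", "alice", "0x0"),
    ("2022-06-22T10:00:03", "10.10.20.5", "alcie", "0x6"),    # a single typo: benign
    ("2022-06-22T10:01:00", "10.10.20.50", "admin", "0x6"),
    ("2022-06-22T10:01:00", "10.10.20.50", "root", "0x6"),
    ("2022-06-22T10:01:01", "10.10.20.50", "backup", "0x6"),
    ("2022-06-22T10:01:01", "10.10.20.50", "test", "0x6"),
    ("2022-06-22T10:01:02", "10.10.20.50", "guest", "0x6"),
    ("2022-06-22T10:01:02", "10.10.20.50", "svc_sql", "0x0"),  # a valid name was found
]

def kerberos_enum_sources(events, window_s=60, min_unknown=5):
    """Source IPs that asked for >= min_unknown distinct non-existent principals
    within any window_s-second window, mapped to that count (user enumeration)."""
    per_ip = defaultdict(list)
    for ts, ip, user, status in events:
        if status == "0x6":
            per_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, rows in per_ip.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):   # slide the window over the sorted rows
            names = {u for t, u in rows[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(names) >= min_unknown:
                hits[ip] = max(hits.get(ip, 0), len(names))
    return hits

# Constructed firewall log: the scanner sweeping the database server (10.10.30.6)
# over many ports, plus one workstation's legitimate MySQL connection on 3306.
FIREWALL_LOG = "\n".join(
    [f"2022-06-22T10:05:{i:02d} src=10.10.20.50 dst=10.10.30.6 dport={p} action=deny"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 1433])]
    + ["2022-06-22T10:05:30 src=10.10.20.5 dst=10.10.30.6 dport=3306 action=allow"]
)

def port_scan_sources(log_text, min_ports=10):
    """(src, dst) pairs that touched >= min_ports distinct destination ports, mapped
    to that count: the footprint of an nmap-style port sweep."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # key=value pairs
        ports[(fields["src"], fields["dst"])].add(int(fields["dport"]))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}
```

On the constructed input the single mistyped username from the workstation stays below the threshold, while the scanner is flagged by both detectors.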