PENETRATION TEST REPORT

EXAMPLE ORGANIZATION

Penetration Tester – Avinash Yadav

Phone Number – +91 xxxx-yyyyyy
Email – whatsoever@example.com
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

Document Control

Document Version Owner & Role Status & comments

v1.0 Avinash Yadav – Penetration Tester Prepared the Internal Draft

Disclaimer
The content of this report is highly confidential and may include critical information on Example
Organization’s systems, network, and applications. The report should be shared only with intended parties.

Although maximum effort has been applied to make this report accurate, Avinash Yadav cannot be held
responsible for inaccuracies or systems changes after the report has been issued since new vulnerabilities
may be found once the tests are completed.

Moreover, Avinash Yadav cannot be held responsible on how the report is implemented and changes made
to Example Org. systems based on the recommendations of this report. Guidance should be taken from a
network and security expert on how best to implement the recommendations.

All other information and the formats, methods, and reporting approaches is the intellectual property of
Avinash Yadav and is considered proprietary information and is provided in confidence to Example
Organization for the purpose of internal use only.

Any copying, distribution, or use of any of the information set forth herein or in any attachments hereto form
outside of Example Org.‘s authorized representatives is strictly prohibited unless Example Organization
obtains prior written consent of Avinash Yadav.

Table of Contents
Document Control........................................................................................................................................... 1
Disclaimer........................................................................................................................................................ 1

Page 1 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

Executive Summary........................................................................................................................................... 3
Security Posture................................................................................................................................................. 4
Methodology...................................................................................................................................................... 5
Tools Utilized.................................................................................................................................................... 5
Detailed Findings............................................................................................................................................... 6
192.168.26.45................................................................................................................................................. 6
1. Backdoor Command Execution – HIGH................................................................................................ 7
2. Weak Credentials – MEDIUM............................................................................................................. 10
Conclusion....................................................................................................................................................... 15
Recommendations............................................................................................................................................ 16
Additional Items............................................................................................................................................... 17

Page 2 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

Executive Summary
I was tasked with performing a black box penetration test towards Example Organization network which
revealed a need for Immediate Attention. The test was conducted on total 5 targets under an emergency 24
hours time period.

Security tests were conducted from internet over the period from 13 August, 2021 to 14 August, 2021 with
no prior knowledge of Example Organization’s state of security for the systems under tests. All target
systems were successfully exploited and access granted.

The environment was found to contain numerous vulnerabilities, including some very serious security flaws
such as EternalBlue which makes them susceptible to data breaches and system takeovers. Highly important
files which contain HIPAA and payment information are easily accessible and very visible; putting the
Example Organization at great risk to compliance violation and potentially subject to large fines and/or loss
of business reputation

Most of the vulnerabilities found relate to Outdated and Unpatched OS, Weak Passwords, lack of protection
of information disclosures through web and no inbound data sanitization.

It appears that the overall security posture is extremely poor and is

mostly due to human related error like patch management issues,
and no compliance to best practices. This is a clear case of
inefficient security management and gross negligence in
maintaining a proper security program in the organization.

High Medium Low

In conclusion, based on the results of the tests, I believe that the
Example Organization presents a high-risk attack surface and their current security defenses are deemed
below the expected level of security, therefore the overall assessment was rated as “SEVERE”.

Security Posture
The scope was to exploit vulnerabilities on Example Organization servers and apps that may be exploited by
malicious attackers. The aim of the tests was to go as far as possible.

Page 3 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

NOTE:- Dots Color Signify ⪢ Red - High Risk Orange - Mid Risk Green - Low Risk Grey - Safe

By this map, it is extremely clear that the organizational security measures, policies, practices and procedures
are not aligned with the industry best practices. More than 25% of the tested infrastructure is in a critical
state with High level of Risk.

TOTAL NUMBER OF VULNERABILITIES (including all 5 target machines)

Total Findings High Medium Low

14 9 2 3

Overall Security Rating – Immediate Attention and Action Required

Methodology
I utilized a widely adopted approach to performing penetration testing during the tests to test how well the
target environment is secured. Below, a breakdown of the applied methodology is provided.

Page 4 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

Information Vulnerability Post House

Exploitation
Gathering Analysis Exploitation Cleaning

 Information Gathering – Reconnaissance [Footprinting, Scanning and Enumeration]

 Vulnerability Analysis – Researching Potential Vulnerabilities and Analyzing them
 Exploitation – Using Exploits in order to validate the vulnerabilities of the target
 Post Exploitation – Everything that should be performed after successful exploitation
 House Cleaning – Ensuring that the Remnants of the Penetration Test are removed

Tools Utilized
Tools used by me were Industry Grade in a combination of Open Source and Commercial Licenses.

1. Nmap – Industry’s Most Commonly used Open-Source Scanning Tool

2. Metasploit Framework – Industry Grade Most Popular Pen-Testing Framework Toolset
3. BurpSuite Professional – Best in Class Suite of Tools for Web Application Assessment
4. Nikto – Web Server Audit Tool
5. Dirbuster – Directory & Web Files Enumeration Tool
6. Wpscan – Most popular Wordpress Website Security scanning tool

Detailed Findings

Page 5 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

HOST - 192.168.26.45

Name: Basic PenTesting 1

IP: 192.168.26.45
Type: Virtual Machine

This host contains –

1. FTP Server (ProFTPd)

2. SSH Server
3. Web Server (Apache)
Operating System: Ubuntu

Number of Vulnerabilities by Severity

High; 1 Medium; 1
1

Low; 0.1
0
High Medium Low

Page 6 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

1. Backdoor Command Execution – HIGH

 System Vulnerable – 192.168.26.45
 Vulnerability – ProFTPD-1.3.3c Backdoor Command Execution
 Severity Rating – High | CVSS Risk Score – 10 (Critical)
 Exploit Used – Rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor

Description

ProFTPD 1.3.3c service is found to be running on Port 21. It’s a highly configurable & feature rich FTP
server for Unix-like environments. An FTP Server’s purpose is to handle data transfer between computers. In
this case, this installation contains a backdoor vulnerability.

Analysis

Backdoor command execution allows remote attackers to execute arbitrary system commands with superuser
privileges. This results in full confidentiality, integrity and availability violation of organizational data and
systems.

Remediation

Option 1: If the FTP Service is not necessary, disable or remove it.
Option 2: Upgrade to a Stable Release. (Latest version available is ProFTPD 1.3.7a)

Steps to Reproduce

Page 7 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

1. My initial nmap scan revealed 3 open ports and detected Ubuntu OS on the target.
Command Used – nmap 192.168.26.45 -A -p- --min-rate 10000

2. Searchsploit displayed a potential exploit for the ProFTPD 1.3.3c service at Port 21.
Command Used – searchsploit ProFTPD 1.3.3c

3. To configure and test the discovered exploit, I used Metasploit Framework.

Exploit Used – exploit/unix/ftp/proftpd_133c_backdoor

Page 8 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

4. I decided to upgrade this shell from normal reverse shell to meterpreter.

Module Used – post/multi/manage/shell_to_meterpreter

2. Weak Credentials – MEDIUM

 Endpoint – http://192.168.26.45/secret/wp-login.php
 Vulnerability – Weak Password Usage for Wordpress
 Severity Rating – High | OWASP’s ID – WSTG-ATHN-07
 CWE Reference – https://cwe.mitre.org/data/definitions/521.html

Description

During the test, user “admin” was found to be using a weak password at Endpoint.

Analysis

This wordpress user has admin level access on the wordpress website. So, with this level of privileges, an
attacker can generate a fake plugin, pack the payload into it and upload it to the wordpress sever which on
executing would give server’s user access to him/her.

Remediation

Introduce and enforce strong password policy and two-factor authentication.

Page 9 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

Expert Opinion

Though weak wordpress credentials that finally lead to a system takeover are normally considered a High
Severity Vulnerability, but in case of this specific machine, we only get a www-data user access (and not
root!), so this has been rated as Medium.

Steps to Reproduce
1. A basic directory structure enumeration revealed http://192.168.26.45/secret.
Command Used – dirb http://192.168.26.45

2. Further reconnaissance disclosed that Wordpress 4.9.16 was installed.

Command Used – whatweb dirb http://192.168.26.45/secret

Page 10 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

3. A wordpress username “admin” was easily detected through a special scan.

Command Used – wpscan –url http://192.168.26.45/secret -e u

4. Another attack using wpscan successfully found this username’s password.

Command Used – wpscan -U admin --url 192.168.26.45/secret -P
/usr/share/wordlists/metasploit/http_default_pass.txt

5. Since this username had admin level privileges, it was possible to upload a shell. Screenshot below
shows how the payload was configured for this purpose.
Payload Location in Kali Linux – /usr/share/webshells/php/php-reverse-shell.php

Page 11 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

6. After logging into the wordpress dashboard of the website with admin:admin credentials, I uploaded
this php-reverse-shell.php file as a payload to the site.
Plugin Uploader URL – http://192.168.26.45/secret/wp-admin/plugin-install.php

After pressing the “Install Now” Button, the following error was displayed on wordpress because our
payload was obviously not a real plugin. But, the file has been uploaded.

7. A listener was setup in Metasploit framework which can catch the reverse shell.
Metasploit Module Used – exploit/multi/handler

8. On accessing the URL of the previously uploaded payload, A reverse shell with user level access on
the target is received by our handler.
Uploaded Plugin URL – 192.168.26.45/secret/wp-content/uploads/2021/06/php-reverse-shell.php

Page 12 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

Conclusion
Example Organization suffered a series of control failures, which led to a complete compromise of many in-
scope machines. These failures would have had a dramatic effect on the company’s operations if a malicious
party had exploited them.

The overall risk identified to Example Organization as a result of the penetration test is High. A direct path
from external attacker to full network compromise was discovered. The fact that all 5 systems in scope were
compromised makes it clear that these systems were not tested from a long time and since, they are all placed
at the DMZ area, It’s a risky situation.

Page 13 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

The primary goal of this penetration test was stated as identifying if there is any weakness in Example
Organization’s Network that could potentially be used by attackers to access sensitive health (PHI) or
payment data which would violate HIPPA or PCI-DSS compliances.

These goals of the pentest were met and in-fact much more than this. Many critical vulnerabilities were
found during the test that directly affect confidentiality, integrity and availability of the information and
systems. Majority of the findings have occasional prevalence, easy exploitability, and devasting impact with
simple prevention.

It was found that your security architecture has few patterns:

 Operating Systems are Outdated and Unpatched.

 Softwares and Services are Outdated.
 Passwords are either defaults or very weak.
 Security Controls are either not defined or implemented in most cases.
 All the vulnerabilities found have easy mitigation

In conclusion, these vulnerabilities should not be there in the first place. Example Corporation needs to
redefine their Information Security Management Program and rethink their processes.

Recommendations
Due to the impact to the overall organization as uncovered by this penetration test, appropriate actions
should be taken to remediate and safeguard your IT infrastructure.

Though mitigation for specific vulnerabilities has already been given in this report, Additionally, we
recommend the following:

1. Establishment of Updates & Patch Management Program

2. Implementation of WAF and IPS
3. Source Code Review of Deployed Applications and Sanitization
4. Alignment of Security Policies with Industry’s Best Practices
5. Use a Custom 404 (Not Found Error) Page
6. Social Engineering training for every employee
7. Vulnerability Scanning on at least monthly basis (Scan – Patch – Scan Again)

Page 14 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

8. Install a HIPS and DLP to stop common attacking payloads like meterpreter

Additional Items
Appendix A - References:

There are some concepts and special tools I used, to which I have given the links below -

 Kali Linux - https://www.kali.org/downloads/

 Vsftpd Exploit - rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
 Rooting Guide - blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Appendix B - Glossary:

There are some technical terms in the report which are important to be explained here -

 Black Box Penetration Test - In penetration testing, black-box testing refers to a method where an
ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration
test is to simulate an external hacking. It is the most unreliable form of penetration testing.

Page 15 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685
 Penetration Test Report | EXAMPLE-ORGANIZATION
___________________________________________________________________________________________

 Social Engineering – It is the art of using deception to con someone into providing information or
access they would not normally have provided. It’s the “human side” of breaking into a network and
preys on the qualities of human nature, such as the desire to be helpful, the tendency to trust people
and the fear of getting in trouble. According to recent statistics, 98% of all cyber-attacks rely on
social engineering.

Page 16 of 17 Copyright © 2021 Example Security Service Provider, All rights reserved. PTR-1685