
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/352102901

Exploiting Vulnerabilities of a Linux Based Machine: Penetration Testing Report and Incident Response Procedure

Preprint · September 2016
DOI: 10.13140/RG.2.2.13192.96005

1 author: Imrana Abdullahi Yari, Friedrich-Alexander-University of Erlangen-Nürnberg

All content following this page was uploaded by Imrana Abdullahi Yari on 03 June 2021.


Exploiting Vulnerabilities of a Linux Based Machine: Penetration Testing
Report and Incident Response Procedure
Imrana Abdullahi Yari, BSc (2016)
Keywords: vulnerability assessment, penetration testing, Metasploitable, Ubuntu, Kali, Linux, incident response

1. Report Summary
Management Summary

This report presents the results of the penetration testing and vulnerability assessment of a
Metasploitable virtual machine and its underlying services. A Metasploitable 2 machine is an
Ubuntu Linux (version 8.04) based vulnerable machine developed by Rapid7 [1] in collaboration
with MIT and intended for internal and external penetration testing and vulnerability
assessment. The machine is deliberately built with weak security controls that can be exposed
and compromised. The motivation behind this security assessment was to investigate and confirm
the adequacy of the controls assigned to the security of the machine by those responsible for
protecting critical and confidential information. The purpose of the assessment is to identify the
issues of the Metasploitable machine that could affect the system and its functionality. The
procedure employed starts with initial preparation: setting the attack goal, scope, and
requirements. Next, vulnerable services were discovered. The machine was then attacked to test
the risk associated with each service. Finally, the findings were reported.

The scope of this experiment covers penetration testing of the Metasploitable machine and all
services included in it. Based on the risk associated with the findings, the Metasploitable machine
is rated at a high risk level. This rating implies a critical risk of the security controls being
compromised, with the potential loss of the entire business and the individuals involved. In this
penetration test, the successful attacks demonstrated extreme-risk vulnerabilities in light of the
severity of the six vulnerabilities found. In general, all the security issues found in this research
are highly exploitable and allow the entire system to be compromised. The findings were obtained
by applying the techniques, tools, and procedures of the approach designed in this study. Overall,
the target system (the Metasploitable machine) needs timely patching together with suitable
security measures, such as a firewall and intrusion detection mechanisms, to fix the vulnerable
services. The system likewise needs strong validation of access credentials, since weak credentials
put the greater part of the active services in danger. The result obtained is intended to be a
general assessment of the Metasploitable machine and its contents. Therefore, any current Ubuntu
Linux-based machine possessing system features and weaknesses similar to those identified in this
study could be equally susceptible to malicious threats.

[1] https://information.rapid7.com/download-metasploitable-2017.html

Technical Summary

To evaluate the security of the target system, it is assumed that the pentester (the authorized person
performing the security assessment) should mimic the procedure of an attacker and attempt to
perform unauthorized activities, acquire important information, and assess the general security
of the machine by running different checks to find vulnerabilities. The testing includes all services
and applications on the target system. Initially, the fping tool is used to identify the availability of
the target system. Secondly, tools like Nmap and traceroute are used to determine the open ports
and active services of the target system. Next, the Nessus automated vulnerability scanner is used
to scan the target system for vulnerabilities. Finally, the Metasploit framework with its modules
and Netcat are employed to exploit the system and carry out post-exploitation.

Table 1. Summary of vulnerabilities found.

All of the findings (Table 1) eventually provide root access, complete unauthorized disclosure of
system information, modifications, and also disruption of services. The vulnerability with a
medium impact of exploitation is PHP CGI; this shows that this vulnerability requires some
precondition to escalate to a high-privilege user such as an administrator. However, it permits an
attacker to perform some modifications before post-exploitation. Therefore, the probability of
exploiting lesser and greater vulnerabilities may vary, since more effort is required to attain a
greater impact of exploitation. For attacks on the Java RMI and UnrealIRCd vulnerabilities to
succeed and achieve complete system compromise, considerable skill and tooling are required, so
this type of attack rarely occurs. The chances of exploiting the Samba and vsftpd vulnerabilities
are rated moderate due to some preconditions required to exploit the system. The PHP CGI and
VNC weak password vulnerabilities are very common, because only less advanced skills and open
tools are needed to exploit the system.
The overall findings were identified as vulnerabilities caused either by easily guessable access
credentials, by missing patches, or by the absence of system hardening. It is recommended that
the system services be upgraded to the most recent releases, which contain security patches that
fix the discovered vulnerabilities. The weak credentials ought to be replaced by strong credentials
that cannot be easily guessed.

2. Design of Methodology
The penetration testing methodology used for this study is divided into the following phases,
sourced from (PCIsec 2015, Saindane 2015, SANS 2012a):

Methodology flow diagram: Planning & Pre-Engagement Interaction → Discovery Phase (Intelligence Gathering, Vulnerability Analysis) → Attack Phase (Exploitation, Post-Exploitation) → Reporting

2.1. Planning and Pre-Engagement Interactions

• Goal and scope of the assessment, which involves:
o What is to be tested?
▪ IP address
▪ Hosted web application
▪ Time and requirements of the test
• Legal considerations and agreements
• Client and engagement interactions
• Start-up meeting between the individuals involved
• The type of testing (white box, black box, or grey box) to be performed

2.2. Discovery phase

This is the phase where the main testing commences; it involves the following stages:
2.2.1. Intelligence gathering
This is a pre-testing stage that is used to examine and gather information about the target machine.
This phase involves footprinting, scanning, and enumerating (SANS 2016, McGreevy 2012, Vines
2007). The main attribute is reconnaissance.
• Footprinting
o The passive initial gathering of information about the target machine
o Determination of the network address of the target machine
o Using the following resources:
▪ Resources from the internet such as whois databases, like whois.ripe.net
▪ nslookup and fping
▪ Active social engineering can also be used
• Scanning
o This phase is more active than the previous phase of footprinting
o External and internal network scanning
o OS and application fingerprinting
o Active and open port services
o What type of host is available?
▪ Any hosted web application(s)
o Using the following tools:
▪ traceroute, ping, Netcat, and Nmap
• Enumerating
o The outputs obtained in the scanning phase are used to map the network
o The goal here is to gain a complete picture of the target machine
o Use of active services to determine poorly implemented resources
▪ Techniques like the following are used:
• Using snmputil for SNMP threat modeling
• Finding NetBIOS information using nbtscan and the Metasploit smb_version auxiliary module
• Using the dig command-line tool for querying DNS
2.2.2. Vulnerability Detection
• Involves discovering flaws in the targeted system
• A threat level classification needs to be created for the exploitation phase
• Priority should be given to the threat levels that need to be analyzed and exploited; this is
reflected in the exploitation phase
• Invalid or random inputs like a single quote (') can be supplied to the system to observe the
resulting error, which could point to the existence of a SQL injection vulnerability
• The following automated tools can be used to scan for vulnerabilities. However, this also
requires some experience to judge the findings:
o Nessus
o Retina
o OpenVAS and ISS scanner

2.3. Attack Phase

This is the most fascinating and challenging section, which is divided into the exploitation and
post-exploitation phases.
2.3.1. Exploitation
• Depends completely on the vulnerability analysis phase and focuses mainly on exploiting the
target.
• Exploit the target with the appropriate exploits, after a compatibility check
• Coding skills are of vital importance to understand the code of exploits
• A rigorous test should be performed in a testing environment before the actual activity
• A risk analysis should be presented, based on that test, before the actual test
• Examples of open-source exploitation frameworks are:
o Metasploit project
o Core Security Impact project
2.3.2. Post Exploitation
• Involves extending attacks, referred to as privilege escalation

• Mostly occurs when the exploit to gain root privileges was not achieved in the previous phase,
which calls for further vulnerability analysis.
• This phase might require the installation of some tools to gain root access
• The pentester can analyze further information during post-exploitation. For instance, with the
organization's permission, a compromised system can be used to attack another vulnerable
system within the target environment.
• Keeping logs of all the processes and findings is helpful as evidence of the work done
• Using the post-exploitation phase, an attacker can gain persistence in a compromised system

2.4. Reporting
• Is one of the crucial phases and involves preparing a final document for the organization.
• Consists of an executive summary for management and a technical section for support staff,
detailing the results in an appropriate form.
• It focuses on threat impacts, the level of severity, general findings, recommendations, fixes,
the cost of implementing a resolution, a summary, and a roadmap.
• The technical report describes how vulnerability analysis, exploitation, and post-exploitation
were carried out.

3. Discovery Phase
3.1. Intelligence gathering
Footprinting
Here it is assumed that the attacker does not know the IP address of the target machine within the
specified domain and must find the active hosts connected to the target machine's subnet. Figure 1
below illustrates the fping tool used to find the active systems that are within the same subnet as
the source address. The -A option displays the address of the hosts, while -g specifies the range of
IP addresses to probe.

Figure 1: Fping

Figure 1 above shows the results. The two active systems shown, which are connected to the same
network, are the target system and the source system. This gives an attacker a clue about the live
systems within the network.
Scanning
The previous phase assists an attacker in finding the IP address of the target machine. To move
further, tools like ping and traceroute are used to provide more information about the target
machine. Figure 2 shows the output of ping and traceroute run against the IP address, which
indicates that the machine is active and reachable, with a maximum of 30 hops (gateways)
between the source and destination. This confirms to the attacker that the system is live and gives
the range of possible distance to reach the target.

Figure 2: Ping and Traceroute

An attacker can uniquely identify the different applications and services running on the target by
their ports, which allow a single physical connection to be shared on a packet-switched network.
Figure 3 below shows the output of the Netcat command used with the options -v to report each
port the scan covers, -w to make nc wait 1 second for a port to answer open or closed, and -z to
operate in zero-I/O mode (scanning without sending data). The range 1-1000 covers the ports to
scan.

Figure 3: Netcat output

Figure 4 below shows the output of a ping sweep using Nmap, which uses ICMP to step through
the host IDs in the target subnet. However, the destination machine may capture the packets that
come in and out of the network, as shown in figure 5, using the tcpdump tool. The port scan in
figure 6 indicates the open ports, the service versions, and their protocols. Additionally, custom
packet crafting (-sS) of the source field is used as an option for Nmap to spoof the address of the
attacker's machine, so as not to trigger an alarm or arouse suspicion. The outputs of Netcat in
figure 3 and Nmap in figure 5 differ due to the specified range of ports to scan.

Figure 4: Nmap

Figure 5: tcpdump

Figure 6: Nmap
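The sweep and port scan described above leave a recognisable footprint in a capture like the one in figure 5. As an added example (not part of the original report), the following Python script parses constructed tcpdump-style lines and flags a source that sends ICMP echo requests to many hosts (ping sweep) or SYNs to many ports on one host (the nc -z / Nmap style scan); the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# tcpdump-style TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
TCP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")
# tcpdump-style ICMP line: "<ts> IP <src> > <dst>: ICMP echo request, ..."
ICMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")


def build_sample_capture():
    """Constructed capture (not the report's figure 5): one host sweeps eight addresses with ICMP,
    then SYNs twelve ports on one target (an nc -z / Nmap style scan); a second host opens one
    ordinary SSH session."""
    lines = []
    for h in range(1, 9):
        lines.append(f"12:00:01.0000{h:02d} IP 192.168.56.101 > 192.168.56.{h}: "
                     f"ICMP echo request, id 7, seq {h}, length 64")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514]):
        lines.append(f"12:00:02.0000{i:02d} IP 192.168.56.101.{41000 + i} > 192.168.56.102.{port}: "
                     f"Flags [S], seq {i}, win 1024, length 0")
    lines.append("12:00:03.000000 IP 192.168.56.50.50100 > 192.168.56.102.22: "
                 "Flags [S], seq 99, win 64240, length 0")
    lines.append("12:00:03.000100 IP 192.168.56.102.22 > 192.168.56.50.50100: "
                 "Flags [S.], seq 5, ack 100, win 5840, length 0")
    return "\n".join(lines)


def analyse_capture(text, port_threshold=10, host_threshold=5):
    """Flag sources that SYN >= port_threshold distinct ports on one host (port scan) or send
    ICMP echo requests to >= host_threshold distinct hosts (ping sweep). Thresholds are assumptions."""
    syn_ports = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dports}
    echo_hosts = defaultdict(set)                         # src -> {dst hosts}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, _sport, dst, dport, flags = m.groups()
            if flags == "S":            # pure SYN only; "S." is the target's SYN-ACK reply
                syn_ports[src][dst].add(int(dport))
            continue
        m = ICMP_RE.match(line)
        if m:
            src, dst = m.groups()
            echo_hosts[src].add(dst)
    port_scans = {}
    for src, targets in syn_ports.items():
        hits = {dst: len(ports) for dst, ports in targets.items() if len(ports) >= port_threshold}
        if hits:
            port_scans[src] = hits
    ping_sweeps = {src: len(hosts) for src, hosts in echo_hosts.items()
                   if len(hosts) >= host_threshold}
    return {"port_scans": port_scans, "ping_sweeps": ping_sweeps}


if __name__ == "__main__":
    print(analyse_capture(build_sample_capture()))
```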

Enumerating
Here, active connections and open port services are used to detect poorly implemented services.
This assists an attacker in building a map of the target network to determine potential weaknesses
(McNab 2007). The nbtscan tool is used to reveal the target's NetBIOS hostname, the domain name
of the machine, and the accessible MAC address, as illustrated in figure 7.

Figure 7: nbtscan

To enumerate further, the Metasploit framework is used to find the Samba version of the
Metasploitable machine, as shown in figure 8. McNab notes that the NetBIOS name service is
vulnerable to several attacks if exposed to an untrusted network or if UDP port 137 is open and
active (McNab 2007). Also, port 80 is enumerated using an Nmap script to find useful
information about the target machine, as shown in figure 9.

Figure 8: smb_version

Figure 9: HTTP enumeration

3.2. Vulnerability detection


The Nessus vulnerability scanner is configured against the Metasploitable machine to scan for and
find vulnerabilities. The vulnerabilities found are shown below with full details, arranged by
severity level. The total number of vulnerabilities found is 72, but only those with an impact on
exploiting the Metasploitable machine are the focus. The Nessus result is strictly based on the
open and active services, OS, and applications gathered in the previous phases. To investigate
further, figure 11 illustrates the result of an Nmap scan run to validate the Samba vulnerability
that Nessus found.

Figure 10: list of vulnerabilities found

Figure 11: samba vulnerability with exploits

4. Attack phase
This phase is based primarily on the findings of the previous phases.

4.1. Vulnerability 1: Samba MS-RPC on port 445 Remote Shell Command Execution – CVE-2007-2447
Description
Samba versions 3.0.0 to 3.0.25rc3 are affected by a vulnerability that permits intruders to
execute shell commands, because the target machine neglects to verify and sanitize user input
(SecurityFocus 2010a). An attacker may leverage this problem to run arbitrary shell commands on
the vulnerable target machine with the privileges of the vulnerable Samba application.
CVE-2007-2447 reports this vulnerability with an impact score of 6.0, corresponding to a medium
level impact of exploitation (CVE Details 2015). It was also reported that this vulnerability affects
remote printer and file share management (Samba 2007).
Exploitation
The previous enumeration phase has already shown the Samba version, which is 3.0.20. The
module exploit/multi/samba/usermap_script in the Metasploit framework is used to exploit a
command execution vulnerability in Samba when the non-default "username map script"
configuration option is in use, as shown in figure 12. No authentication is required to exploit this
vulnerability, because the configuration option is used to map usernames prior to authentication.

Figure 12: samba exploitation

Figure 13: shadow file of the target machine

Shell access is used to obtain the password hashes of the target machine. The John the Ripper
password cracker was then used to crack the passwords. The cracked password and its username
were later used to get another user's access to the system via SSH, as shown in figure 14.

Figure 14: using ssh

Resolution
• To mitigate this issue, patches are available from
https://www.samba.org/samba/history/security.html for vulnerable Samba 3.0 through 4.40
• This flaw can be mitigated by removing all external script invocations from the Samba
configuration, such as username map and printer commands (Samba 2007).
• Also, running an up-to-date stable Samba reduces the risk, because the latest versions
incorporate the fixes for the earlier issues (Samba 2007).
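The second resolution bullet is mechanical enough to check automatically. As an added example, not from the report or from the Samba project, the following Python script audits an smb.conf for every parameter that Samba runs as an external command (username map script, printer commands, preexec/postexec and similar) and emits a copy with those lines commented out; the parameter list is drawn from the smb.conf manual page and the sample configuration is constructed.

```python
import re

# smb.conf parameters whose values smbd/nmbd hand to a shell as external commands.
# Taken from the smb.conf manual page; illustrative, not exhaustive.
SCRIPT_PARAMETERS = {
    "username map script",
    "add user script", "delete user script", "add machine script",
    "add group script", "delete group script",
    "print command", "lpq command", "lprm command", "lppause command", "lpresume command",
    "queuepause command", "queueresume command",
    "preexec", "postexec", "root preexec", "root postexec",
    "magic script", "message command", "panic action", "dfree command",
}


def squash(name):
    """smbd ignores case and whitespace in parameter names, so compare in that form."""
    return re.sub(r"\s+", "", name).lower()


SCRIPT_KEYS = {squash(p) for p in SCRIPT_PARAMETERS}

# Constructed smb.conf fragment (not the report's machine). The live "username map script"
# line is the setting the usermap_script module depends on; the commented copy must be ignored.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; username map script = /etc/samba/map.sh
   username map script = /bin/sh
   security = user

[printers]
   path = /var/spool/samba
   printable = yes
   print command = /usr/bin/lpr -r %s
   lpq command = /usr/bin/lpq

[homes]
   browseable = no
   preexec =
"""


def audit_smb_conf(text):
    """Return one finding per live (uncommented, non-empty) external-command directive."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # [global], [printers], ...
            section = m.group(1).strip()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if squash(key) in SCRIPT_KEYS and value.strip():
            findings.append({"line": lineno, "section": section,
                             "parameter": key.strip(), "value": value.strip()})
    return findings


def neutralise_script_directives(text):
    """Return a copy of the configuration with every flagged directive commented out."""
    flagged = {f["line"] for f in audit_smb_conf(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}; disabled by audit: {raw.strip()}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"line {f['line']} [{f['section']}] {f['parameter']} = {f['value']}")
```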

4.2. Vulnerability 2: vsftpd on port 21, version 2.3.4 backdoored - CVE-2013-1493

Description
Several Linux distributions ship VSFTPD (Very Secure FTP Daemon), an FTP server. VSFTPD is
secure, apart from a noteworthy incident that occurred around July 2011 when someone replaced
the standard version 2.3.4 with a modified build that contained malicious code with a backdoor
(PentsetLab 2012). This vulnerability allows a user to log into the compromised VSFTPD version
and gain remote shell access on port 6200 by using a smiley ":)" in the username, with any
password (Evans 2011). Moreover, a similar instance was reported as CVE-2013-1493, where a
Java SE 15 vulnerability also allows an attacker to remotely execute commands using a malware
backdoor (Acunetix 2014).
Exploitation
Figure 14 shows how the Netcat command is used to find the VSFTPD version, to check whether it
is the backdoored build, and then to log in with the smiley username "letmein:)". In a second
terminal, while the first terminal is still running, Netcat is used to gain shell and root access
through port 6200 instead of 21.

Figure 14: exploitation of vsftpd

Shell access is used to reveal the actual username and password of the Metasploitable machine,
as shown in figure 15 below.

Figure 15: admin details

Resolution
• The reported CVE-2011-2523 issue associated with VSFTPD version 2.3.4 has been fixed in the
later released version 2.3.5-3 and higher (SecTrack 2011). These versions incorporate patches
that removed the backdoor.
• The corrected version can be downloaded from
https://security.appspot.com/vsftpd.html
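The two indicators the description gives, a ":)" in the FTP USER argument and a shell listener appearing on port 6200, are enough for a host- or network-side check. As an added example (not from the report), the following Python script applies both to a constructed FTP control-channel transcript and an `ss -ltn` style socket listing; the listing format and the sample data are assumptions.

```python
import re

BACKDOOR_TRIGGER = ":)"   # byte sequence 0x3a 0x29 in the USER argument
BACKDOOR_PORT = 6200      # port on which the backdoored build opens a shell

# Constructed FTP control-channel transcript (client commands only), not a capture from the report.
FTP_COMMANDS = """\
USER anonymous
PASS guest@example.org
QUIT
USER letmein:)
PASS anything
USER alice
PASS s3cret
"""

# Constructed `ss -ltn` style listing of the FTP host; the 6200 entry is what a triggered backdoor leaves.
LISTENING_SOCKETS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       32            0.0.0.0:21          0.0.0.0:*
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       1             0.0.0.0:6200        0.0.0.0:*
"""


def find_trigger_logins(transcript):
    """Return every USER argument that carries the trigger sequence."""
    hits = []
    for line in transcript.splitlines():
        m = re.match(r"^USER\s+(.+)$", line.strip(), re.IGNORECASE)
        if m and BACKDOOR_TRIGGER in m.group(1):
            hits.append(m.group(1))
    return hits


def port_is_listening(ss_output, port):
    """True if the listing shows a LISTEN socket on the given port (IPv4, IPv6 or '*' forms)."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            if fields[3].rsplit(":", 1)[-1] == str(port):
                return True
    return False


def assess_vsftpd_host(transcript, ss_output):
    """Combine both indicators into a verdict a responder can act on."""
    triggers = find_trigger_logins(transcript)
    listening = port_is_listening(ss_output, BACKDOOR_PORT)
    if triggers and listening:
        verdict = "backdoor triggered: shell listener open on port 6200, isolate host"
    elif listening:
        verdict = "unexpected listener on port 6200, verify the vsftpd binary"
    elif triggers:
        verdict = "trigger attempt seen but no listener, confirm vsftpd is a clean build"
    else:
        verdict = "no indicator"
    return {"triggers": triggers, "port_6200_listening": listening, "verdict": verdict}


if __name__ == "__main__":
    print(assess_vsftpd_host(FTP_COMMANDS, LISTENING_SOCKETS))
```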

4.3. Vulnerability 3: PHP CGI Argument Injection CVE 2012-1823

Description
This kind of vulnerability affects an Apache server whose PHP interpreter is set up as a CGI
script. The service receives variables, some of which are controlled by users, and uses them to
invoke calls in the library. If these parameters are not passed the way they should be, an attacker
can add additional code through the query string (CVE Details 2013). Running PHP versions
5.3.12 and 5.4.2 as CGI is vulnerable to this injection attack. The -d flag, which overrides php.ini
directives, is what is used to accomplish code execution. Its impact allows an attacker to access
confidential information, cause a DoS, and obtain user privileges (KbPlesk 2014).
Exploitation
Figure 16 shows that the phpMyAdmin hosted on the Metasploitable machine is vulnerable when
-s is passed in the URL. Figure 17 shows the exploitation using the
exploit/multi/http/php_cgi_arg_injection module of the Metasploit framework with a PHP
interpreter payload and the required options (Calderon 2012).

Figure 16: PHP CGI vulnerability

Figure 17: php cgi vulnerability exploitation

Privilege escalation
Figure 18 below shows the post-exploitation using SSH with the username and password exposed
from index.php.

Figure 18: post exploitation using ssh command

Resolution
• Use of the latest releases is highly recommended. Alternatively, use the automatic scripts that
can be downloaded from
http://kb.sp.parallels.com/Attachments/20000/Attachments/cve-2012-1823-wa_pp.tgz
• Writing a .htaccess rule to a file saved in the Apache directory can filter out those option-style
parameters (KbPlesk 2014).
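The .htaccess workaround in the last bullet works by refusing query strings that php-cgi would read as interpreter options. As an added example, not from the report or from Plesk, the following Python script applies that same condition (query string starting with "-" or "%2d" and containing no literal "=") to constructed Apache access log lines, so a defender can find the -s and -d probes in existing logs; the log lines and paths are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache combined-log prefix: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed access log lines (not from the report's lab); the first two are option-style probes.
SAMPLE_ACCESS_LOG = """\
192.168.56.101 - - [16/May/2016:10:00:01 +0100] "GET /phpMyAdmin/index.php?-s HTTP/1.1" 200 5123
192.168.56.101 - - [16/May/2016:10:00:02 +0100] "POST /phpMyAdmin/index.php?%2dd+display_errors%3d1 HTTP/1.1" 200 812
10.0.0.7 - - [16/May/2016:10:00:03 +0100] "GET /phpMyAdmin/index.php?page=-1 HTTP/1.1" 200 4410
10.0.0.7 - - [16/May/2016:10:00:04 +0100] "GET /index.php HTTP/1.1" 200 7200
"""


def is_cgi_argument_injection(query):
    """CVE-2012-1823 condition: php-cgi only treats the query string as command-line arguments
    when it contains no literal '=', so a query that starts with '-' (raw or as %2d) and has no
    '=' reaches the interpreter as options such as -s or -d. The published .htaccess workaround
    tests the same condition."""
    if not query or "=" in query:
        return False
    return re.match(r"^(?:%2d|-)", query, re.IGNORECASE) is not None


def scan_access_log(text):
    """Return one finding per request whose query string would be parsed as php-cgi options."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if is_cgi_argument_injection(query):
            findings.append({"ip": m.group("ip"), "path": path,
                             "decoded_query": unquote_plus(query),
                             "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['path']} -> {f['decoded_query']!r} (HTTP {f['status']})")
```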

4.4. Vulnerability 4: Java RMI Server on port 1009 Java Code Execution - CVE-2011-3556
Description
The Java Remote Method Invocation (RMI) server has an insecure registry configuration and
activation service, which allow remote code execution with high-privilege user permissions. This
is possible because Java RMI allows the loading of classes via a remote protocol (Cisco 2011).
The Java RMI method invocation does not require any form of validation or authentication. An
attacker can exploit this weakness by sending crafted packets that, when processed, execute code
remotely on the affected version and may eventually compromise the vulnerable system.
Exploitation
Figure 19 below shows the exploitation using the exploit/multi/misc/java_rmi_server module of
the Metasploit framework to get shell access as a high-privilege user.

Figure 19: exploitation of java_rmi_server

Resolution
• Disabling class loading in the AdminServerPlugins.properties file could potentially prevent the
attack (KnowledgeBProg 2016).
• Using a host-based firewall to restrict access to the affected service (Cisco 2011).

4.5. Vulnerability 5: UnrealIRCD 3.2.8.1 backdoored on port 6667 - CVE 2010-2075

Description
The UnrealIRCd Unreal3.2.8.1 archive has been reported to have been replaced with, or heavily
modified by, a backdoor. This Trojan horse permits a user to execute commands remotely without
restriction, as the user running ircd. This serious problem occurred because the original .tar file
was replaced by the backdoored one in November 2009 (UnRealircd 2010, CVE_Mitre 2010).
Exploitation
The Metasploit framework module exploit/unix/irc/unreal_ircd_3281_backdoor is used to exploit
the UnrealIRCd vulnerability, as shown in figure 20, which also gives root access.

Figure 20: exploitation of unrealircd

Figure 21 illustrates access to the MySQL server from the obtained shell, used to explore the attack further.

Figure 21: MySQL server

Resolution
• The new versions are patched with the solution. Alternatively, re-download and compile the
exact version that has been fixed: https://www.unrealircd.org/download

4.6. Vulnerability 6: VNC Server weak 'password' Password, on port 5900

Description
The Nessus scan reported in the discovery section that the VNC server is secured with a very
weak password that can be easily guessed or brute-forced. An attacker can leverage this
vulnerability to gain shell access remotely via a VNC viewer with the leaked password. Nessus
also rates this vulnerability as critical, since VNC can be used to get shell access.
Exploitation
Figure 22 illustrates access to the VNC server with the leaked 'password' as the password.

Figure 22: VNC server access

To explore the attack further, the VNC shell access is used to reach the MySQL server and then
drop one of the databases, as shown in figure 23.

Figure 23: MySQL server

Resolution
• Create strong, secure passwords following these rules:
o The password should be long enough
o It includes a combination of numbers, upper and lower case letters, and special characters
o Avoid obvious passwords, such as using the username as the password (Owasp 2016)
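As an added example (not from the report), the following Python function checks a candidate password against the three rules above and against the username, and also shows a VNC-specific caveat: classic VNC (RFB) password authentication keys DES with only the first 8 characters of the password, so length beyond that gains nothing unless a different authentication method is used. The minimum length and the list of common passwords are assumptions.

```python
import string

VNC_EFFECTIVE_LENGTH = 8   # classic RFB "VNC Authentication" uses the first 8 bytes only
MIN_LENGTH = 12            # assumed policy value; the report only asks for "long enough"
# Constructed list of obviously guessable passwords; a real deployment would use a breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "vnc", "changeme"}


def vnc_effective(password):
    """The part of the password that classic VNC authentication actually uses."""
    return password[:VNC_EFFECTIVE_LENGTH]


def character_classes(text):
    """Which of the report's four classes (numbers, upper, lower, special) are present."""
    return {
        "number": any(c.isdigit() for c in text),
        "upper": any(c.isupper() for c in text),
        "lower": any(c.islower() for c in text),
        "special": any(c in string.punctuation for c in text),
    }


def check_password(password, username=None, min_length=MIN_LENGTH, vnc=False):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if vnc:
        effective = vnc_effective(password)
        if len(effective) < len(password):
            problems.append(f"VNC will only use '{effective}' "
                            f"(first {VNC_EFFECTIVE_LENGTH} characters)")
        eff_missing = [n for n, p in character_classes(effective).items() if not p]
        if eff_missing:
            problems.append("first 8 characters miss classes: " + ", ".join(eff_missing))
    return problems


if __name__ == "__main__":
    # The report's finding: the VNC service protected by the literal password "password".
    print(check_password("password", username="vncuser", vnc=True))
```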

5. Reconnaissance activity on shu.ac.uk

Google hacking technique
Advanced Google search techniques are used to gather intelligence about the shu.ac.uk website,
including some potentially sensitive information. The following site: search operator and optional
operators are used to gather all login pages. We accessed the robots.txt file, which contains
exclusion instructions that prevent web crawlers from crawling excluded content. The robots.txt
content shown in figure 24 may offer the attacker a hint about the root directory and some
sensitive files, especially administrative and configuration information.
site:www.shu.ac.uk ext:xml | ext:conf | ext:cnf | ext:inf | ext:cfg | ext:txt | ext:ini
site:www.shu.ac.uk inurl:login

Figure 24: sitemap

Figure 25: login URLs

Netcraft and Nslookup

An attacker can make use of a free online tool like netcraft.com to obtain relevant information
about the server- and client-side technologies of shu.ac.uk. Figure 26 illustrates the findings when
shu.ac.uk is searched on the Netcraft website. The findings give the attacker a hint about the
address of the target system, its availability, and some additional details. The nslookup command
is used to validate the IP address, as shown in figure 27.

Figure 26: netcraft.com

Figure 27: nslookup

Maltego
An attacker can make use of the Kali Linux tool Maltego to run reconnaissance activity for
information gathering and data mining from all publicly available areas on the internet. Maltego
has a palette with a domain option to add a domain name, and it also supports several
transformations, for email, website, DNS, and so on. Figure 28 shows the data gathered from the
shu.ac.uk website. The attacker can make use of these findings for social engineering and
phishing attacks.

Figure 28: maltego

SECTION B

6. Incident response procedure


The following are the fundamental steps of an incident response procedure for dealing with a
potential data breach, sourced from (Johnson 2013, Luttgens, Pepe et al. 2014, McCarthy 2012):

Step 1: Incident Preparation Plan

• All the resources needed to handle incidents should be immediately available, with constant
checks to ensure their accuracy
• Pre-deployed incident handling assets, using sensors and monitors to watch critical systems
• Keeping and observing records of normal operation and logs of critical systems
• Developing a method and checklist to deal with the incident
• Building up a communication plan covering the trained incident responders, authorities, and
any other parties involved
• Setting up a safe area from which to execute the incident response procedure
• Guaranteeing that the utilities (disaster recovery tools) required are readily and actively
available

Step 2: Incident Identification Plan

• Allocating responsibility for the potential incident to the individual/system responsible for
handling it
• Confirming that the reported event qualifies as an incident by employing incident indicators
such as:
o Malicious code, unauthorized access, suspicious entries, IDS alerts, bogus accounts,
unfamiliar files or accounts, and so on.
• Setting out measures for identifying the potential incident
• Deciding the severity of the incident and treating that decision as fundamental

Step 3: Incident Containment Plan

• Evaluate the status of the infected system and take one of the following options:
o Stop the system from accessing the network
o Shut down the system entirely
o Inspect the system and allow it to keep running
• Enabling the incident response team to handle the incident and raising awareness among the
affected individuals
• Getting approval on the associated risk, which may affect availability or endanger the control
process
• Engaging the individual(s) responsible for collecting, acquiring, and safeguarding the evidence
• Reporting and keeping a record of the steps taken, for any further actions ahead

Step 4: Incident Eradication Plan

• Investigate the scope of the incident and, from that, determine its cause
• Finding the most appropriate and recent solutions
• Getting rid of the root cause of the incident, which can be removed or cleaned up using
suitable fixes, for instance the recommended IPS or antivirus with the latest definition updates
• Enhancing security solutions and performing a vulnerability investigation to discover new risks
associated with or created by the underlying threat

Step 5: Incident Recovery Plan

• Re-establishing services to their normal operating state
• Verifying that the work done to restore the system was successful
• Testing, validating, and certifying the system as safe and operational by the responsible
individuals

Step 6: Lessons Learned and Follow-up Plan

• Investigation and evaluation of the issues experienced while resolving the incident
• Proposing areas for change in light of the issues experienced
• Presenting them to the relevant individuals or parties
• Lastly, generating the incident response documentation

Reference List

ACUNETIX, 2014. Analysis of an Intrusion: Backdoors.

CALDERON, P., 2012 (last updated 27 May 2012). Detecting and exploiting vulnerable PHP-CGI applications. Available: http://www.websec.ca/blog/view/detecting-and-exploiting-php-cgi.

CISCO, 2011. Oracle Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability. Available: https://tools.cisco.com/security/center/viewAlert.x?alertId=23665 [accessed 17 May 2016].

CVE DETAILS, 2015. Lists vulnerability statistics for all versions of Microsoft Internet Explorer. Available: http://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26.

CVE DETAILS, 2013 (last updated 19 July 2013). Vulnerability Details: CVE-2012-1823 (1 Metasploit module). Available: http://www.cvedetails.com/cve/2012-1823/ [accessed 16 May 2016].

CVE_MITRE, 2010. CVE-2010-2075. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2075.

EVANS, C., 2011. Alert: vsftpd download backdoored. Available: http://scarybeastsecurity.blogspot.co.uk/2011/07/alert-vsftpd-download-backdoored.html.

JOHNSON, L., 2013. Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response. Burlington: Elsevier Science.

KBPLESK, 2014 (last updated 12 August 2014). Parallels Plesk Panel: PHP-CGI remote code execution vulnerability (CVE-2012-1823). Available: http://kb.plesk.com/en/116241 [accessed 16 May 2016].

KNOWLEDGEBPROG, 2016. How to Prevent Java RMI Class Loader Exploit With AdminServer. Available: http://knowledgebase.progress.com/articles/Article/How-to-prevent-Java-RMI-class-loader-exploit-with-AdminServer.

LUTTGENS, J.T., PEPE, M. and PROSISE, C., 2014. Incident Response and Computer Forensics. 3rd ed. McGraw-Hill Education.

MCCARTHY, N.K., 2012. The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk. McGraw-Hill.

MCGREEVY, P., James, 2012. Footprinting: What Is It, Who Should Do It, and Why? Available: https://www.sans.org/reading-room/whitepapers/auditing/footprinting-it-it-why-62.

MCNAB, C., 2007. Network Security Assessment. 2nd ed. Farnham; Sebastopol, Calif.: O'Reilly.

OWASP, 2016 (last updated 14 February 2016). Password length & complexity. Available: https://www.owasp.org/index.php/Password_length_%26_complexity [accessed 17 May 2016].

PCISEC, 2015. Information Supplement: Penetration Testing Guidance. Available: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf.

PENTSETLAB, 2012 (last updated 12 November 2012). VSFTPD Exploitation. Available: https://pentestlab.wordpress.com/tag/vsftpd-backdoor/ [accessed 16 May 2016].

SAINDANE, S., Manish, 2015. Penetration Testing – A Systematic Approach. Available: http://www.infosecwriters.com/text_resources/pdf/PenTest_MSaindane.pdf.

SAMBA, 2007 (last updated 7 May 2007). CVE-2007-2447: Remote Command Injection Vulnerability. Available: https://www.samba.org/samba/security/CVE-2007-2447.html.

SANS, 2016. The Art of Reconnaissance - Simple Techniques. Available: https://www.sans.org/reading-room/whitepapers/auditing/art-reconnaissance-simple-techniques-60.

SANS, 2012. Conducting a Penetration Test on an Organization. Available: https://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67.

SECTRACK, 2011. CVE-2011-2523. Available: https://security-tracker.debian.org/tracker/CVE-2011-2523 [accessed 16 May 2016].

SECURITYFOCUS, 2010. Samba MS-RPC Remote Shell Command Execution Vulnerability. Available: http://www.securityfocus.com/bid/23972/discuss.

UNREALIRCD, 2010. unrealsecadvisory.20100612.txt. Available: https://www.unrealircd.org/txt/unrealsecadvisory.20100612.txt.

VINES, R.D., 2007. Penetration testing reconnaissance -- Footprinting, scanning and enumerating. Available: http://searchitchannel.techtarget.com/tip/Penetration-testing-reconnaissance-Footprinting-scanning-and-enumerating.
