Pentest Report

Uploaded by M Naveed

Table of Contents

1. Supervisory Report............................................................................................................................................3
A. Scenario.........................................................................................................................................................3
B. General Stance..............................................................................................................................................3
C. Risk Factor.....................................................................................................................................................3
D. Overall Findings.............................................................................................................................................3
E. Recommendation Summary..........................................................................................................................4
F. Roadmap.......................................................................................................................................................4
2. Technical Report...............................................................................................................................................4
3. Exploitation Phases...........................................................................................................................................4
A. Engagement..................................................................................................................................................4
a) Scope.........................................................................................................................................................4
b) Testing Pre-Requisites...............................................................................................................................5
c) Reporting Authority...................................................................................................................................5
d) Payment terms..........................................................................................................................................5
B. Information Gathering..................................................................................................................................5
a) Screenshots...............................................................................................................................................5
C. Scanning and Foot-Printing...........................................................................................................................6
a) Tool(s).......................................................................................................................................................6
b) Application of tools for scanning and footprinting....................................................................................6
c) Screenshots...............................................................................................................................................6
D. Exploitation.................................................................................................................................................12
a) Tool(s).....................................................................................................................................................12
b) Screenshots.............................................................................................................................................12
4. Problems and Recommendations...................................................................................................................15
A. Problems Identified.....................................................................................................................................15
a) Hardware Isolation..................................................................................................................................15
b) File Descriptor Attack..............................................................................................................................15
c) Misconfigurations in the System.............................................................................................................15
d) Unpatched System..................................................................................................................................16
e) Poorly secured services...........................................................................................................................16
B. Recommended Settings...............................................................................................................................16
a) Server Hardening.....................................................................................................................................16

b) Closing Un-Necessary Ports.....................................................................................................................16
c) Up-to Date System..................................................................................................................................16
d) Use of Licensed Software:.......................................................................................................................16
e) Configured and Patched Devices.............................................................................................................16
f) Induction of IDS and IPS..........................................................................................................................16
g) Security Incident and Event Management..............................................................................................17
5. Conclusion.......................................................................................................................................................17
6. References......................................................................................................................................................18

1. Supervisory Report
XYZ Company provided their website and server, including the targeted VM, to be tested against attacks. XYZ
Company asked a security firm to examine the overall security posture of their system in detail. At the time
of testing the web-based portal was in production, and a test/staging system was provided to us for testing.
The penetration testing process followed five phases: Engagement and Information Gathering, Footprinting and
Scanning, Vulnerability Assessment, and Exploitation.

The testing was carried out in April 2022 and was completed on April 25th, 2022.

A. Scenario
This is the internet age. Each day, a lot of information is released on the internet. The downside of this
perpetual availability of information, however, haunts us. During the current pandemic crisis, cyber-crime has
increased by 600% (cyber-security-statistics, 2021). A corporation wanted to test their web server against the
most up-to-date trends and security measures, as well as the most well-known and widely used exploits of the
time. As a result, the corporation contracted the security evaluation to a few penetration testers.

For their website, the company intended to protect the CIA triad's confidentiality, integrity, and availability
(Weidman, 2014). The company hoped to do this by extensively testing their website and server.

B. General Stance
The penetration testers ran several tests to examine the general or overall posture of the system, and this was
highly effective. Many vulnerabilities were detected during penetration testing, ranging in severity from low to
high. Several open ports were found that were exploitable enough to gain access to the system. To be more
specific, the vulnerable service was "vsftpd", running on port 22 of the server, which was open. An attacker
could easily gain access through the open port and exploit the vulnerability to gain access to the system. This
report includes the exploitation of the FTP service that was found vulnerable.

C. Risk Factor
Security Rank: Critical

The system was tested for vulnerability assessment, as previously discussed. Many vulnerabilities and loopholes
in the Linux-based web server were found by the pen-testers. In order to produce a real evidence document, the
pen-testers exploited the vulnerabilities noticed earlier, starting from the high-ranked vulnerabilities, which
included gaining access to the root user through backdoor command execution. In the pen-testers' opinion, if
someone is able to run code on a remote system, they can control the overall operation of that system. A user
with enough permissions can access the system just as an authorized person can, which means that gaining
access as the root user means that the battle is lost.

The pen-testers succeeded in getting that access with precision. If someone else obtained that privilege, it
might result in embarrassment and the company could lose its reputation.

D. Overall Findings
During the testing phase, it was discovered that the web server was vulnerable in a number of ways. The web
server responded to a number of scans, and the services running on its ports were exposed to users.
Moreover, some of the services on those ports were running outdated versions that were prone to exploitation
and lateral movement. It is pertinent to mention that the exploitation of the web server is also described in
the technical portion of this document.

E. Recommendation Summary
The penetration testers advised adhering to established security documents such as NIST's (Karen Scarfone,
2008). Based on the vulnerability assessment, the firm should apply secure coding mitigations from standards
such as ISO. To limit exposure to scans, the penetration testers recommended installing firewalls and intrusion
detection system (IDS) / intrusion prevention system (IPS) solutions. A company's critical files must be stored
safely; it is better to encrypt critical files before storing them. Use up-to-date versions of the services
exposed on each port. It is advised to use only licensed software and to avoid cracked or patched software.
Other recommendations are provided in Section 4 of this report.

F. Roadmap
The penetration testers divided the company's to-do list into two portions in order to safeguard the web
server. In the short-term roadmap, the testers insisted on following up on the versions of the server and the
technologies used. In the long run, the testers recommended that the organization run such tests quarterly to
determine the defensive capabilities of the web server.

2. Technical Report
This portion of the document includes the technical details and presents the results to the company's
officials, so that they can design and implement proper security controls for their systems. The pen-testers
started the testing by following the guidelines provided by Weidman in the book Penetration Testing. The
pen-testers tested the system phase by phase and went into the system in full depth. After completing the
testing of the company's systems, the pen-testers provided detailed recommendations for improving and
enhancing the overall posture of the system. The main purpose of the technical report is to provide a
bird's-eye view of the overall technical details of the system.

3. Exploitation Phases
A. Engagement
The penetration testing operation was carried out by a team of penetration testers. The testers were
approached via email by the company. The exploitation was carried out after the company's competent
authority assigned the work to the pen-testers. The scope of this engagement was limited to the use of white-hat
hacking techniques to gain access to a system. Additionally, the testers were asked to approach the systems
from various angles and to understand how malware typically gains access to systems in order to infiltrate
them. Everything was carried out in a secure environment. As a result, the penetration testers did not examine
protective controls such as proxy servers and so forth. Prior to the start of the penetration test, the firm
assumed full responsibility for any damage that might arise as a result of the activity. The firm accepted that
this risk was a necessary part of having the pen-testers safeguard their network. Furthermore, before the
exploitation, the pen-testers ensured that the organization had adequate backups. Additionally, the
penetration testers were given access to the whole network so that the assessment could be done in full detail
and depth. The company gave full assurance that any loss, tangible or intangible, ethical or financial, would be
the sole responsibility of the company and that no one would be held responsible for any loss resulting from
the overall process.

a) Scope
XYZ Company restricted the pen-testers to specific types of testing. The testers were free to use whatever
tools they chose; on the other hand, the pen-testers were limited to the default tools included with
pen-testing distributions such as Kali Linux. Except for DoS attacks and social engineering attempts, the
pen-testers were authorized to employ any technique they could think of. The pen-testers were not permitted
physical access to the network. The figure below can be referred to for the overall scope of the agreement.

Components                           Agreed/Not Agreed
Gathering Information                Agreed
Scanning                             Agreed
Vulnerability Assessment             Agreed
Penetration Testing / Exploitation   Agreed
Reporting                            Agreed
Recommendation                       Agreed

Figure 1: Scope

b) Testing Pre-Requisites
XYZ Company wants to run their systems/servers continuously. As a result, it was up to the penetration testers
to test the server at times convenient to them. The pen-testers could attempt it during or after office hours.
The office was kept open for the penetration testers.

c) Reporting Authority
All security breaches identified in the system should be reported to the firm immediately. Pen-testers were
required to create a comprehensive report for each vulnerability they discovered.

d) Payment terms
Payment is on a per-project basis, and the pen-testers were hired for the whole project. Payment is to be made
at the end of the project via bank transfer from the company account to the pen-testing company.

B. Information Gathering
a) Screenshots
The following figure shows the Kali Linux terminal while checking the firewall details of the system. The
target system's IP address is shown in the figure.

Figure 2: Target discovery

The results in the figure above show that the application is not protected by any WAF. The purpose of this step
was to ensure that, if a firewall was present, it would be dealt with first. It gives the testers a better idea
of what to bypass first and lets them document it accordingly.

C. Scanning and Foot-Printing

The testing was purely black-box testing: the pen-testers were unaware of the machines and the systems. They
knew only the network structure of the systems, the IP addresses and the MAC addresses. So the main goal was to
penetrate the machines without any prior knowledge of the system. The tools used by the testers are listed
below:

a) Tool(s)
The pen-testers used many tools for the whole pen-testing process. For scanning and reconnaissance, the testers
used the Nmap tool to scan the open ports and services of the targeted systems. Nmap's built-in options give
the testers the flexibility to get refined and useful results in a timely manner. Another scanning tool, Nikto,
was also used together with Nmap to get better insight into the network and the whole system. These tools are
available in Kali Linux by default. Nmap shows the process details and port status of the network, which helps
in identifying open ports and running services and in determining the vulnerabilities of the system. Nikto, on
the other hand, is a web application scanning tool; its main feature is to scan web applications for possible
loopholes and security issues in a very comprehensive manner. For footprinting, wafw00f was used to identify
any firewall / intrusion detection system (IDS) / intrusion prevention system (IPS) present on the servers. It
helps in getting the firewall details, version details and possible exploits of the firewalls.

b) Application of tools for scanning and footprinting

In the next section, all of the tool runs are documented as screenshots. The pen-testers were fairly certain
about a host after receiving output, but they needed to validate it by visiting the host directly. The
pen-testers then used nmap to scan the host. So, what exactly does nmap do? nmap communicates with the server
and collects data from its responses. The server assumes it is responding to genuine queries, but nmap is
attempting to map the network and gather information about the services it is running.

It collects data on port numbers, OS detection, and so on:

- State of the port
- Version of the service on the port
- Running services
- Port number for each service
- If there are any hosts, a count of them
- Details about the host
- Topology of the network

The pen-testers then chose Nikto. Nikto is a tool that detects a website's server architecture and
vulnerabilities.

c) Screenshots
In the figure below, an Nmap scan was performed and it can be seen that port 21 was found open with vsftpd
running on it.

Figure 3: Intense scan launched on web server

The scan revealed almost all the details of the target. The details are as follows: hostname, open/closed
ports, running services and OS. The open port 21 had the vsftpd service running, which the pen-testers targeted
during the exploitation stage.
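As an added example (not from the report), the following Python reads nmap's grepable output (`nmap -oG`) and produces the summary the report describes (hostname, open ports, services, OS), flagging open ports that are not on an allowlist; this is also the check behind the "Closing Un-Necessary Ports" recommendation in Section 4. The sample output, the 192.0.2.10 address, the hostname target.example and the allowlist are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -oG` (grepable) output for one host. The address,
# hostname, services and OS guess are invented for this example; they are not
# the scan results shown in the report's Figure 3.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample) as: nmap -sV -O -oG scan.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 (target.example)\tStatus: Up\n"
    "Host: 192.0.2.10 (target.example)\tPorts: 21/open/tcp//ftp//vsftpd/, "
    "22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, "
    "3306/closed/tcp//mysql///\tIgnored State: filtered (996)\tOS: Linux 2.6.X\t"
    "Seq Index: 203\n"
    "# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned\n"
)

# Services the server is supposed to expose. This allowlist is an assumption for
# the example; in an engagement it comes from the client's documented baseline.
EXPECTED_TCP_PORTS = {22: "ssh", 80: "http"}


@dataclass
class HostResult:
    address: str
    hostname: str
    os_guess: str = ""
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)


def parse_grepable(text):
    """Parse nmap grepable output into HostResult objects (TCP ports only)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.match(r"Host: (\S+) \(([^)]*)\)", line)
        if not m:
            continue
        host = hosts.setdefault(m.group(1), HostResult(m.group(1), m.group(2)))
        # The remaining tab-separated fields are "Key: value" pairs.
        for tab_field in line.split("\t")[1:]:
            key, _, value = tab_field.partition(": ")
            if key == "OS":
                host.os_guess = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # Each entry is port/state/protocol/owner/service/rpc-info/version/
                    parts = entry.split("/")
                    port, state, proto = int(parts[0]), parts[1], parts[2]
                    service, version = parts[4], parts[6]
                    if state == "open" and proto == "tcp":
                        host.open_ports[port] = (service, version)
    return list(hosts.values())


def unexpected_open_ports(host, expected=EXPECTED_TCP_PORTS):
    """Open TCP ports that are not in the allowlist, i.e. candidates for closure."""
    return sorted(p for p in host.open_ports if p not in expected)


def summarize(host):
    """Lines in the order the report describes: hostname, ports, services, OS."""
    lines = [f"Host {host.address} ({host.hostname or 'no reverse DNS'})"]
    for port, (service, version) in sorted(host.open_ports.items()):
        lines.append(f"  {port}/tcp open  {service} {version}".rstrip())
    lines.append(f"  OS guess: {host.os_guess or 'unknown'}")
    for port in unexpected_open_ports(host):
        service = host.open_ports[port][0]
        lines.append(f"  FINDING: port {port} ({service}) is not in the allowlist")
    return lines


if __name__ == "__main__":
    for h in parse_grepable(SAMPLE_GREPABLE):
        print("\n".join(summarize(h)))
```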

After nmap, the nikto command was used to detect vulnerabilities, as shown in the figure below.

Figure 4: Nikto Scan

Nikto is a very powerful tool for website vulnerability assessment, and its results so far are quite impressive.

Another built-in Kali tool, dirbuster, was used to find any useful directories. As shown in the figure above,
Nikto searched for objects already present on the system. A dictionary attack was executed against the server,
and the results are shown in the figure above. The tool contains its own wordlists, which are used to
brute-force the directories.

The penetration testers also ran dirbuster to brute-force the directory paths and observe the server's
responses, in order to learn more about the directories or files openly present on the server.

Figure 5: dirb command on target

The result shows the directory paths with response code 200, along with the size of the data in each file.

Figure 6: Scan Complete of dirb

The 200 response code shows that the directories exist and are accessible.

The penetration testers also ran the Wapiti scanner to learn more about the vulnerabilities.

Wapiti is an open source tool that checks web applications for a variety of vulnerabilities such as database
injections, file disclosures, cross-site scripting, command execution attacks, XXE injection, and CRLF injection.

Figure 7: Scan start of wapiti

The scanner is targeted at the server IP.

Figure 8: Scan Complete of wapiti

The scanner results show that the website has not implemented X-XSS-Protection, X-Frame-Options or a transport
security policy. If the Secure flag is not set and the user navigates to any HTTP URL within the cookie's
scope, the cookie will be delivered in clear text. An attacker could exploit this by getting the user to follow
suitable links, either directly or through another website.

Figure 9: Scan Complete of wapiti

The Secure flag specifies that the cookie should only be sent over a secure connection (SSL/HTTPS). If this
flag is set and the connection is plain HTTP, the browser will never send the cookie. This flag protects the
cookie against man-in-the-middle interception.
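The header and cookie checks described above, as an added example (not part of the original report and not Wapiti's own code): a small Python audit that parses a raw HTTP response and reports a missing Strict-Transport-Security header (the transport policy), a missing X-Frame-Options header, a missing Content-Security-Policy, and Set-Cookie headers lacking the Secure, HttpOnly or SameSite attributes. Both responses are constructed; the cookie name PHPSESSID and the header values are assumptions.

```python
# Constructed responses: the first resembles what the Wapiti run in the report
# describes (no X-Frame-Options, no X-XSS-Protection, no HSTS, cookie without the
# Secure flag); the second is the hardened form of the same response.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=constructed123; path=/\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: PHPSESSID=constructed123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

# Cookie attributes the audit expects, keyed by their lower-case form.
COOKIE_ATTRS = (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite"))


def parse_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_values(headers, name):
    """All values of a header (Set-Cookie may legitimately repeat)."""
    return [v for n, v in headers if n == name.lower()]


def audit_response(raw):
    """Return a list of findings; an empty list means the response passes."""
    _status, headers = parse_headers(raw)
    findings = []
    hsts = header_values(headers, "Strict-Transport-Security")
    if not hsts or "max-age=" not in hsts[0].lower():
        findings.append("missing Strict-Transport-Security (transport policy)")
    csp = " ".join(header_values(headers, "Content-Security-Policy")).lower()
    if not header_values(headers, "X-Frame-Options") and "frame-ancestors" not in csp:
        findings.append("missing X-Frame-Options (and no frame-ancestors CSP directive)")
    # The scanner flagged X-XSS-Protection; current browsers have dropped that
    # filter, so a Content-Security-Policy is the control that actually matters.
    if not csp:
        findings.append("missing Content-Security-Policy (X-XSS-Protection alone is obsolete)")
    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        # Attributes follow the first ';'; compare on the attribute name only.
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for key, label in COOKIE_ATTRS:
            if key not in attrs:
                findings.append(f"cookie {name} lacks {label}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "OK")
```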

D. Exploitation
The pen-testers found a lot of useful information about the server and the system. The details are given below:

- Server (Linux)
- IP address
- Open ports
- Services
- Accessible directories

The above results show that the systems were vulnerable and exploitable.

The pen-testers were able to retrieve the open ports and services, as well as a few directories and files, from
the system. The pen-testers attempted to remotely access several server functions, and the results were
remarkable.

a) Tool(s)
The whole test was carried out from the command line, using the default shell of Kali Linux, to gain backdoor
access to the FTP server. Another command-line tool, SearchSploit, was used for Exploit-DB; it lets you carry a
copy of the database with you. The Exploit Database repository on GitHub includes SearchSploit. The Metasploit
Framework is a penetration testing framework for writing, testing, and executing exploit code. It is a
collection of tools for testing security vulnerabilities, enumerating networks, executing attacks, and avoiding
detection.

The pen-testers described each step of the whole pen-testing procedure. All the main steps are explained with
reference to the attached figures.

b) Screenshots
To check whether the information was correct and exploitable, the searchsploit Kali command-line tool was used.
The output of the search can be seen in the figure.

Figure 10: Searching for accurate exploit

The pen-testers then looked at an exploit that can be run through Metasploit against the target server, as
shown in the figure below.

Figure 11: Exploit use on msfconsole

So, to exploit the system, they needed to set RHOSTS and the port (Figure 12). The exploit against vsftpd is
detected in Metasploit and set to be launched.

Figure 12: Setting required parameters

The RHOSTS and RPORT options are set to launch the attack (backdoor command execution) on the service running
on open port 21.

The exploit is used and run on server to gain access.

Figure 13: Exploit on FTP Service

The exploit command launches the attack on the server. The ifconfig command then verifies that the pen-tester
has entered the server as the root user.

Figure 14: Access Verification

4. Problems and Recommendations

The recommendations were derived from the pen-testers' work against the server. They were made for the active
security of the server and website. Detailed security guidance can be found in publications issued by standards
agencies such as the National Institute of Standards and Technology (NIST) (Karen Scarfone, 2008).

A. Problems Identified
These are the problems identified by the pen-testers. Each point is explained separately below.

a) Hardware Isolation
The white-hat hacker team recommended undertaking similar tests in a controlled setting, like the one used
here. This was because a single vulnerable system may jeopardize the entire network.

b) File Descriptor Attack

File descriptors are numbers, rather than filenames, that are used to track open files. Specific types of file
descriptors have implicit uses. When a program allocates file descriptors insufficiently, the associated file
becomes vulnerable and can be compromised.

c) Misconfigurations in the System

Security settings that have been misconfigured, particularly unsafe default settings, are frequently easy to
exploit.

d) Unpatched System
Critical systems must be patched every day. It is common for a system to be abused through a vulnerability for
which a fix was provided earlier.

e) Poorly secured services

The pen-testers took advantage of a poorly protected FTP service, as indicated by the results. Once you access
it and gain a foothold, for example, you will not have to run the exploit again. Permissions for files and
directories were incorrect.

File and directory permissions control the access granted to users and processes. Poor permissions could open
the door to a variety of attacks, such as reading or writing password files or adding new trusted remote hosts
to the list.

B. Recommended Settings
a) Server Hardening
Server hardening is a method of securing a server's data, ports, components, operations, and privileges by
implementing advanced security mechanisms at the hardware, firmware, and software layers.

b) Closing Un-Necessary Ports

All ports that the server does not need and that make no difference to its smooth functioning should be closed.

c) Up-to Date System

Systems should be updated regularly so that security patches are installed. System updates are released by
vendors to fix the vulnerabilities identified by the teams that handle the security of their products.

d) Use of Licensed Software:

Only licensed software should be used in the company. No one should be allowed to install unauthorized or
cracked software on any system. The problem is that cracked software often lacks the latest security updates,
and hackers usually put backdoors in such software. One such case study is CCleaner (Cnet, 2017). In that
attack, the attacker replaced the original file with a malicious one. If hackers can do this with original
software, think about what they can do with cracked copies.

e) Configured and Patched Devices

All devices should be regularly patched, and configurations should be reviewed on a regular, if not weekly,
basis. The update cadence can depend on the criticality of the system.

f) Induction of IDS and IPS

The network should be protected using intrusion detection and prevention systems. They help with deep packet
analysis and trigger alerts if something suspicious is going on.

g) Security Incident and Event Management
There should be at least a basic SIEM system for proper alerting. There are plenty of open source SIEM tools
available, such as AlienVault's OSSIM (cybersecurity AT&T, 2022).

5. Conclusion
In their closing remarks, the penetration testers indicated that a corporation should follow a standardized
authority for secure systems, such as NIST, to avoid system vulnerabilities. NIST's recommendations on secure
systems improve the security of websites and servers.

6. References

- Wapiti review (vulnerability scanner for web applications). Retrieved from https://linuxsecurity.expert/tools/wapiti/
- Metasploit Framework - Docs @ Rapid7. Retrieved from https://docs.rapid7.com/metasploit/msf-overview/
- Google search. (2021). Retrieved from Google: https://www.google.com/
- Nmap tool download link: https://nmap.org/download
- Wapiti tool. Retrieved from https://wapiti-scanner.github.io/
- Advanced Kali Linux tools: PDF Kali Linux And Linux 2021 eBook Download Full – eBook Makes
- Security-cheatsheets/nikto at master - GitHub. Retrieved from https://github.com/andrewjkerr/security-cheatsheets/blob/master/nikto/
- CCleaner hack affects 2.27 million computers, including yours? (Cnet, 2017). Case study retrieved from https://www.cnet.com/tech/computing/ccleaner-was-hacked-heres-what-to-do-next/
- AlienVault OSSIM (cybersecurity AT&T, 2022). Retrieved from https://cybersecurity.att.com/products/ossim
