Offensive Technologies

Transcription

1 University of Amsterdam System and Network Engineering Offensive Technologies OS3 Network Security Assessment Students: Peter van Bolhuis Kim van Erkelens June 1, 2014

2 Executive Summary Being a security oriented education, OS3 should set an example in their practices. As a means of checking the current status, a network security test was performed. The first phase was scanning for live hosts and their ports. A subset of hosts was excluded from this, as defined in 1.1. Phase two was scanning the live hosts that resulted from phase one for vulnerabilities using the tools Nessus, Nexpose and Nikto. This resulted in a list of possible vulnerabilities for each host. The most critical vulnerabilities were manually verified. The third and last phase was to exploit the verified vulnerabilities. This was done in cooperation with the systems administrator, to allow for quick response in case of unforeseen events. The main result is outdated software running on multiple machines. Next to that several information leakage vulnerabilities are found. Among those are leakage of DNS entries and LDAP data. The first finding constitutes the highest risk for OS3 because those systems are vulnerable for exploits. It is advised to update the outdated systems and apply security patches automatically. Priority should be given to the systems that are reachable from the outside. However, exposure to the outside should be minimised in order to reduce the attack vector. I

3 Contents 1 Introduction Scope Methodology Information gathering Vulnerability identification Exploiting Results Outdated software NSEC zone walking LDAP anonymous directory access permitted Anonymous FTP access Web application information leakage Install.php with full path disclosure Directory indexing enabled Conclusion 7 A OS3 core systems 9 B Services state from outside 10 C Risk calculation 16 II

4 1 Introduction Systems and Network Engineering (SNE/OS3) at the University of Amsterdam is a security-focused education. This means staff and students should set an example in their security practises. This research sets out to find out what the status of the security of the OS3 network is. After looking at possible security flaws, ways to mitigate them will be listed. The open environment of the OS3 education will be taken into account when listing the ways to fix the security problems. The research question for this project is: What is the state of the security of the OS3 network and how can it be improved without creating an unworkable environment for students? In order to answer the research question, the following sub-questions will be answered: What vulnerabilities are present in the OS3 network? What is the risk for the vulnerabilities that were found? How can the vulnerabilities be mitigated? 1.1 Scope Because of privacy concerns, not the entire OS3 net block is scanned. The addresses in Table 1 will be excluded from the security assessment. Furthermore, the exploiting is only attempted at the OS3 core. This means that the student desktops and servers are scanned but not exploited. Function IPv4 IPv6 Hosting (3rd parties) / :610:158:980::/60 Staff network / :610:158:1000::/64 Student laptops (1st floor) / :610:158:1020::/64 Student laptops (3rd floor) / :610:158:1021::/64 Student desktops (1st floor) / :610:158:1023::/64 Student desktops (3st floor) / :610:158:1022::/64 Guest network (C3.150) / :610:158:1029::/64 Table 1: Restricted IP addresses 1

5 2 Methodology This section describes the approach for performing the security assessment of the OS3 network. All three phases are described in the following subsections. For performing the tests, two servers were assigned and the administrators were notified. All scans originated from these servers, unless mentioned otherwise. 2.1 Information gathering The first phase is the gathering of information about the systems that are to be tested. A lookup reveals that the netblock that is to be tested is /20. However, the exclusions mentioned in 1.1 apply. Information regarding the systems within the scope is obtained with the following tools: Nmap Nsecwalker Network exploration tool and security/port scanner. Tool to walk DNS NSEC information. To help us test the most important systems, the administrator provided a list of servers that were most interesting. These are listed in Appendix A. 2.2 Vulnerability identification The hosts discovered during the first phase will be subjected to more intense scanning. This scanning will include scanning for outdated versions, open services and vulnerable services. This will be done with one or more of the following tools: Nessus Nexpose Nikto Nessus is a vulnerability scanning tool that will check for outdated versions of software with known vulnerabilities. As a second tool, Nexpose will be used. This scan will verify results Nessus gave and will also report vulnerabilities Nessus may have missed. The combined results will be checked to filter out the most critical vulnerabilities. These vulnerabilities are verified to exist manually. Both Nessus and Nexpose only check for software versions and network related vulnerabilities. To account for vulnerabilities via web applications, Nikto is used. Nikto is a web application vulnerability scanner that will scan for a range of vulnerabilities in websites and web servers. It will be configured to scan all hosts with ports 80 and 443 open. The results of Nikto will also be verified manually. All found vulnerabilities will be graded using Common Vulnerability Scoring System (CVSS) [1]. Vulnerabilities with a score higher than seven will be marked as high. Between three and seven will be marked as medium. Anything lower will be marked low risk. 2

6 2.3 Exploiting After identification and verification vulnerabilities, the found vulnerabilities are exploited. In this exploit phase, the scope is limited to exploits that grant privilege escalation or access to information that should be limited. Denial of service attacks will not be performed, as bringing down the hosts is not the goal of this research. 3

7 3 Results This section documents the results of the scan after verification. Only the verified and more critical results will be listed here. A more complete overview of the results can be found in a separate attachment. The risk calculation based on the CVSS can be found in Appendix C 3.1 Outdated software Asset(s): see Appendix A Accessible: see Appendix B Risk: High Several systems are running outdated software. The systems that are not reachable from the outside have a lower risk. However, one needs to take into account that when another system in the network is compromised those core systems are reachable as well. The systems should be updated and security patches should be applied, preferably automatically. 3.2 NSEC zone walking Asset: / / ns1.os3.nl / ns2.os3.nl Accessible: Outside OS3 Risk: Medium While running DNSSEC, the server supports NSEC instead of NSEC3, enabling zone walking of the domains. This results in information leakage of all DNS entries. It may give attackers additional information, especially since the DNS server lists entries of the private admin network. By enabling NSEC3 instead of NSEC, pointers to next domains will be changed to hashes of domains. This makes zone walking next to impossible, without removing the ability to proof a domains (non-)existance. 3.3 LDAP anonymous directory access permitted Asset: / ldap1.serv.os3.nl Accessible: Outside OS3 Risk: Medium The Lightweight Directory Access Protocol (LDAP) provides information about students and teachers such as user-names and addresses. The LDAP service on this system allows anonymous connections from outside the OS3 network. This results in information leakage and can assist a malicious user in a brute force attack or the sending of spam. Proof: ldapsearch -h x -b "dc=os3,dc=nl" For OpenLDAP, slapd.conf has to be modified by including defaultaccess none. Additional entries have to be created for permitting access to specific groups of users [2]. 4

8 3.4 Anonymous FTP access Asset: ( Accessible: Outside OS3 Risk: Low The FTP server on this system allows anonymous authentication. The anonymous user has write permissions for the incoming directory, and read permissions for the other directories. Anonymous FTP access should be disabled if it s not a critical functionality [3]. 3.5 Web application information leakage Assets: (intranet.os3.nl) / ( Accessible: Outside OS3 Risk: Medium A partial sitemap of the intranet website, which is based on DokuWiki, can be viewed. This is also possible for the OS3 wiki. That will show the names of all previous students since 2006 among other information about the education. This exploit uses the DokuWiki action modes, invoked by the do query string. A full list of possible actions can be found on the DokuWiki website: Proof: The DokuWiki settings should be changed accordingly in order to minimise information leakage. 3.6 Install.php with full path disclosure Asset: (intranet.os3.nl) Accessible: Outside OS3 Risk: Medium An installation file was found on the web server. It discloses the full path to the root when the page is forced to generate error output by manipulating its query string. This information can be used in further attacks, such as directory traversal or file inclusion [4]. Proof: Installation files should be removed after installation, or be password protected [5]. display_errors should be disabled in production environments. log_errors could be used instead. 5

9 3.7 Directory indexing enabled Asset: (yang.os3.nl) Accessible: Directory only local, but Apache also from outside OS3 Risk: Low Directory indexing is enabled for this system. The page below can be viewed when inside the network. Proof: Directory indexing should be disabled if it s not necessary for the functionality of the system. 6

10 4 Conclusion The central research question reads: What is the state of the security of the OS3 network and how can it be improved without creating an unworkable environment for students? Three sub-questions are set in order to answer this question. What vulnerabilities are present in the OS3 network? The vulnerabilities described in this report are a selection of the scan results after verification. Most of them are information leakage vulnerabilities. This means that they expose sensitive data which can help an attacker in launching further attacks. Among the attack vectors are the OS3 core systems. Some of them run outdated software, which makes them vulnerable for exploits. What is the risk for the vulnerabilities that were found? The outdated and unpatched software constitutes the highest risk for OS3. The risks for the systems that are not reachable from the outside are lower. However, those core systems are reachable when another system network is compromised. The information leakage vulnerabilities have a medium or low risk depending on the information that is leaked. How can the vulnerabilities be mitigated? It is advised to update the outdated systems and apply security patches automatically. Priority should be given to the systems that are reachable from the outside. However, exposure to the outside should be minimised in order to reduce the attack vector. This can be achieved by configuring a firewall. A VPN can be setup in order to keep access to the OS3 systems from outside the network. This results in an environment that is still workable for students. Another recommendation is to perform a periodic scan of the network in order to have an up-to-date knowledge about the state of its security. 7

11 References [1] National Institute of Standards and Technology. Common Vulnerability Scoring System Version 2 Calculator url: cvss.cfm?calculator&version=2. [2] Rapid7. Nexpose Vulnerability Information. [3] National Institute of Standards and Technology. Vulnerability Summary for CVE url: detail?vulnid=cve [4] OWASP. Full Path Disclosure url: https : / / www. owasp. org / index.php/full_path_disclosure. [5] Open Sourced Vulnerability Database (OSVDB). 3092: Multiple Web Server Interesting Web Document Found url: osvdb/

12 A OS3 core systems Table 2: OS3 core servers Remarks N. Sijm Address Name OS3 CSR router.serv.os3.nl Yin yin.os3.nl Yang yang.os3.nl Tummi dns1.serv.os3.nl mail.serv.os3.nl ldap1.serv.os3.nl tummi.os3.nl ns1.os3.nl imap.os3.nl smtp.os3.nl Zummi intranet.os3.nl dns2.serv.os3.nl ldap2.serv.os3.nl zummi.os3.nl hp4u.os3.nl hosted4u.os3.nl info4test.os3.nl ns2.os3.nl Sunni sunni.os3.nl VM on Sunni shell.staff.os3.nl VN on Sunni vpnsmurf.os3.nl Grammi nfs.serv.os3.nl software.serv.os3.nl grammi.os3.nl SuperMicro NAS storage.serv.os3.nl 9

13 B Services state from outside $ nmap /24 Starting Nmap 5.51 ( ) at :54 CEST Nmap scan report for router.serv.os3.nl ( ) Host is up (0.0017s latency). Not shown: 999 closed ports 23/tcp open telnet Nmap scan report for ipv6launch.nl ( ) Host is up ( s latency). Not shown: 997 closed ports Nmap scan report for intranet.os3.nl ( ) Host is up ( s latency). Not shown: 995 closed ports 443/tcp open https Nmap scan report for nfs.serv.os3.nl ( ) Host is up ( s latency). Not shown: 997 closed ports 8002/tcp open teradataordbms Nmap scan report for software.serv.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports 8002/tcp open teradataordbms Nmap scan report for dns1.serv.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports 10

14 21/tcp open ftp 53/tcp open domain Nmap scan report for dns2.serv.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports 53/tcp open domain Nmap scan report for mail.serv.os3.nl ( ) Host is up ( s latency). Not shown: 995 closed ports 21/tcp open ftp 25/tcp open smtp 465/tcp open smtps Nmap scan report for ldap1.serv.os3.nl ( ) Host is up ( s latency). Not shown: 995 closed ports 21/tcp open ftp 389/tcp open ldap 636/tcp open ldapssl Nmap scan report for ldap2.serv.os3.nl ( ) Host is up ( s latency). Not shown: 997 closed ports Nmap scan report for yin.os3.nl ( ) Host is up ( s latency). Not shown: 998 closed ports Nmap scan report for yang.os3.nl ( ) 11

15 Host is up (0.0026s latency). Not shown: 986 filtered ports 22/tcp closed ssh 53/tcp closed domain 113/tcp closed auth 443/tcp open https 631/tcp closed ipp 2049/tcp closed nfs 5900/tcp closed vnc 5901/tcp closed vnc /tcp closed vnc /tcp closed vnc /tcp closed unknown 32768/tcp closed filenet-tms Nmap scan report for tummi.os3.nl ( ) Host is up ( s latency). Not shown: 997 closed ports 21/tcp open ftp Nmap scan report for zummi.os3.nl ( ) Host is up ( s latency). Not shown: 997 closed ports Nmap scan report for sunni.os3.nl ( ) Host is up (0.0011s latency). Not shown: 998 closed ports 8002/tcp open teradataordbms Nmap scan report for grammi.os3.nl ( ) Host is up ( s latency). Not shown: 997 closed ports 8002/tcp open teradataordbms Nmap scan report for shell.staff.os3.nl ( ) 12

16 Host is up (0.0010s latency). Not shown: 995 closed ports 5222/tcp open xmpp-client 5269/tcp open xmpp-server 5280/tcp open xmpp-bosh Nmap scan report for vpnsmurf.os3.nl ( ) Host is up ( s latency). Not shown: 999 closed ports 443/tcp open https Nmap scan report for ns1.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports PORT 21/tcp open ftp STATE SERVICE 53/tcp open domain Nmap scan report for ( ) Host is up ( s latency). Not shown: 995 closed ports 443/tcp open https Nmap scan report for hp4u.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports Nmap scan report for hosted4u.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports 13

17 2049/tcp open nfs Nmap scan report for ftp.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports 21/tcp open ftp Nmap scan report for info4test.os3.nl ( ) Host is up ( s latency). Not shown: 995 closed ports 443/tcp open https Nmap scan report for ns2.os3.nl ( ) Host is up ( s latency). Not shown: 996 closed ports 53/tcp open domain Nmap scan report for storage.serv.os3.nl ( ) Host is up ( s latency). Not shown: 995 closed ports 443/tcp open https Nmap scan report for imap.os3.nl ( ) Host is up ( s latency). Not shown: 993 closed ports 21/tcp open ftp 25/tcp open smtp 443/tcp open https 14

18 993/tcp open imaps Nmap scan report for smtp.os3.nl ( ) Host is up ( s latency). Not shown: 994 closed ports 21/tcp open ftp 25/tcp open smtp 465/tcp open smtps 587/tcp open submission Nmap done: 256 IP addresses (28 hosts up) scanned in seconds 15

19 C Risk calculation Finding CVSS score Risk Outdated software 2-10 High NSEC zone walking 5 Medium LDAP anonymous directory access permitted 5 Medium Anonymous FTP access N/A* Low Web application information leakage 5 Medium Install.php with full path disclosure 4.3 Medium Directory indexing enabled 2.1 Low Table 3: Calculated risk for each finding * Not a vulnerability and no measurable impact 16