Information Security Penetration Test Merideth Moore March 25, 2019
TABLE OF CONTENTS
INTRODUCTION: 4
PREPARATION: 5
ENGAGEMENT SUMMARY: 6
DETAILED FINDINGS: 8
RECONNAISSANCE FINDINGS: 8
SCANNING FINDINGS: 11
VULNERABILITY SCANNING FINDINGS: 15
CONCLUSION: 19
APPENDIX A: CARELINE SCREENSHOTS 20
CareLine | 2
1 INTRODUCTION
INTRODUCTION: In a world that is dependent on technology and web applications, cybersecurity attacks have been on the rise. According to Positive Technologies Security, in 2017 there were 350,000 various cybersecurity attacks. Of these 350,000 attacks, web applications in the healthcare industry were the most targeted due to their confidential patient data and the ability of hackers to hold this information for blackmail. While cybersecurity attacks and statistics are alarming, this has not stopped the growth of web applications. Of the many new web applications that are developed yearly, CareLine was released in 2018. CareLine is a sleek and modern web application that features built-in calendar updates for office appointments, text and video chat, and email notifications with automated updates. CareLine was created as a Senior Design project by Merideth Moore, Garrett Souders, and Jeremy Thomas. Merideth, Garrett, and Jeremy built the application as a way to increase communication not only between families and their relatives in long-term care situations, but also between families and the facilities’ caretakers. As with any release of a web application, running a penetration test on the application is a critical step to ensure that it is secured with modern application tools and is not vulnerable. Additionally, this test was used to ensure that CareLine met the defined security requirements for all roles and that the application was ready for production deployment.
PREPARATION: To complete the CareLine Information Security Penetration Test, I (Merideth Moore) worked closely with Jeremy, our Testing Lead on the project, to develop a concise and adequate spreadsheet with detailed security activities that would allow us to evaluate the risk of a breach for CareLine. Preparing the spreadsheet involved evaluating multiple security techniques from various educational resources as well as analyzing the correlated Health Information Privacy Accountability Act (HIPAA) standard. After analyzing this critical information together, I compiled a final set of standards that would be followed for the test:
Upon having a completed set of standards for the test, as well as conditions that needed to be met, I set up the initial virtual machines that were used to execute the test. Overall, one virtual machine running Kali Linux was configured to run a significant portion of the test, and a second virtual machine running Windows 10 was configured to run secondary tasks that Kali Linux could not handle. Together, all of this preparation allowed me to be prepared for the test and execute it at the highest rate.
ENGAGEMENT SUMMARY: Over the course of 28 days, I (Merideth Moore) conducted a penetration test to evaluate CareLine. My test began on February 18, 2019 and concluded on March 17, 2019. The scope of my penetration test included completing several exercises through various security methods as well as intensive research through useful security documents. OSINT (Open Source Intelligence Network Tools) gathering was executed on CareLine’s website (www.carelinetechnology.com) via Passive Reconnaissance. Active Reconnaissance was utilized on the Nmap Security Scanner Project’s free service at www.scanme.nmap.org. During the execution of this test, I utilized multiple sandbox systems (Kali Linux and Windows) to gather results. Additionally, the tools Google Dorks and Nmap were utilized during the penetration test.
2 DETAILED FINDINGS
DETAILED FINDINGS: The following sections on Reconnaissance, Scanning, Vulnerability Scanning, Traffic Analysis, and Exploitation present the detailed description of findings for each method that was utilized during my penetration test, as well as background on the use of each technique and the tools involved.
RECONNAISSANCE FINDINGS: The beginning of my Penetration Test involved utilizing open source intelligence gathering. Otherwise known as Reconnaissance, this is the process of intelligence collection by finding, selecting, organizing, and analyzing information that is available via a public source. Reconnaissance includes three different types of techniques, which are passive, semi-passive, and active. Passive Reconnaissance is the technique of ensuring you are not discovered by the target organization while gathering information. This would include activities such as browsing Google cache or examining public forums to see where technologists describe issues with their technology while using their work email address. Semi-passive Reconnaissance is utilizing popular web applications and their capabilities, such as Shodan.io, Censys, or ZoomEye, to gather information that is detectable in banners when searching. Active Reconnaissance is the technique in which you are likely to be discovered by the target while gathering information. Activities that are Active Reconnaissance would include doing DNS reverse lookups, zone transfers, and searching for unpublished directories. During this specific test, I utilized the Passive and Semi-Passive Reconnaissance techniques to gather information regarding CareLine’s website of www.carelinetechnology.com.
Screenshot 1:
As presented in Screenshot 1, I was able to immediately uncover CareLine’s exact domain through the use of the following queries:
- site: filters results to return certain websites/domains
- inurl: filters results to return the given phrase of words in the designated URL
In addition to utilizing Google Dorks, I also made use of the Semi-Passive Reconnaissance techniques of Shodan.io and WHOIS to gather additional critical information on CareLine’s website and how it is being hosted.
Screenshot 2:
Screenshot 3:
As presented in Screenshots 2 and 3, Shodan.io and WHOIS were utilized to gather raw data on the domain of CareLine. This information was important as it presented the public information on the domain that could be used against the website in an attack. However, since the domain was bought and privately protected, I was only able to uncover very general information on the web application, such as where the domain name was purchased (Namecheap), the domain expiration date (October 25, 2019), and the server platform (DigitalOcean). While this information was helpful in understanding the background of the web application, it also displayed how secure the web application truly is. CareLine is protected on the outside and is challenging for any excellent security analyst to hack or corrupt.
SCANNING FINDINGS: The second part of my Penetration Test involved utilizing various scanning techniques to identify open ports and the operating system for CareLine. There are three common scanning tools for identifying open ports, which are Nmap, Masscan, and Xprobe2. Nmap is a popular free (open source) scanning tool that is utilized for discovering networks and for security auditing services. Nmap allows penetration testers to gather information by scanning large networks or single hosts. Masscan is an extremely fast Internet port scanner that utilizes a custom TCP/IP stack for server and switch detection. Xprobe2 is an active tool which aims to interact with and analyze remote systems. Xprobe2 also focuses on comparing returned signatures to known databases and providing operating system detection. During this test, I utilized the common tool Nmap, which allowed me to scan and identify the open ports on the target as well as the operating system and host. Screenshots 4, 5, 6, and 7 below present my findings:
Screenshot 4:
Screenshot 5:
Screenshot 6:
Screenshot 7:
As presented in Screenshot 4, I ran the command nmap -T4 -F www.carelinetechnology.com, which allowed me to determine that the target carelinetechnology.com has 97 filtered ports and that ports 22 (SSH), 443 (HTTP over SSL), and 1433 (MS-SQL-S) are all open. Of these ports, ports 22 and 443 were opened to pass secure traffic and 1433 was used for database purposes, as SQL is defined as the database. Having port 1433 open presents a vulnerability for the application, as it provides direct access to the database and gives a potential hacker an additional route into the application. In regard to Screenshot 5, the command nmap -p 1-65535 -T4 -A -v www.carelinetechnology.com was executed to run a general informational scan on the application that was intense and included all TCP ports. This was critical as it allowed me to see which TCP ports were left open and presented vulnerabilities. In this case, after viewing the results, there were no major ports open and no concerns for CareLine.
Lastly, for Screenshots 6 and 7, upon the completion of the scans, general information was returned on the host of the application. As visible in Screenshot 6, I was able to gather a “fish eye” view of the application and how it is being hosted. Given the screenshot, we can tell that the application is being hosted on one single computer with the IP address 69.55.55.228. This information is important and fairly alarming, as it gives a potential way in for a hacker. Additionally, in Screenshot 7, I was also able to gather additional details on the rest of the ports and the operating system (Not Available). This was great and showed extreme security, as the application did not have any major open ports or an operating system that could be exploited easily. With Nmap and the several commands utilized above, a TCP scan was conducted rather than a UDP scan. Using a TCP scan was desirable as it is faster than a UDP scan. A TCP scan can be executed quickly and is able to scan thousands of ports in seconds without being impeded by firewalls or other barriers. UDP scanning is considered undesirable since it typically involves sending a packet to each targeted port, which causes it to be extremely slow in comparison to TCP.
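As an added example (not part of this report or of the CareLine project), the following Python script parses Nmap's grepable output (the -oG format) and flags open ports that belong to services which should not normally be reachable from the Internet, such as the MS SQL port 1433 noted above. The sample scan text is constructed to mirror the ports listed in this section and is not real output from the CareLine host; the list of risky ports is the example's own choice, and the hostname target.example is a placeholder.

```python
"""Flag exposed service ports in Nmap grepable (-oG) output.

Added example, not part of the CareLine report. It assumes a scan was saved
with `nmap -oG scan.gnmap ...`; the sample below is constructed to mirror the
ports the report lists (22, 443, 1433) and is not real scan data.
"""
import re

# Constructed sample of `nmap -oG` output (not a real scan result).
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -T4 -F -oG scan.gnmap target.example
Host: 192.0.2.10 (target.example)\tStatus: Up
Host: 192.0.2.10 (target.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (96)
# Nmap done at (placeholder)
"""

# Ports that should normally be reachable only from inside the network.
# A database or admin service exposed on a public host widens the attack
# surface, which is the concern the report raises about port 1433.
RISKY_PORTS = {
    1433: "MS SQL Server",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    3389: "RDP",
}

# Matches the "Host: <ip> (<name>)  Ports: ..." lines of the grepable format.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {(ip, hostname): [(port, state, proto, service), ...]}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no ports
        ip, name, ports_field = m.groups()
        entries = []
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            # grepable port fields: port/state/protocol/owner/service/rpc/version
            if len(fields) < 5:
                continue
            entries.append((int(fields[0]), fields[1], fields[2], fields[4]))
        hosts[(ip, name)] = entries
    return hosts


def exposed_risky_ports(hosts):
    """List (ip, port, label) for open TCP ports that are in RISKY_PORTS."""
    findings = []
    for (ip, _name), entries in hosts.items():
        for port, state, proto, _svc in entries:
            if state == "open" and proto == "tcp" and port in RISKY_PORTS:
                findings.append((ip, port, RISKY_PORTS[port]))
    return findings


if __name__ == "__main__":
    for ip, port, label in exposed_risky_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}: port {port} ({label}) is open to the scanner; restrict it")
```

Filtered ports are deliberately ignored: only a port that actually answered as open is reported, so the 3389 entry in the constructed sample produces no finding while 1433 does. Pointing the script at a real -oG file from the scans described above would give the same kind of list for the host under test.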
VULNERABILITY SCANNING FINDINGS: It is important to acknowledge that there are three common network vulnerability scanning tools, which are Nessus, Nexpose (InsightVM), and OpenVAS. Each of these tools has a unique set of features that provide security professionals and penetration testers with the ability to identify vulnerabilities. Having a good grasp of and an ability to utilize common network vulnerability scanning tools is critical for anyone, since a penetration tester can utilize a payload such as Meterpreter to exploit the vulnerabilities on any system. Common network vulnerability scanning tools can help us identify these vulnerabilities early, before they are eventually exploited. In addition to common network vulnerability scanning tools, there are also three common web vulnerability scanning tools, which are AppScan, AppSpider, and Acunetix WVS. For CareLine, several vulnerability scanning techniques were used against the application to test its security in addition to the scan. As shown in Screenshot 8, the login page of CareLine was tested using various password cracking techniques and login information. These attempts were unsuccessful: there was no way to exploit the login screen and gain access to the application without having a created username and password.
Screenshot 8:
In addition to attempting to get access to the application, three other attacks were attempted against CareLine. The first attack was Cross Site Scripting (XSS). XSS is an injection attack in which malicious code is inserted into the web application through its inputs. In this particular test, a simple injection was created and executed against CareLine, but was not successful. The results of this test concluded that CareLine was secure from XSS attacks. The second attempted attack on CareLine was a SQL Injection. Just like XSS, this is another form of utilizing malicious input to disrupt the web application. In the case of CareLine and this test, a SQL Injection was attempted because the primary database for CareLine is SQL. Any SQL Injection that comes from outside hackers could potentially destroy the entire web application, and doing a pre-test of this before a real occurrence is critical. As displayed in Screenshot 9, the final results of our test were that we utilized a modified SQL Injection code and ran this against the application. Overall, CareLine was able to withstand the modified SQL Injection and displayed great security for the future.
Screenshot 9:
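The SQL Injection test described above checks whether the login query treats user input as data rather than as part of the statement. The following Python example is added here and is not CareLine's code: it builds a throwaway in-memory SQLite table with a constructed user, shows a login written with string concatenation beside one written with parameter placeholders, and runs the same probe against both so a developer can see which form a tester's probe would defeat. The table name, salt, user and probe string are all constructed for the demo.

```python
"""Login query with string concatenation versus parameter placeholders.

Added example, not code from CareLine. It assumes a SQL database with a
users table; the in-memory SQLite table and its single user are constructed
for the demo so it runs offline.
"""
import hashlib
import sqlite3


def pw_hash(password):
    """Demo hash only: a real application should use a slow, salted KDF
    such as bcrypt or Argon2. The salt value here is constructed."""
    return hashlib.sha256(b"demo-salt" + password.encode()).hexdigest()


def make_db():
    """Constructed users table with one account (alice / 'correct horse')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", pw_hash("correct horse")))
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker-controlled text becomes part of the SQL,
    so a quote in the username changes the statement itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Placeholders: the driver sends the values separately from the
    statement, so quotes and comment markers are only data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row is not None


# Constructed probe: a quote closes the literal and "--" comments out the
# password check. A login function that accepts this with a wrong password
# has failed the same kind of test the report describes.
PROBE_USERNAME = "alice' --"


def bypassed_by_probe(conn, login_fn):
    """True if the probe logs in without the correct password."""
    return login_fn(conn, PROBE_USERNAME, "wrong password")


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_parameterized):
        print(f"{fn.__name__}: bypassed={bypassed_by_probe(db, fn)}")
```

Running the block shows the concatenated query accepting the probe while the parameterized one rejects it. The same regression check can be kept in a test suite so that a later change to the login code cannot silently reintroduce concatenation.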
The final attack that was performed was a directory traversal. A directory traversal is a specialized Hyper Text Transfer Protocol (HTTP) attack that allows hackers to gain access to the critical directories of a web application. For CareLine, the heart of the project rests within the directories, and ensuring that they are secure is important. An attempted directory traversal attack was run against CareLine and did not succeed. The attack was not able to gain access to the critical directories and there was no disruption to the application. In total, the directory traversal attack was unsuccessful, which supports the conclusion that CareLine is secured.
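The directory traversal test above targets the step where a request path is mapped to a file on disk. As an added example (not CareLine's code), the following Python function resolves a requested path under a fixed base directory and refuses anything that escapes it, including percent-encoded dot segments; the small demo tree is created in a temporary directory and is constructed for the example.

```python
"""Reject path traversal when serving files from a fixed directory.

Added example, not CareLine code. It assumes the application maps a URL
parameter to a file below a base directory; the demo tree is constructed.
"""
import os
import tempfile
from urllib.parse import unquote


def resolve_under(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None if it
    escapes. The request is percent-decoded first so encodings such as
    %2e%2e%2f are seen as '../', and realpath collapses '..' and follows
    symlinks before the containment check is made."""
    base = os.path.realpath(base_dir)
    # Strip a leading separator so os.path.join does not discard the base.
    rel = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def make_demo_tree():
    """Constructed layout: one public file, one secret outside the web root."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>ok</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for the web")
    return root, public


def serve(public_dir, requested):
    """Return (status, body): the file when it is inside public_dir and
    exists, otherwise 404 with an empty body."""
    path = resolve_under(public_dir, requested)
    if path is None or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


if __name__ == "__main__":
    _root, public = make_demo_tree()
    for req in ("index.html", "../secret.txt", "%2e%2e/secret.txt"):
        status, _body = serve(public, req)
        print(f"{req!r} -> {status}")
```

Checking containment with os.path.commonpath on the resolved path, rather than looking for the literal string "..", is what makes the encoded and symlinked variants fail as well; a blocked request is answered exactly like a missing file so the response does not reveal which paths exist outside the web root.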
3 CONCLUSION AND APPENDIX
CONCLUSION: In conclusion, a penetration test was conducted that included utilizing various technical methods such as OSINT and performing Passive Reconnaissance as well as Active Reconnaissance. Additionally, intensive research and written answers were provided to answer general penetration testing questions. This experience was very successful in displaying the strong security of the web application and allowed me to attempt new security techniques that were closely related to what I’ve been learning in school over the past five years. As I continue to move forward with my career, I feel that this experience will allow me to display the importance of security professionals like myself, but also allow others to see how important it is to use and care about information security. This application, if not secured properly, could easily have been attacked. Having an understanding of the techniques and valuing this in any organization is critical and demonstrates an extreme reason for all parties to care. Overall, this was a great and fun way to turn the last of my Senior Project into a security project as well. I believe that the execution and research of techniques that I was able to do was important and it allowed me to grow in a personal and professional sense. It was great completing this project and I look forward to doing more of these in my future career.
APPENDIX A: CARELINE SCREENSHOTS
The following screenshots are a general overview of the CareLine Application that was built for the senior project.
Home/Marketing Page:
Caretaker Dashboard:
Patient Page:
Clinic Page: