The report consists of 2 questions
• Qn1 being to assess the attack surface of the machine, network level attack and physical attacks and improve security.
• Qn2, provide the vulnerability of the scenario, how it may be exploited and reduce the risk of the vulnerability.
Vulnerabilities – Refer to any type of weakness in a computer system itself that leaves information security exposed to a threat.
Tools: We’ll be using Nmap, known as Network Mapper. This is a useful tool which can determine which ports are open, which operating system and version running, and what firewalls are used. It was designed to scan large networks, as well as against single host.
Basic command helps for reference
Scan using TCP connect Nmap -sT 192.168.227.3
Scan using TCP SYN scan (default) nmap -sS 192.168.227.3
Scan UDP ports nmap -sU -p 123,161,162 192.168.227.3
Scan selected ports – ignore discovery nmap -Pn -F 192.168.227.3
Qn1 Attack Surface Modelling
Identify Network Level
Before anything else, make sure we configure our network interface to the same as the victim, which in this case is Host-Only Adapter. Make sure we enable the DHCP server.
To find our ip address, we can use command #ifconfig
To determine other ip address in the same network, we can use nmap commands, #nmap 192.168.227.0/24
To find open ports, in this case, 192.168.227.3 is the target, by inserting the command #nmap -sS 192.168.227.3 (refer to fig1 for command reference), it will show the ports which are open. Hence these ports may be vulnerable to attackers.
Identify physical attack
There are several vulnerable services, and I will discuss 10 most critical from my findings. Below attached is an example of finding vulnerabilities.
1. Driver Improper Interaction with Windows Kernel Vulnerability (CVE-2010-4398) Critical- By using a stack-based buffer overflow, local users can gain privileges and bypass the User Account Control feature through a specially crafted binary value for a system registry key.
2. Windows MFC Document Title Updating Buffer Overflow Vulnerability (CVE-2010-3227)Critical – This vulnerability involves the potential for stack-based buffer overflows too. Attackers will exploit arbitrary code executed by way of a long window title, created at the request of the application by the library.
3. Windows Hyper-V Remote Code Execution (CVE-2018-0965) Critical – The root cause these bugs goes back to the failure to properly validate user input. The attacker or malware will have the ability to execute code to the guest OS, results in impacting other guest OS as well.
4. Remote Code Execution Vulnerability (CVE-2018-11776) Critical – A critical remote code execution vulnerability affecting popular web application framework Apache Struts has been discovered. The vulnerability is in the main impotency of the application and exists due to low value of validation of user-provided inputs under given configurations.
5. CVSS v3.0 Severity and Metrics (CVE-2018-0500) Critical – Buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings.
6. Linux Kernel TCP Vulnerability (CVE-2018-5309) Critical – A new security vulnerability in the Linux Kernel known as Segment Smack allows attackers to trigger the most resource-intensive code paths for TCP stream reassembly with low rates of specially crafted packets. This will lead to a remote denial of service.
7. Linux Kernel Vulnerability (CVE-2016-0728) Critical – Caused by a reference leak in the keyrings facility and it affects any Linux Kernel v3.8 and higher.
8. OpenSSL OCSP Status Request Extension Unbounded Memory Growth (CVE-2016-6304) Critical – A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.
9. Critical SQL Injection Vulnerability in SMG (CVE-2018-12464) Critical – A SQL injection vulnerability in the web administration and quarantine components in versions of Micro Focus Secure Messaging Gateway prior to 471 allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction to achieve unauthenticated remote code execution.
10. Mitigation for Remote Access Execution Vulnerability (CVE-2018-9091) Critical – Unknown remote attacker can access security protections, gain system privileges and execute elevated commands such as ls, ps, cat, hence compromising the system. Through this remote execution, the exposure of sensitive system data such as certificates, private keys and other information regarding the system may be possible.
• Install decent Anti-virus software
• Keep your computer up to date by installing patches. This will likely to be compromised because of the updates of the regular operating system. Also, to schedule regular maintenance every now and then. This makes attackers a hard time to exploit through the system.
• Reduce the level of permissions for network users, this is because it may be exposed to the public. The smaller the administration of the system, the safer it is from being exploited.
• Wide open database is vulnerable to the system, hence segmenting the database helps to reduce the exposure to many people, leads to better security.
Qn2 Legacy code
Type of vulnerability
An example of vulnerability is a SQL Injection Attack. It consists of insertion or in other words “injection” of a SQL query via the input data from the client to the application. In this case, a fake credit card number will be inserted successfully because injection exploit can read sensitive data from the database, modify database data via inserting, updating and deleting. Attackers will execute the operations on the database such as shutting off the DBMS, recover the content of a given file on the file system. SQL injection attacks are a type of injection attack which SQL commands are injected into input to affect the execution of premade SQL commands.
SQL injection attacks allow attackers to deceive their identity, causing damage with existing data, causing repudiation issues such as cancelling the transactions or changing balances, destroy the data or make it unavailable for the users.
From the cc validation folder, when we open the exe application file straight, it will terminate when we enter the values. To prevent, other alternative is to open the exe file from command prompt as shown below. It will validate the the values we keyed in.
Attached below shows number of values more than the required 16 characters.
Reduce risk of the vulnerability
• Use of Stored Procedures
Another benefit is security. With sensitive data, such as financial, human resource, or medical information, you can’t just give anyone access to tables directly. Running the stored procedures allows for querying, but also provides logs and history of the actions, so you can trace who was looking at what data. That is, you can allow the end user (or other program) to input specific criteria for running the procedure. For example, if a stored procedure is built to query data for a certain payroll cycle, a parameter can be added to input the check date. The check date is passed into the SQL statements.
• White List Input Validation
White list input Validation is an approach to input that is known to be good. This can involves validating values, length , size, or any format before accepting the input for further processing. In this example, the credit card value is supposed to be 16 digits long.
• Escaping All User Supplied Input
Each DBMS supports one or more-character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.
Every day, vulnerabilities are found used software products. A network scanner like Nmap, which is used to scan the network and report any identi?ed vulnerabilities, can be critical, high, medium and low risk. It is deals with two important aspect of network security, which is network scanning and vulnerability assessment.
Network scanning includes identi?cation of active hosts in the network, which OS is installed on them, and what services are running on them. This project was an excellent primer when implementing network security, but it was not without its challenges.
In conclusion, to prevent any types of attacks, we should uphold a high security measures in our system, like insa