Network Penetration Test Report
Executive Summary
From November 11th to December 9th, 2024, SS Pentesting conducted a Network Penetration test for Example Corporation to assess its Network security. The assessment included vulnerability scanning of all provided IPs to evaluate patching health, along with various network-based attacks to identify misconfigurations and security gaps. The test uncovered multiple critical vulnerabilities, including WebDAV misconfigurations, default credentials, and weak authentication controls, which could allow attackers to gain unauthorized access and execute remote code. This report provides an in-depth analysis of these weaknesses, their potential impact, and recommendations for remediation. For further details, refer to the Technical Findings section.
Confidentiality Statement
This document is the exclusive property of Example Corporation. This document contains proprietary and confidential information. Duplication, redistribution, or use, in whole or in part, in any form requires consent of Example Corporation or SS Pentesting. Example Corporation may share this document with auditors under non-disclosure agreements to demonstrate penetration test requirement compliance.
Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the information gathered during the assessment and not any changes or modifications made outside of that period. Time-limited engagements do not allow for a full evaluation of all security controls. SS Pentesting prioritized the assessment to identify the weakest security controls an attacker would exploit. SS Pentesting recommends conducting similar assessments on an annual basis by internal or third-party assessors to ensure the continued success of the controls.
Contact Information
Assessment Overview
The penetration test included the following phases:
- Planning – Customer goals are gathered, and rules of engagement obtained.
- Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas, and exploits.
- Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery upon new access.
- Reporting – Document all found vulnerabilities and exploits, failed attempts, and company strengths and weaknesses.
Finding Severity Ratings
The following table defines severity levels and their corresponding CVSS score ranges, which are used throughout this document. These severity levels help assess risk by evaluating the likelihood and impact of each vulnerability.
Risk Factors
Risk is measured by two factors, Likelihood and Impact.
Likelihood: Likelihood measures the potential of a vulnerability being exploited. Ratings are given based on the difficulty of the attack, the available tools, attacker skill level, and client environment.
Impact: Impact measures the potential vulnerability’s effect on operations, including confidentiality, integrity, and availability of client systems and/or data, reputational harm, and financial loss.
Scope
Scope Exclusions Per client request, SS Pentesting did not perform any of the following attacks during testing:
- Denial of Service (DoS)
- Phishing/Social Engineering
All other attacks not specified above were permitted by Example Corporation.
Client Allowances
Example Corporation provided SS Pentesting the following allowances:
- Access to the internal network via physical workstation within the facility.
Key Strength and Weaknesses
The following identifies a key strength found during this assessment:
- Responsive intrusion detection systems.
The following identifies the key weaknesses found during this assessment:
- Outdated third party software.
- Misconfiguration of services.
Vulnerability Summary & Report Card
The following table categorizes the vulnerabilities found by severity. Remediation recommendations are also provided.
Network Penetration Test Findings
Finding INT-001: WebDAV Misconfiguration Critical
Figure 1.1: Shows that php files can be uploaded and executed without needing a username/password.
Figure 1.2: Shows that remote code execution is achieved by uploading a malicious web shell.
<?php echo system($_GET['anything']) ?>
Remediation: Require authentication for all WebDAV file uploads.
Reference: How to Configure WebDAV Access with Apache on Ubuntu
Finding INT-002: Default Credentials on Tomcat High
Figure 2.1: Shows default credentials found on tomcat using Metasploit.
Figure 2.2 & 2.3: Shows remote code execution obtained by uploading a war file in tomcat manager.
Remediation: Change default credentials on tomcat to a complex password that includes a minimum character length 0f 16, a mix of uppercase and lowercase letters, special characters, and numbers.
Reference: How can I change the password for Tomcat?
Finding INT-003: CVE-2007-2447 Remote Command Injection Vulnerability High
Figure 3.1: Show a version of Samba being used.
Figure 3.2: Shows remote code execution obtained as the root user through the current version of Samba.
Remediation: Update Samba to version 3.0.24.
Reference: Samba - Security Updates and Information?
Finding INT-004: Weak Login Credentials Medium
Figure 4.1: Shows cracked credentials against an ftp server via brute force.
hydra -L passwords.txt -P passwords.txt ftp://10.0.1.3:2121 -vfI
Remediation: Ensure accounts use strong, complex passwords and implement a password policy requiring regular password updates.
Reference: How To Protect FTP Passwords From Brute Force Attacks
Finding INT-005: SMTP Enumeration Vulnerability Low
Figure 5.1: Shows 168 valid usernames found given the wordlist that was supplied.
Remediation: Disable VRFY and EXPN commands to prevent enumeration of usernames.
Reference: Disabling VRFY and EXPN commands
Conclusion
During testing, a recurring theme was server misconfigurations. We recommend that Example Corporation regularly update third party software that is used, require credentials when interacting with servers, and implement input validation and sanitization for uploading files to servers.
We recommend that the Example Corporation team thoroughly review the recommendations made in this report, correct the findings, and re-test annually to improve their overall security posture.