DOCUMENT INFORMATION
Basic information
Format:
Pages: 35
Size: 2.32 MB
Contents
Penetration Test Report 1 | Page

ACME, Inc
Wireless Security Assessment Report
July 15, 2008

Table of Contents
1.0 Executive Summary 4
2.0 Corporate Profile 5
3.0 Reporting and Assessment Methodology 6
3.1 Assessment Methodology 7
Methodology 7
Tools Used 8
3.2 Reporting Methodology 9
Structure 9
Understanding the Findings 9
4.0 Assessment Scope 11
5.0 Findings and Recommendations 12
5.1 DREAD Scoring Criteria (Key) 13
5.2 DREAD Composite Risk Categories (Key) 14
5.3 Remediation Effort Level (Key) 14
5.4 Findings Matrix 15
5.5 Critical Findings and Vulnerabilities 16
Finding: Open Access Point (ACME) 17
Finding: WEP Encryption in use (ACMENC) 19
6.0 Assessment Details 21
Recon Phase 22
Attack Phase 25
Network Survey Phase 27
7.0 Appendix A: Project Plan 29
8.0 Appendix B: Attack Model 30
9.0 Appendix C: Range Maps 31
Beverly Hills Headquarters 32
Beverly Hills District Office 34
Beverly Hills Training Facility 35

Customer Information
Company Name: ACME Inc
Contact Name: Michael Bolton
Title: Manager
Telephone:
E-mail: Michael@ACMEINC.com
Business Address: 2100 Rockefeller Boulevard Suite 19B Mailstop 6
City: Beverly Hills
State/Province: CA
ZIP: 90210
URL: Http://www.acme-not-a-real-domain.com

Consultant Information
Company Name: Rapid7, LLC.
Contact Name:
Title:
Telephone:
E-mail:
Business Address: 545 Boylston St
City: Boston
State/Province: MA
ZIP: 02116
URL: http://www.rapid7.com

1.0 EXECUTIVE SUMMARY

On April 30, 2008, Acme, Inc contracted with Rapid7 Professional Services to perform an on-site wireless assessment. The goal of the assessment was to provide Acme with an independent evaluation of their wireless security posture from an external attacker's standpoint. This document contains the results of the assessment's findings.

Rapid7 began the wireless assessment for Acme on June 24, 2008. The main contact was Michael Bolton. Two sites were in scope for the assessment (Beverly Hills Headquarters and Beverly Hills District Office). Another site was added mid-assessment (Beverly Hills Training Facility).

The assessment began with reconnaissance of the Acme network. A wardrive (scan) of the buildings was completed (see range maps in Appendix D) to determine possible targets. Rapid7 noticed a large number of WPA/Radius (strong) encrypted access points and a smaller number of WEP (weak) encrypted access points with the name "ACMENC." The presence of several open networks was also noted. These findings were later confirmed by Michael.

After completing recon, Rapid7 prioritized targets (see Appendix C: Attack Model), and determined that the open and WEP encrypted access points would be the simplest vector into the network. With targets in place, Rapid7 moved on to the attack phase of the assessment.

The first major finding of the assessment was an open access point, "ACME." This access point provided full access to the Acme internal network. More details are included in the findings section; however, the remediation is as simple as disabling the wireless transmitter on the device.

The second major finding of the assessment was (easily broken) WEP encryption in use on an Acme (ACMENC) access point. Despite the fact that all Acme traffic and data passing over the network was encrypted with a 128-bit WEP key, an experienced attacker could likely penetrate the Acme network within an hour, and a less experienced attacker or simply a curious observer could gain access within a day. More details are included in the findings section.

The result of the wireless assessment was total access to the internal network. This access was obtained using open source tools and well-known methods for attack (think: videos on YouTube). Given sufficient time, it is likely an attacker could compromise the entire network and all Acme data.

While connected to the internal network, Rapid7 attempted to authenticate to several machines. These failed authentication attempts were noticed by Acme staff; however, an experienced attacker with sufficient time could easily evade such detection.

In short, the only permanent solution to the weak wireless security is to upgrade all devices to stronger encryption schemes. Ideally, each WAP would be WPA-encrypted with a Radius server for authentication. Other potential (temporary) solutions include segmenting the wireless network from the wired network, or disabling it altogether.
2.0 CORPORATE PROFILE

Founded in 2006, ACME Inc. has production and research facilities across the globe.

3.0 REPORTING AND ASSESSMENT METHODOLOGY

This section of the report details the methodology used by Rapid7 to gather results and to report them. It presents the process, timeline, and tools behind the assessment. Additionally, this section details the report's structure and workflow.

3.1 Assessment Methodology

The assessment consisted of three major phases: Reconnaissance, Attack (Penetration Testing), and Range Surveying. These are detailed below. See the assessment details section for the walkthrough of each phase.

Methodology

Reconnaissance Phase
Rapid7's recon methodology is designed to gather as much information about the target network as quickly and as quietly as possible. The following steps are completed during recon:
1. Initial Observations – Conducted on foot or in a car, using a handheld device or laptop to gather signal strength and a listing of available wireless networks
2. Analysis of available networks – Silently gather information about WAPs and clients using each WAP. Determine if the network is in scope for the assessment
3. Gather Network and Access Point (AP) Information – Gather and store details for all networks under test. Use packet captures to record traffic passing over the network.

Attack (Penetration Testing) Phase
Rapid7's attack methodology is designed to gain access to the network as quietly and painlessly as possible. The following steps are completed during attack. (This phase is left intentionally open-ended; the attack phase depends on many factors and must be left open-ended.)
1. Use data gathered within the recon phase to enumerate a priority list of targets.
2. Survey & sniff open access points (if available).
3. Break WEP/WPA encryption if available.
4. Prepare fake RADIUS Server for WPA/managed APs.
5. Launch MiTM attacks.
6. Use other attack patterns as appropriate.

Range Survey Phase
Rapid7's range survey is designed to gather information about the signal spread of a particular wireless network. This information is then consolidated into signal maps.
1. Survey with typical wireless card, omni-directional antenna, and GPS.
2. Survey with typical wireless card, directional antenna, and GPS.
3. Generate signal maps using gathered data and mapping utility.

Tools Used

Hardware
• Dell XPS M1210 w/ Intel 3945 Centrino Wireless
• Lenovo T60P w/ Intel 3945 Centrino Wireless
• Alfa USB 500mW AWUS036H (Wireless Adapter)
• Ubiquiti SRC 300mW (Wireless Adapter)
• 2.4GHz 12dBi Radome Enclosed Yagi Antenna
• 2.4GHz 7dBi Vehicle Mount Omni Antenna
• 2.4GHz 9dBi Vehicle Mount Omni Antenna

Software
• Backtrack 3.0 – OS. Used as a host for other tools
• VMWare Workstation – Hypervisor. Used to host Backtrack VM
• Windows 2003 – OS. Used to host Backtrack VM
• Kismet – Recon Tool. Used to survey the wireless network access points & clients
• GPSMap – Recon Tool. Used to graphically depict the wireless access points
• Wesside – Attack Tool. Used (unsuccessfully) to break WEP encryption
• SpoonWEP – Attack Tool. Used (unsuccessfully) to break WEP encryption
• Aircrack-NG – Attack Tool Suite (airodump, aireplay, aircrack). Used (successfully) to break WEP encryption
• Nmap 4.6 – Surveying Tool. Used to survey the network after gaining access
• Wireshark – Sniffing Tool. Used to survey & analyze the internal network after gaining access
• Dsniff – Sniffing Tool. Used to sniff for passwords on the internal network after gaining access

3.2 Reporting Methodology

Structure
The report is organized into the following sections:
1.0 Executive Overview – A high-level overview of the findings from the assessment. This section gives the reader a view of the major issues discovered.
2.0 Corporate Profile – A description of the business being tested.
3.0 Reporting and Methodology – An explanation of the methodology used for the assessment and the rationale behind the reporting. (This section)
4.0 Scope of Assessment – Exact specification on the scope of the assessment. This section details what was covered, and more importantly, what was NOT covered.
5.0 Findings and Recommendations – An in-depth rating and analysis of key issues discovered during the assessment.
6.0 Assessment Details – A step-by-step breakdown of work completed during the assessment.
This section walks through the process of the wireless assessment, detailing observations made in each phase.
7.0 Appendix: Project Plan – Approved project plan for the assessment.
8.0 Appendix: Attack Model – Attack model generated during the assessment. Lists potential attack vectors.
9.0 Appendix: Range Maps – Wireless range maps of the sites in scope.

Understanding the Findings
Rather than report each missing patch as a vulnerability, this report describes risks and findings using the DREAD Model. A finding is a logical grouping of one or more security issue(s) having a common cause and/or a common resolution. In addition to identifying the underlying cause(s), each finding also contains hyperlinked references to resources and provides detailed remediation information.

A provided findings matrix summarizes the overall findings and can be used as a workflow plan that can be tracked within the security organization. This plan is intended to assist the remediation team in prioritizing and tracking the remediation effort. Each finding has been categorized according to its relative risk level and also contains a rating as to the amount of work and resources required in order to address the finding.

It is important to reiterate that this report represents a "snapshot" of the security posture of the environment at a point in time.

[...]

The next attack was to crack the WEP access point located in the Stanley Building. Rapid7 began by utilizing relatively new tools, Wesside and SpoonWEP. These tools are entirely automated attacks, designed to make cracking a network as simple as clicking a button. Below are screenshots of these attacks:

[SCREENSHOT REMOVED FOR SAMPLE REPORT]
Wesside failing to gather sufficient network traffic to crack the password.

[SCREENSHOT REMOVED FOR SAMPLE REPORT]
SpoonWEP failing to gather sufficient IVs to crack the wireless password.

...

After the scoping call and an initial on-site meeting, it was decided to focus solely on wireless from an external attacker's standpoint.
5.0 FINDINGS AND RECOMMENDATIONS

Rapid7 has identified a number of areas where security could be improved, and recommendations have been provided for consideration. This section of the report describes the details of Rapid7's observations, the impact associated with the vulnerabilities identified, and recommendations for ...

Recon Phase
The initial recon was completed on foot with a simple 'wireless finder' device. After locating the Beverly Hills Headquarters, Rapid7 mapped and confirmed the existence of 2.4GHz networks in the area. The three buildings at the headquarters were each assessed for wireless access points. After confirming that each building had a wireless access point, Rapid7 proceeded to enumerate access points in each area.

... ng.org/doku.php?id=simple_wep_crack/. Needless to say, the attack can be done by anyone with enough free time to read the documentation and buy the necessary hardware (read: almost anyone). A screenshot of the successful key crack is shown below:

[SCREENSHOT REMOVED FOR SAMPLE REPORT]

After moving to the aircrack-ng suite, the attack took approximately 1 hour. In total, the attack phase consisted of approximately a day. This attack was completed from within the Stanley building, at ...

Hopefully this indicates the danger of running WEP encryption. Although there was only ONE (detected) AP running WEP, Rapid7 was able to crack & obtain access to the internal network. It is highly suggested that the WEP encryption be replaced with WPA managed encryption, similar to the other Acme access points.

Network Survey Phase
After successfully completing the attack phase, Rapid7 proceeded to again wardrive the perimeter of ...

HotSpotting (MiTM)
1.3 Sniffing
Maintain Access (Optional)
Debriefing (06/27/08) – Occurs on-site. Prepare results in the form of a presentation.
Analysis / Report (06/30/08) – Occurs off-site. Prepare results in the form of a final report.

8.0 APPENDIX B: ATTACK MODEL

Below is the attack model (or attack tree) generated for the assessment. This attack model shows paths ...

The results of the preliminary recon are provided below. More information can be obtained by viewing the XLS file (recon.xls) accompanying the report. Note: This list was originally provided to Michael via email. In that email, Shelby and Stanley APs were swapped. This has been corrected.

Headquarters - Main Office:
• [unknown SSID] - WEP40 (2)
• [unknown SSID] - WEP (2)
• [unknown...
ACMENC – TC_TR_AP - Main Building – WPA/MGD Encryption

After narrowing the possible attack vectors, an attack model (or attack tree) was generated. This attack tree is included in Appendix C.

Attack Phase
Rapid7 determined the best attack vector into the network was the open access point, ACME. As expected, this AP provided full access to the internal Acme network. This vector was quickly disregarded ...

MODERATE – One to several days requiring moderate amounts of resources
LOW – Less than a day requiring only a minimal amount of resources

5.4 Findings Matrix

This table summarizes the findings documented in this report. The findings are ordered based on a weighted score of the severity of the risk and the effort of remediation.

FINDING | DREAD SCORE | REMEDIATION EFFORT
...

Finding: Open Access Point (ACME)

DREAD Score Summary
Damage Potential | Reproducibility | Exploitability | Affected Users | Discoverability | Total | Risk Rating
7 | 10 | 10 | 10 | 7 | 44 | Critical

Proof
Below are two screenshots depicting connections to the open access point 'ACME.' The first screenshot shows airodump and wireshark capturing packets on the network:
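The report's recon list and DREAD summary above can be turned into a repeatable triage step for a defender's own wireless survey. The following is an added example, not part of the Rapid7 report: it takes constructed survey rows (SSID, BSSID, privacy field), flags open and WEP access points the way the findings do, attaches a DREAD vector (the open-AP scores 7/10/10/10/7 = 44 are the report's; the WEP vector is an assumption for illustration) and ranks the results for remediation.

```python
"""Triage a wireless survey the way this report's findings do: flag open and
WEP access points, attach a DREAD vector, and rank them for remediation.
Added example, not part of the Rapid7 report; the survey rows are constructed."""

# DREAD vector: (damage, reproducibility, exploitability, affected users,
# discoverability). OPEN is the report's own score for the ACME AP (total 44);
# WEP is an assumed vector chosen for illustration only.
DREAD = {"OPEN": (7, 10, 10, 10, 7), "WEP": (7, 9, 9, 10, 7)}
REMEDIATION = {
    "OPEN": "disable the radio, or move to WPA with RADIUS authentication",
    "WEP": "replace WEP with WPA managed encryption like the other Acme APs",
}

# Constructed survey rows "SSID,BSSID,privacy" (BSSIDs are not real).
SURVEY = """\
ACME,00:11:22:33:44:55,OPN
ACMENC,00:11:22:33:44:66,WEP
TC_TR_AP,00:11:22:33:44:77,WPA
GuestNet,00:11:22:33:44:88,WPA2
"""

def classify(privacy):
    """Map a survey privacy field to the report's weak classes, else None."""
    p = privacy.strip().upper()
    if p in ("OPN", "OPEN", "NONE"):
        return "OPEN"
    if p.startswith("WEP"):          # WEP, WEP40, WEP104 all count as WEP
        return "WEP"
    return None                      # WPA/WPA2/managed: strong, not a finding

def dread_total(weakness):
    """Composite DREAD score is the plain sum of the five components."""
    return sum(DREAD[weakness])

def triage(survey):
    """Return weak APs as dicts, ranked by DREAD total (highest risk first)."""
    findings = []
    for line in survey.splitlines():
        if not line.strip():
            continue
        ssid, bssid, privacy = (f.strip() for f in line.split(","))
        weak = classify(privacy)
        if weak:
            findings.append({"ssid": ssid, "bssid": bssid, "weakness": weak,
                             "dread": dread_total(weak), "fix": REMEDIATION[weak]})
    return sorted(findings, key=lambda f: f["dread"], reverse=True)

if __name__ == "__main__":
    for f in triage(SURVEY):
        print(f"{f['ssid']:10} {f['weakness']:5} DREAD={f['dread']}  fix: {f['fix']}")
```

Feeding a real airodump-ng or Kismet export requires only adapting the row parser in `triage`; the classification and ranking stay the same.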