Assignment 3 Report 16051995 (2) (1)

The project involved conducting a penetration test on a target computer system to identify vulnerabilities and recommend security strategies. Eight open services were found, and five vulnerabilities were exploited, revealing access to sensitive information. The report concludes that the target system has multiple vulnerabilities requiring risk mitigation to prevent potential exploitation by attackers.

University of Hertfordshire

School of Computer Science


BSc Computer Science (Networks)

Module: Computer Systems Security

Coursework 3

System Security Project Report

Connor Fanning
Level 6
Academic Year 2020 - 21
Abstract – Executive Summary
The goal of this project was to conduct a penetration test on a target computer system in order to
advise the decision makers of a large corporation on system security strategy. The project consisted
of a number of tasks that tested the target machine according to a plan drafted before the
penetration test was carried out; the plan covered scanning and enumeration, vulnerability
identification, and exploitation.

The vulnerability scans showed eight open services on the target: ssh, http, netbios-ssn on two
different ports, mysql, vnc and X11 on two different ports. Five vulnerabilities were chosen for
exploitation using the Metasploit Framework and other methods. Some of these exploits made it
possible to access login information, pictures and files; a mitigation is given for each of them.

The conclusion drawn from this penetration test is that the target system has many vulnerabilities,
some of which can be exploited, so it is clear that the system needs risk mitigation and solutions to
prevent the vulnerabilities from being exploited by hackers.
Contents
Abstract – Executive Summary
1.0 Introduction
2.0 Attack Narrative
2.1 Information Gathering
2.2 Scanning and Enumeration
2.3 Vulnerability Identification
2.4 Vulnerability Exploitation
3.0 Vulnerability Mitigation
4.0 Conclusions
5.0 Overall Conclusions and Reflections
6.0 References
7.0 Appendices
Testing the security of a Linux computer system

1.0 Introduction
This penetration testing project was completed for an assignment in the Computer Systems Security
module, with the goal of testing the security of a computer system to discover vulnerabilities and
methods of exploitation. The approach followed the PTES methodology as guidance for how to conduct
a penetration test, together with the pre-planned standard operating procedure (SOP). In preparation
for the pen test, the phases of the SOP to be used were scanning and enumeration, vulnerability
identification and exploitation, and reporting and documenting the findings. Alongside this, a rough
attack tree was drawn up as a plan of attack before any work was carried out. The main objectives of
the pen test were to discover vulnerabilities through exploitation techniques and to research ways in
which they can be mitigated.

This report describes the work carried out on the five exploits and the vulnerability mitigation
recommended for each exploit. Also included are the conclusions drawn from the pen testing work and
screenshots of the key steps that were instrumental in finding and exploiting vulnerabilities.

2.0 Attack Narrative


This section details the steps that were taken when carrying out the attack on the system as well as
explaining why each action was taken with appropriate screenshots.

2.1 Information Gathering


For this assignment, nothing was carried out in the Information Gathering phase because a
target IP address had already been assigned. If this phase were needed, footprinting would
be used to obtain information, with techniques such as WHOIS queries, port scanning and
network enumeration.

2.2 Scanning and Enumeration


Prior to the scanning phase, the ping command was used to confirm that the target IP exists
and accepts requests (Rouse, 2019) (Figure 1).

Figure 1 - ping shows requests being sent to the IP.

Packets were received, meaning the pen testing could begin.


As part of the scanning phase, the nmap scanning tool was used to find out which services
were running on the target (Figure 2).

Figure 2 - scanning of IP shows eight ports

The scan results showed that the target system was running services including ssh, http,
netbios-ssn, mysql, vnc and X11. Each service was analysed by its software version, and
research was undertaken into the vulnerabilities associated with those versions before a
vulnerability scan was run on the target.

2.3 Vulnerability Identification


After the scanning phase, the next step was to use vulnerability identification methods to
discover vulnerabilities; the methods used were a Nessus scan and a DIRB scan.

The aim of this step was to discover flaws that could lead to a loss of security
(Yumpu.com, n.d.), so a Nessus network scan was run (Figure 3).

Figure 3 - scanning of IP shows many vulnerabilities.

The scan results showed several vulnerabilities, ranging from low to critical severity. They
included PHP, HTTP and Apache issues, among many others (Figure 4).

Figure 4 - scanning of IP shows each vulnerability and its severity.

The output shows that there are many vulnerabilities, including SSH Protocol Version 1
Session Key Retrieval and Samba Badlock Vulnerability.
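As an added example that is not part of the original report, the following Python script parses the flattened Nessus host summary reproduced in the appendix (section 7.0), checks the severity header against the stated total, and ranks the findings by CVSS score; the rows embedded in it are a subset copied from that appendix.

```python
"""Triage helper for the flattened Nessus host summary in section 7.0.

Added example, not part of the report: parses rows laid out as
"SEVERITY CVSS PLUGIN NAME" (CVSS is N/A for informational plugins),
checks the header counts against the stated total, and ranks the
findings that need a remediation ticket.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")
ROW_RE = re.compile(r"^(CRITICAL|HIGH|MEDIUM|LOW|INFO)\s+(\d+\.\d|N/A)\s+(\d+)\s+(.+?)\s*$")

# Header line and a subset of rows copied from the appendix (the full export has 59 rows).
NESSUS_HEADER = "1 10 11 3 34"   # order: CRITICAL HIGH MEDIUM LOW INFO
NESSUS_TOTAL_LINE = "Vulnerabilities Total: 59"
NESSUS_ROWS = """\
CRITICAL 10.0 58987 PHP Unsupported Version Detection
HIGH 7.5 42411 Microsoft Windows SMB Shares Unprivileged Access
HIGH 7.5 10882 SSH Protocol Version 1 Session Key Retrieval
MEDIUM 6.8 90509 Samba Badlock Vulnerability
MEDIUM 5.0 11213 HTTP TRACE / TRACK Methods Allowed
MEDIUM 4.3 90317 SSH Weak Algorithms Supported
LOW 2.6 70658 SSH Server CBC Mode Ciphers Enabled
INFO N/A 10719 MySQL Server Detection
INFO N/A 65792 VNC Server Unencrypted Communication Detection
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    cvss: Optional[float]   # None for informational plugins (N/A)
    plugin: int
    name: str


def parse_rows(text: str) -> List[Finding]:
    """One Finding per matching line; page markers and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sev, score, plugin, name = m.groups()
            findings.append(Finding(sev, None if score == "N/A" else float(score), int(plugin), name))
    return findings


def header_counts(header: str, total_line: str) -> dict:
    """Map the five header numbers to severities; fail if they disagree with the stated total."""
    numbers = [int(n) for n in header.split()]
    if len(numbers) != len(SEVERITIES):
        raise ValueError("expected one count per severity level")
    stated = int(total_line.rsplit(":", 1)[1])
    if sum(numbers) != stated:
        raise ValueError(f"header counts sum to {sum(numbers)}, report states {stated}")
    return dict(zip(SEVERITIES, numbers))


def count_by_severity(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


def actionable(findings: List[Finding], min_cvss: float = 4.0) -> List[Finding]:
    """Scored findings at or above min_cvss, highest score first; INFO rows drop out."""
    scored = [f for f in findings if f.cvss is not None and f.cvss >= min_cvss]
    return sorted(scored, key=lambda f: (-f.cvss, f.plugin))


def findings_for_service(findings: List[Finding], keyword: str) -> List[int]:
    """Plugin ids whose name mentions a service, e.g. 'SSH', to group fixes per service."""
    return [f.plugin for f in findings if keyword.lower() in f.name.lower()]
```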

The DIRB scanner was also used. DIRB is a command-line tool that brute-forces directory names
from wordlists (Manoharan, 2017), so it was an ideal way to find and access directories that
might expose vulnerabilities (Figure 5).

Figure 5 - scanning of IP shows potential directories that could be vulnerable.


The DIRB scan showed several directories, including http://192.168.1.163/base/,
http://192.168.1.163/manual, http://192.168.1.163/phpmyadmin/ and
http://192.168.1.163/true.

Furthermore, the software versions of the target's services were researched manually to find
additional attack methods the scanners might have missed and to add to the exploit
possibilities (Figure 6).

Figure 6 - web browser search shows vulnerabilities for Openssh 4.4

Various information is available for each vulnerability including the CVE ID, the vulnerability
type, and the vulnerability score. In this instance, Openssh 4.4 has 15 vulnerabilities that are
mostly DoS related with vulnerability scores ranging from 1.2 to 7.5.

2.4 Vulnerability Exploitation


The vulnerability exploitation phase of the attack consisted of attempting methods of
exploits using the information that was gained from the previous phases and through using
exploitation tools such as the Metasploit framework.

Apache Web Server Exploit

One of the many directories generated by the DIRB scanner was http://192.168.1.163/true/.
This URL was entered into a web browser in case it held information that could help exploit
a vulnerability. Accessing it proved useful: it led to a page containing user credentials
(Figure 7).

Figure 7 - web page shows user credentials.


The page showed that there were four usernames and four passwords. These included the
following usernames: “frodo”, “bilbo”, “samwise” and “faramir”, and the following
passwords: “Baggins1”, “Baggins1”, “Gangee” and “T00k”.

SSH Protocol Exploit

One of the many vulnerabilities found by the Nessus scan (www.tenable.com, n.d.) was
“SSH Protocol Version 1 Session Key Retrieval”, which reports that the remote service offers
an insecure cryptographic protocol. Using the user credentials found previously, access to
the system was gained with one of the usernames and passwords (Figure 8).

Figure 8 - access to the system revealed the target system "MiddleEarth".

Through ssh, together with the credentials exposed by the Apache web server vulnerability
found earlier, access to the system was gained. With that access, a jpg file was discovered
by browsing the system.

After finding a jpg file, more browsing was carried out to see whether there was any other
information that could be exploited; access to the temp directory was therefore attempted
(Figure 9).

Figure 9 - access to the temp file revealed some files.

With access to the temp directory, several files were discovered, with the “test.txt” file
containing some text. The text did not prove useful; however, a file such as this could have
contained a vulnerability that could be exploited.

SFTP Exploit

After failing to find anything useful in the temp directory, the next step was to look for a
vulnerability in the image files for bilbo, faramir, frodo and samwise. To do this, sftp was
used to retrieve these files (Figures 10 - 14).

Figure 10 - access to samwise revealed a png file.

Figure 11 - browser shows samwise image.


Figure 12 - browser shows faramir image.

Figure 13 - browser shows bilbo image.


Figure 14 - browser shows frodo image.

Using sftp, all of the users' images could be viewed. None of the images proved to be of any
use, but sftp could help find an exploitable vulnerability on another occasion.

MySQL Exploit

As no vulnerabilities were found in the images, the search for further vulnerabilities to
exploit in the MiddleEarth system continued (Figure 15).

Figure 15 - database shows a column of information.


Through access to the MySQL monitor, a database of information could be displayed, although
it was not yet known where this information would be useful. It was documented in case it
proved useful later.

Following this, attention turned to the Metasploit framework, as it allows penetration
testers to execute exploit code against a target (EC-Council Official Blog, 2020). The
auxiliary scanner module was used with RHOST set to the target IP address, which the module
requires before it can run (Figure 16).

Figure 16 - scanning shows auxiliary module execution completed.

The results were not as expected: the terminal reported “Unsupported target version of MySQL
detected”, which is why the exploit did not work. Consequently, no username or password was
obtained that would allow access to mysql.

VNC Exploit

Using the DIRB scan results, the directories were examined again for exploitable
vulnerabilities, starting with an attempt to access the phpMyAdmin directory (Figure 17).

Figure 17 - web browser shows phpmyadmin login page.

After entering http://192.168.1.163/phpmyadmin/ into the web browser, multiple usernames and
passwords were tried, but the directory could not be accessed. Although access was not
gained, the directory could have contained exploitable vulnerabilities.

The nmap scan was then analysed again before considering further vulnerabilities. Using the
Metasploit framework, an attempt was made to exploit VNC, one of the open services shown by
the nmap scan (Figure 18).

Figure 18 - show options command shows all options available.

After entering the necessary parameters and running the module, the login failed due to too
many incorrect authentication attempts. With the correct password this exploit would have
worked, but the password could not be retrieved during the attack, so the vulnerability was
not exploited. All of the exploits matching the open ports from the nmap scan were also
attempted, as were others such as vsftpd and SAMBA, but none produced the desired results.
This could be due to a lack of prior information, to differing software versions, or to the
exploit code used being outdated.

3.0 Vulnerability Mitigation


Apache

Rating: High

Description: According to (Netsparker Security Team, 2019), directory listing is a web server
feature that, when enabled, lists the contents of a directory that has no index file.

Impact: If an attacker finds such a folder and accesses it directly, they can see and download
backup files containing database connection details, and could then damage the database or the
web application using those credentials (Netsparker Security Team, 2019).

Mitigation: For security, it is advised to disable directory listing.

SSH

Rating: High

Description: According to (www.tenable.com, n.d.), the remote SSH daemon supports connections
made using version 1.33 and/or 1.5 of the SSH protocol.

Impact: These protocol versions are not cryptographically safe and should not be used, as
attackers can easily gain access to the system (www.tenable.com, n.d.).

Mitigation: Disable compatibility with version 1 of the SSH protocol (www.tenable.com, n.d.).

Insecure permissions

Rating: Medium

Description: According to (cwe.mitre.org, n.d.), an example of incorrect default permissions is
insecure permissions on a shared secret key file, which overlaps with the cryptographic problem.

Impact: As a result, hackers could read and modify application data (cwe.mitre.org, n.d.).

Mitigation: The architecture needs to restrict access to and modification of files to only those
users who actually require those actions. Architects and designers should also rely on the
principle of least privilege to decide when to use privileges and when to drop them
(cwe.mitre.org, n.d.).

MySQL Authentication Bypass

Rating: Medium

Description: According to (cve.mitre.org, n.d.), this allows remote attackers to bypass authentication
by repeatedly authenticating with the same incorrect password.

Impact: This allows attackers access to username and password details to allow access to the
target’s mysql.

Mitigation: According to (Rapid7 Blog, 2012), a possible solution would be to not expose the MySQL
to the network and if MySQL is exposed to the network, modify the my.cnf file in order to restrict
access to the local system.

VNC Authentication Bypass

Rating: High

Description: According to (cve.mitre.org, n.d.), this allows remote attackers to bypass
authentication. It is caused by improper validation of the client authentication method, which
could allow an attacker to authenticate successfully to an affected system using the null
authentication method (exchange.xforce.ibmcloud.com, n.d.).

Impact: Attackers can log in with the default password and gain access to sensitive
information.

Mitigation: As stated in (exchange.xforce.ibmcloud.com, n.d.), the solution would be to upgrade to
the latest version.

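Three of the mitigations above (disable directory listing, disable SSH protocol 1, keep MySQL off the network) can be checked mechanically. The following Python script is an added example, not part of the original report: it parses constructed sample configs, places each weak setting beside its hardened form, and flags the weak one; the paths and values in the samples are assumptions.

```python
"""Checks for the weak settings behind the section 3.0 mitigations.

Added example, not taken from the report: each function parses one config format and
flags the insecure setting. The sample configs below are constructed and illustrative.
"""
import re

# Constructed "before" (weak) and "after" (hardened) snippets for each mitigation.
APACHE_WEAK = "<Directory /var/www/html>\n    Options Indexes FollowSymLinks\n</Directory>\n"
APACHE_FIXED = "<Directory /var/www/html>\n    Options -Indexes +FollowSymLinks\n</Directory>\n"
SSHD_WEAK = "Protocol 2,1\nPermitRootLogin yes\n"   # SSH-1 still negotiable
SSHD_FIXED = "Protocol 2\nPermitRootLogin no\n"
MYCNF_WEAK = "[mysqld]\nbind-address = 0.0.0.0\n"    # listens on every interface
MYCNF_FIXED = "[mysqld]\nbind-address = 127.0.0.1\n"


def apache_listing_enabled(conf: str) -> list:
    """Return <Directory> paths whose Options turn on directory listing."""
    exposed, current, enabled = [], None, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        start = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.IGNORECASE)
        parts = line.split()
        if start:
            current, enabled = start.group(1), False
        elif line.lower() == "</directory>":
            if current is not None and enabled:
                exposed.append(current)
            current = None
        elif current is not None and parts and parts[0].lower() == "options":
            for opt in (p.lower() for p in parts[1:]):
                # Indexes, +Indexes and All enable listing; -Indexes and None remove it.
                if opt in ("indexes", "+indexes", "all", "+all"):
                    enabled = True
                elif opt in ("-indexes", "none"):
                    enabled = False
    return exposed


def sshd_allows_protocol1(conf: str, default_allows_v1: bool = True) -> bool:
    """True if an SSH protocol 1 connection would be accepted. sshd honours the first
    Protocol line; OpenSSH releases before 5.4 defaulted to 'Protocol 2,1' when the line
    was absent, so on a daemon as old as the OpenSSH 4.4 seen in the scan a missing line
    still means v1 is enabled (pass default_allows_v1=False for modern releases)."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "protocol":
            return "1" in parts[1].split(",")
    return default_allows_v1


def mysql_exposed_to_network(cnf: str) -> bool:
    """True if [mysqld] would listen on a non-loopback address. With no bind-address
    the server default applies, which listens on all interfaces."""
    section, bind, skip_networking = None, None, False
    for raw in cnf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld" and line:
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("_", "-")
            if key == "skip-networking":
                skip_networking = True
            elif key == "bind-address":
                bind = value.strip().strip('"')
    return not skip_networking and bind not in ("127.0.0.1", "::1", "localhost")


def audit(apache: str, sshd: str, mycnf: str) -> list:
    """Collect findings, each paired with the fix the mitigation section recommends."""
    findings = []
    for path in apache_listing_enabled(apache):
        findings.append(f"Apache: directory listing enabled for {path}; set 'Options -Indexes'")
    if sshd_allows_protocol1(sshd):
        findings.append("SSH: protocol version 1 accepted; set 'Protocol 2'")
    if mysql_exposed_to_network(mycnf):
        findings.append("MySQL: reachable from the network; set bind-address = 127.0.0.1")
    return findings
```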
4.0 Conclusions
Upon completion of the attacks and mitigation, it can be concluded that many vulnerabilities were
found on the target system, discovered through research, scanning and vulnerability identification
techniques and tools. These methods included DIRB scans, nmap scans, Nessus scans and Metasploit.
They revealed potential vulnerabilities in the security of the Linux computer system, including
OpenSSH, Apache and MySQL vulnerabilities. Using research and the results of these scans, mitigation
methods were advised to prevent attacks by hackers in the future, including applying the principle
of least privilege and disabling directory listing.

5.0 Overall Conclusions and Reflections

In the scanning and enumeration phase, information such as the running services and their versions
was collected with an nmap scan of the target IP. This gave a solid base on which to continue the
attack. During the vulnerability identification phase, a combination of DIRB scan results, Nessus
scan results and research provided potential vulnerabilities that could be exploited. This
information proved useful because the vulnerability exploitation phase used the results of the
previous steps to exploit the vulnerabilities and attempt to gain access to the system. The
Metasploit framework was instrumental in carrying out these attacks.

Numerous lessons were learned from testing the security of the target system. Invaluable knowledge
of how to plan and carry out a penetration test strategically was gained, from following an attack
plan to learning how to use tools for scanning, vulnerability identification and exploitation. If
similar work is done in industry, the experience gained, and the fact that the information will no
longer be unfamiliar, will be an advantage in understanding and implementation in a future job role.
6.0 References
ping? (2019). What is ping? - Definition from WhatIs.com. [online] SearchNetworking. Available at:
https://searchnetworking.techtarget.com/definition/ping [Accessed 6 Jan. 2021].

Yumpu.com (n.d.). Secrets of Vulnerability Scanning: Nessus, Nmap and More - Sharkfest. [online]
yumpu.com. Available at:
https://www.yumpu.com/en/document/read/3505564/secrets-of-vulnerability-scanning-nessus-nmap-and-more-sharkfest
[Accessed 6 Jan. 2021].

Manoharan, A. (2017). Dirb — A web content scanner. [online] Medium. Available at:
https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86 [Accessed 6 Jan. 2021].

Kali.org (2014). DIRB. [online] Available at: https://tools.kali.org/web-applications/dirb
[Accessed 6 Jan. 2021].

www.cvedetails.com (n.d.). Openbsd Openssh version 4.4 : Security vulnerabilities. [online]
Available at:
https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-38080/Openbsd-Openssh-4.4.html
[Accessed 6 Jan. 2021].

www.tenable.com (n.d.). SSH Protocol Version 1 Session Key Retrieval. [online] Available at:
https://www.tenable.com/plugins/nessus/10882 [Accessed 7 Jan. 2021].

EC-Council Official Blog (2020). What is Metasploit and how is it used in penetration testing?
[online] Available at:
https://blog.eccouncil.org/what-is-metasploit-and-how-is-it-used-in-penetration-testing/
[Accessed 7 Jan. 2021].

Netsparker Security Team (2019). How to Disable Directory Listing on Your Web Server. [online]
Netsparker.com. Available at:
https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/
[Accessed 8 Jan. 2021].

cwe.mitre.org (n.d.). CWE-276: Incorrect Default Permissions (4.3). [online] Available at:
https://cwe.mitre.org/data/definitions/276.html [Accessed 8 Jan. 2021].

cve.mitre.org (n.d.). CVE-2012-2122. [online] Available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122 [Accessed 8 Jan. 2021].

Rapid7 Blog (2012). CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL. [online]
Available at:
https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/
[Accessed 8 Jan. 2021].

cve.mitre.org (n.d.). CVE-2006-2369. [online] Available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369 [Accessed 8 Jan. 2021].

exchange.xforce.ibmcloud.com (n.d.). RealVNC authentication bypass CVE-2006-2369 Vulnerability
Report. [online] Available at: https://exchange.xforce.ibmcloud.com/vulnerabilities/26445
[Accessed 8 Jan. 2021].

7.0 Appendices

Nessus Scan

Host: 192.168.1.163

Vulnerabilities by severity: CRITICAL 1, HIGH 10, MEDIUM 11, LOW 3, INFO 34 (Total: 59)

SEVERITY  CVSS  PLUGIN  NAME
CRITICAL  10.0  58987   PHP Unsupported Version Detection
HIGH      7.5   42411   Microsoft Windows SMB Shares Unprivileged Access
HIGH      7.5   24906   PHP < 4.4.5 Multiple Vulnerabilities
HIGH      7.5   29833   PHP < 4.4.8 Multiple Vulnerabilities
HIGH      7.5   33849   PHP < 4.4.9 Multiple Vulnerabilities
HIGH      7.5   41014   PHP < 5.2.11 Multiple Vulnerabilities
HIGH      7.5   35067   PHP < 5.2.8 Multiple Vulnerabilities
HIGH      7.5   58988   PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
HIGH      7.5   57537   PHP < 5.3.9 Multiple Vulnerabilities
HIGH      7.5   10882   SSH Protocol Version 1 Session Key Retrieval
HIGH      7.5   34460   Unsupported Web Server Detection
MEDIUM    6.8   43351   PHP < 5.2.12 Multiple Vulnerabilities
MEDIUM    6.8   58966   PHP < 5.3.11 Multiple Vulnerabilities
MEDIUM    6.8   90509   Samba Badlock Vulnerability
MEDIUM    6.4   44921   PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
MEDIUM    5.1   39480   PHP < 5.2.10 Multiple Vulnerabilities
MEDIUM    5.0   11213   HTTP TRACE / TRACK Methods Allowed
MEDIUM    5.0   35750   PHP < 5.2.9 Multiple Vulnerabilities
MEDIUM    5.0   142591  PHP < 7.3.24 Multiple Vulnerabilities
MEDIUM    5.0   57608   SMB Signing not required
MEDIUM    4.3   17696   Apache HTTP Server 403 Error Page UTF-7 Encoded XSS
MEDIUM    4.3   90317   SSH Weak Algorithms Supported
LOW       2.6   70658   SSH Server CBC Mode Ciphers Enabled
LOW       2.6   71049   SSH Weak MAC Algorithms Enabled
LOW       2.6   10407   X Server Detection
INFO      N/A   48204   Apache HTTP Server Version
INFO      N/A   39520   Backported Security Patch Detection (SSH)
INFO      N/A   45590   Common Platform Enumeration (CPE)
INFO      N/A   54615   Device Type
INFO      N/A   10107   HTTP Server Type and Version
INFO      N/A   24260   HyperText Transfer Protocol (HTTP) Information
INFO      N/A   117886  Local Checks Not Enabled (info)
INFO      N/A   10397   Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
INFO      N/A   10394   Microsoft Windows SMB Log In Possible
INFO      N/A   10785   Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
INFO      N/A   11011   Microsoft Windows SMB Service Detection
INFO      N/A   100871  Microsoft Windows SMB Versions Supported (remote check)
INFO      N/A   106716  Microsoft Windows SMB2 and SMB3 Dialects Supported (remote check)
INFO      N/A   10719   MySQL Server Detection
INFO      N/A   11219   Nessus SYN scanner
INFO      N/A   19506   Nessus Scan Information
INFO      N/A   11936   OS Identification
INFO      N/A   48243   PHP Version Detection
INFO      N/A   66334   Patch Report
INFO      N/A   70657   SSH Algorithms and Languages Supported
INFO      N/A   10881   SSH Protocol Versions Supported
INFO      N/A   10267   SSH Server Type and Version Information
INFO      N/A   25240   Samba Server Detection
INFO      N/A   104887  Samba Version
INFO      N/A   96982   Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)
INFO      N/A   22964   Service Detection
INFO      N/A   110723  Target Credential Status by Authentication Protocol - No Credentials Provided
INFO      N/A   10287   Traceroute Information
INFO      N/A   10758   VNC HTTP Server Detection
INFO      N/A   19288   VNC Server Security Type Detection
INFO      N/A   65792   VNC Server Unencrypted Communication Detection
INFO      N/A   10342   VNC Software Detection
INFO      N/A   135860  WMI Not Available
INFO      N/A   10150   Windows NetBIOS / SMB Remote Host Information Disclosure
