1.0 Executive Summary

1.1 Overview

Example Institute (CLIENT) engaged PurpleSec, LLC to conduct penetration testing against the security controls within their information environment, both to provide a practical demonstration of those controls’ effectiveness and to provide an estimate of their susceptibility to exploitation and/or data breaches. The test was performed in accordance with the PurpleSec Information Security Penetration Testing Method. PurpleSec’s Information Security Analyst (ISA) conducted all testing in coordination with CLIENT’s Information Technology (IT) staff members to ensure safe, orderly, and complete testing within the approved scope.

CLIENT’s information environment is protected by endpoint antivirus and administrative controls managed through Active Directory. The environment contains numerous vulnerabilities, including some very serious security flaws such as EternalBlue, which make its systems susceptible to data breaches and system takeovers. Highly sensitive files containing HIPAA-protected and payment information are easily accessible and highly visible, putting CLIENT at great risk of compliance violations and potentially subject to large fines and/or loss of business reputation.
1.2 High-Level Test Outcomes

Internal penetration test: Intended to simulate the network-level actions of a malicious actor who has gained a foothold within the internal network zone.

Overall, CLIENT presents a high-risk attack surface: major critical vulnerabilities that allowed complete root access to multiple systems exist within CLIENT’s critical infrastructure.
The EPO server and the Remote Desktop Server were both susceptible to EternalBlue; a shell was opened remotely on both by exploiting the SMBv1 vulnerability with a publicly available exploit module that remotely attacked the spoolsv.exe service via port 445 (SMB). The Remote Desktop server contained numerous user files belonging to CLIENT’s staff members. Traversing the user profile data revealed many files that contained private patient healthcare information, including diagnostics, health insurance information, and transaction receipts. The ability to control the system as NT Authority makes data exfiltration trivial, as user-specific permissions do not apply to the NT Authority user.
Two other systems had the SChannel (CVE-2014-6321) vulnerability, which makes them susceptible to DoS via code sent over Schannel. A script can be written to exploit this vulnerability and cause the receiving system to open multiple threads and lock up the processor. This was not exploited, as PurpleSec does not use DDoS in its testing.
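For the two finding classes above (EternalBlue over SMBv1 on TCP/445, and the Schannel flaw tracked as CVE-2014-6321), the host-side check a CLIENT administrator would run while verifying remediation. This is an added example and is not part of the PurpleSec report or its testing method; it uses standard Windows cmdlets (Get-SmbServerConfiguration, Get-WindowsOptionalFeature, Get-HotFix, Get-NetFirewallRule) and assumes the KB numbers listed in the script, which are the ones commonly associated with MS17-010 and MS14-066 and should be confirmed against Microsoft's advisory for each OS build before being treated as authoritative.

```powershell
# Added example (not from the PurpleSec report): audit one Windows host for the
# preconditions behind the two findings above. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules).

# Assumption: KB numbers commonly associated with each bulletin. Confirm the exact
# KB for your OS build against Microsoft's advisory. On Windows 10 / Server 2016+
# cumulative updates supersede these, so "no listed KB found" means "review",
# not "confirmed vulnerable".
$KbByBulletin = @{
    'MS17-010 (EternalBlue, SMBv1)'        = @('KB4012212','KB4012213','KB4012214','KB4012215',
                                             'KB4012216','KB4012217','KB4012598','KB4012606',
                                             'KB4013198','KB4013429')
    'MS14-066 (Schannel, CVE-2014-6321)'   = @('KB2992611')
}

function Get-SmbV1Exposure {
    # SMBv1 enabled on the server side is the precondition EternalBlue needs;
    # disabling it removes the attack path regardless of patch level.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown (feature not present on this OS)' }
        Smb2Enabled       = $server.EnableSMB2Protocol
    }
}

function Get-BulletinStatus {
    param([hashtable]$Map = $KbByBulletin)
    # Compare installed hotfix IDs against the KBs listed for each bulletin.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($bulletin in $Map.Keys) {
        $present = @($Map[$bulletin] | Where-Object { $installed -contains $_ })
        [pscustomobject]@{
            Bulletin  = $bulletin
            MatchedKB = ($present -join ',')
            Status    = if ($present.Count -gt 0) { 'Patched' } else { 'Review: no listed KB found' }
        }
    }
}

function Get-Smb445Exposure {
    # Enabled inbound allow rules for TCP/445, the port the report's exploit path used.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445')
        } |
        Select-Object DisplayName, Profile
}

Write-Host '== SMBv1 state =='
Get-SmbV1Exposure | Format-List
Write-Host '== Patch status =='
Get-BulletinStatus | Format-Table -AutoSize
Write-Host '== Enabled inbound rules allowing TCP/445 =='
Get-Smb445Exposure | Format-Table -AutoSize

# Remediation for the EternalBlue finding (uncomment to apply after change control):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

The firewall check matters because the report's exploit path ran over SMB on port 445 from inside the network zone; a host that still needs SMB for file sharing should at least restrict 445 to the subnets that require it. The Schannel finding has no configuration toggle equivalent to disabling SMBv1, so for that one the patch status is the only host-side signal the script can give.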
PEN TEST REPORT: EXAMPLE INSTITUTE
JANUARY 1, 2020