IBA Karachi - VAPT - Revalidation Report

The document details the findings of a network penetration test conducted at IBA Karachi. It outlines the scope, assets tested, and techniques used during the assessment. Several vulnerabilities were identified across systems, including insecure configurations, outdated software, and potential remote code execution issues.

Network Penetration Testing

Institute of Business Administration Karachi


VA/PT Project Report

Document Details

Document Name | Network Penetration Testing
Document Type | Revalidation Report
Prepared by   | Commtel
Approved for  | IBA Karachi
Date          | 2nd Feb, 2023


Table of Contents
Introduction
Scope
  Assets Covered
  Techniques Covered
Scale
Testing Environment
Findings Summary
Detail Classification
  Ineffective SOC Monitoring
  Ransomware Execution
  Man in the Middle Attack
  Authentication Bypass on LMS
  Data Confidentiality Breached
  Vulnerable MYSQL Version
  Vulnerable Apache httpd Versions
  Configuration file Detected
  Outdated Operating System
  Potential Remote Code Execution
  DDOS on Routers
  SSH Enumeration
  SNMP Enumeration
Conclusion


Introduction
Institute of Business Administration Karachi procured COMMTEL VA/PT services to evaluate the
security posture of the organization. The original project was held from 23rd December 2021 to 31st
December 2021 at the premises of IBA Karachi Main Campus.
As per standard practice, the Commtel Security Team has since re-validated the targeted systems for
the vulnerabilities reported, along with their updated statuses for IBA Karachi.
The Commtel security team thoroughly re-assessed and re-tested the IBA infrastructure as per the
provided scope for security weaknesses and prepared this report against the findings.

Note: This is a revalidation report, intended only for re-assessment of the previously discovered
vulnerabilities and their up-to-date status.

Scope
IBA has provided the assets listed below as the scope for the vulnerability assessment and
penetration testing.

Equipment/Service/Application | Total
Routers                       | 3
Switches                      | 2
Firewalls                     | 2
Server VMs                    | 10
Database instances            | 6
Total assets                  | 23

Assets Covered
Commtel covered all 26 assets in the re-assessment activity, except for the two assets that were not
available during the assessment because of maintenance, as listed below.

Asset | IP Address | Status | Revalidation Status

Web Assets
Portal2.iba.edu.pk | 172.16.4.65 | Fully tested | Fully tested
Portal.iba.edu.pk | 172.16.4.66 | Fully tested | Fully tested
Webapps.iba.edu.pk | 172.16.4.68 | Fully tested | Update in progress
Jobportal.iba.edu.pk | 172.16.4.120 | Fully tested | Fully tested
Onlinepayment.iba.edu.pk | 172.16.4.124 | Fully tested | Fully tested
Hrms.iba.edu.pk | 172.16.4.125 | Fully tested | Excluded
LMS.iba.edu.pk | 172.16.4.127 | Fully tested | Fully tested
Financials.iba.edu.pk | 172.17.4.74 | Fully tested | Excluded
https://lmsarchive.iba.edu.pk/portal | Unreachable | Out of bound | Out of bound
Lmsarchive2.iba.edu.pk | Unreachable | Out of bound | Out of bound

Routers
City Campus Router Primary (Huawei AR6120) | 111.68.108.129 | Fully tested | Fully tested
City Campus Router Secondary (Huawei AR6120) | 111.68.108.132 | Fully tested | Fully tested
City Voice Router (Cisco ISR 4331) | 10.1.5.5 | Fully tested | Fully tested
Router Main Campus | 111.68.111.129 | Fully tested | Fully tested
Main Campus Voice Router (Cisco ISR 4331) | 10.2.5.5 | Fully tested | Fully tested

Firewalls
Firewall City Campus (Sangfor NGFW53) | 111.68.108.130 | Fully tested | Fully tested
Firewall Main Campus (Sangfor NGFW54) | 111.68.111.130 | Fully tested | Fully tested

Switches
Core Switch City Campus | 10.1.1.2 | Fully tested | Fully tested
Core Switch Main Campus | 10.2.1.2 | Fully tested | Fully tested

Antivirus Servers
Server 1 | 172.16.1.60 | Fully tested | Excluded
Server 2 | 172.16.1.66 | Fully tested | Excluded

VM Servers
la-svm-host-pri6-iba-edu-pk | 172.16.1.70 | Fully tested | Fully tested
la-svm-host-pri2-iba-edu-pk | 172.16.1.71 | Fully tested | Fully tested
la-svm-host-pri1-iba-edu-pk | 172.16.1.72 | Fully tested | Fully tested
la-svm-host-pri4-iba-edu-pk | 172.16.1.73 | Fully tested | Fully tested
la-svm-host-pri3-iba-edu-pk | 172.16.1.74 | Fully tested | Fully tested
la-svm-host-pri7-iba-edu-pk | 172.16.1.75 | Fully tested | Fully tested
la-svm-host-pri5-iba-edu-pk | 172.16.1.76 | Fully tested | Fully tested


Techniques Covered
To identify security risks and vulnerabilities in the IBA Karachi environment, the Commtel team
covered the standard attack use cases listed below, which are used to compromise the environment,
along with their proofs of concept.

 Server attacks.
 Denial of Service attacks.
 Brute forcing.
 Access management attacks.
 Insecure communication.
 Sensitive information leakage/disclosure.
 Broken authentication.
 Remote code execution.

The high-level strategy for performing the in-scope activities was as follows:

 The scope of the penetration testing was limited to the IBA Karachi internal network and
the IBA website (hosted outside the network); all activities were performed within the
premises of IBA Karachi.
 The exercise was primarily based on white-box techniques; black-box techniques were also
applied in the project.
 All major potential and confirmed network-compromising attacks and vulnerabilities were
covered.


Scale
The vulnerabilities are divided into two categories, "Potential vulnerabilities" and "Confirmed
vulnerabilities"; the severity of each vulnerability is further characterized on a scale of severity levels
from 1 to 5, where 5 is the highest and most critical.

LEVEL | SEVERITY
1     | Information disclosure
2     | Low
3     | Medium
4     | High
5     | Critical

Note that the per-finding "Severity" values in the Detail Classification section below (e.g. 10, 7.5, 6)
are given on a 0 to 10 scale and do not map directly onto the 1 to 5 levels of this table.

Testing Environment

Type | Name | Description
Windows Server | Windows Server 2008, 2016 | Server machine operating system
Windows machine | Windows 10 | Microsoft Windows OS
Attacking machine | Kali Linux | Penetration testing suite
Security Testing Tools | Nessus Professional | Vulnerability assessment tool
Application Server | Locally hosted | To host and manage the application


Findings Summary
The highlights of the vulnerabilities and weaknesses observed in the IBA environment by testing the
respective assets are listed below.

Web Assets and VM Servers

Attack | Classification | Status
Outdated software | Unpatched and vulnerable software versions | Closed
Remote Code Execution | Remotely executing commands on the target machine | Closed
Command Shell Binding | Binding the target system to the attacker's system | Closed
Authentication bypass | Broken authentication | Closed
Customized Malware Attack | An undetected script that encrypts the target system | Closed
Weak Encryption | Weak hashing algorithm | Closed
Unencrypted Sensitive Data | Information leakage | Open
Server information leakage | Information leakage | Closed
Unsigned information | Information leakage | Closed

Network Assets

Discovery/Attack | WASC Threat Classification | Status
ARP Spoofing | Sending falsified ARP messages | Closed
MITM Attack | Man-in-the-middle attack | Closed
Fake Gateway | Spoofing the IP and MAC of the gateway so that traffic flows through the attacker's machine | Closed
SSH Fuzzing | Series of SSH requests with malicious version strings | Open

Detail Classification
Throughout the activity the Commtel security team uncovered a number of high-severity
vulnerabilities and weaknesses in the network, which were exploited for proof-of-concept purposes;
all of them are listed below along with details.

Ineffective SOC Monitoring

As informed, IBA has implemented a security operations center (SOC) whose role is to rigorously
monitor the IBA infrastructure round the clock for malicious activity. Vulnerability assessment and
penetration testing is, from the SOC's perspective, indistinguishable from malicious activity, as it does
exactly what an attacker would do to plan, discover, attack and exploit the network.

The Commtel VA/PT team executed 43 malicious activities over the span of a week that should have
been detected and responded to by the security operations center. After comparing the attack
activities with the SOC alerts, it was identified that 2 activities were detected and 5 were partially
detected, while the remaining 36 went undetected throughout the activity. This means that an
attacker could completely compromise the IBA infrastructure and still remain undetected by the
current security operations center.


The detailed analysis of SOC detection against each activity is given in the table below.

Sr # | Activity Name | Description | Time | IP address | SOC Response

23rd December, 2021
1 | ARP Spoofing | ARP spoofing and intercepting entire network traffic | 11:36 | 10.2.90.54 | Undetected
2 | Port scanning | Port scanning on 172.16.1.71 | 11:14 | 10.2.90.72 | Detected
3 | Port scanning | Port scanning on 172.16.1.72 | 3:11 | 10.2.90.71 | Undetected

24th December, 2021
4 | Port scanning | Core switches (city and main) | 11:35 | 10.2.94.18 | Detected
5 | Routers scan | Main campus routers | 11:40 | 10.2.90.62 | Undetected
6 | Enumeration | Service enumeration on core switches | 12:45 | 10.2.94.18 | Undetected
7 | Enumeration | Service enumeration on 172.16.1.70 and 172.16.1.71 | 3:15 | 10.2.90.56 | Partially detected (1 IP address, with false time)
8 | Port scanning | Port scanning on 172.16.1.72 and 172.16.1.73 | 3:33 | 10.2.90.72 | Undetected

28th December, 2021
9 | Port scanning | 172.16.4.68 | 10:46 | 10.2.90.159 | Undetected
10 | Port scanning | 172.16.1.75-76 | 11:24 | 10.2.90.63 | Undetected
11 | Fake port scanning | Fake aggressive port scanning on 10.2.90.80-90 from a fake machine | 11:27 | 10.2.90.70 | Undetected
12 | Fake port scanning | Fake aggressive port scanning on 10.2.90.70-80 from a fake machine | 11:27 | 10.2.90.71 | Undetected
13 | Fake port scanning | Fake aggressive port scanning on 172.16.1.50-60 and 172.16.1.72 from a fake machine | 11:27 | 10.2.90.72 | Partially detected (only 172.16.1.72 detected)
14 | Port scanning | 172.16.1.74 | 11:29 | 10.2.90.168 | Undetected
15 | Port scanning | 172.16.4.124-125 | 11:57 | 10.2.90.159 | Undetected
16 | Port scanning | 172.16.4.65-66 | 12:27 | 10.2.90.159 | Undetected
17 | Vulnerability scan | Nessus vulnerability scanning on VM servers (databases) | 2:46 | 192.168.98.132 | Partially detected (only one IP address)
18 | Port scanning | Nessus vulnerability scanning on AV servers | 3:10 | 192.168.98.132 | Undetected

29th December, 2021
19 | Port scanning | Deep-level port scanning on firewall (main) 111.68.11.130 | 11:06 | 10.2.90.64 | Undetected
20 | Vulnerability scan | Core switch 10.2.1.2 (main) | 11:10 | 192.168.98.132 | Undetected
21 | Vulnerability scan | Core switch 10.1.1.1 (city) | 11:16 | 192.168.98.132 | Undetected
22 | Port scanning | Deep-level port scanning on firewall (city) 111.68.108.130 | 11:22 | 10.2.90.64 | Undetected
23 | Vulnerability scan | Routers, main campus | 12:56 | 10.2.90.69 | Undetected
24 | Vulnerability scan | Routers, city campus | 3:03 | 10.2.90.69 | Partially detected (false IP address)

30th December, 2021
25 | MITM attack | Traffic interception on inbound 10.x and 172.x networks | 10:15-10:55 | 10.2.90.71 | Undetected
26 | Vulnerability scan | 172.16.4.68 | 3:56 | 192.168.98.132 | Undetected
27 | Vulnerability scan | 17.1.4.120 | 4:04 | 192.168.98.166 | Undetected
28 | Vulnerability scan | 172.16.4.127 | 4:13 | 192.168.98.134 | Undetected
29 | Vulnerability scan | 172.16.4.66 | 4:32 | 192.168.98.130 | Undetected

30th December, 2021
30 | Enumeration | 172.17.4.74 | 10:57 | 10.2.90.63 | Partially detected (false IP address)
31 | Enumeration | 172.16.4.125 | 11:03 | 10.2.90.63 | Undetected
32 | Enumeration | 172.16.4.65 | 11:10 | 10.2.90.63 | Undetected
33 | Log4j scanning | Web server assets | 11:15 | 10.2.90.65 | Undetected
34 | Enumeration | 172.16.4.124 | 11:18 | 10.2.90.63 | Undetected
35 | Malware attack | Malware attack on testing server 192.168.128.129 | 11:57 | 172.15.9.248 | Undetected
36 | Vulnerability scan | Antivirus servers vulnerability assessment | 3:13 | 10.2.90.63 | Undetected
37 | Vulnerability scan | City routers vulnerability assessment | 1:32 | 10.2.90.63 | Undetected
38 | Vulnerability scan | City campus firewall vulnerability assessment | 1:11 | 10.2.90.63 | Undetected
39 | Vulnerability scan | Main campus firewall vulnerability assessment | 12:56 | 10.2.90.63 | Undetected
40 | Vulnerability scan | Main campus router vulnerability assessment | 12:19 | 10.2.90.63 | Undetected
41 | Vulnerability scan | VM servers vulnerability assessment | 4:20 | 10.2.90.148 | Undetected
42 | Vulnerability scan | Switches (both) vulnerability assessment | 4:42 | 10.2.90.148 | Undetected
43 | Enumeration | Aggressive scanning and enumeration on 17.17.4.74 | 4:43 | 10.2.90.63 | Undetected
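The table above shows that 36 of 43 activities, most of them scans, produced no alert. The Python sketch below is an added example, not the report's code and not IBA's SOC rules, of the minimal flow-based rules a SIEM would run over firewall or NetFlow SYN records to catch the three patterns exercised during the test: a vertical scan (many ports on one host), a horizontal sweep (one port across many hosts), and a scan split across several "fake" source addresses (activities 11 to 13), which a per-source threshold alone misses. All flow records, thresholds and timings are constructed; the addresses are placeholders in the same ranges as the table, not captured traffic.

```python
"""Flow-based port-scan detection (vertical, horizontal and decoy/distributed).

Added example: a minimal version of the SIEM rule a SOC would run over
firewall or NetFlow SYN records. Thresholds and sample flows are constructed,
not IBA data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window for all three rules (assumed)
VERTICAL_PORTS = 10             # distinct ports on one target from one source
HORIZONTAL_HOSTS = 5            # distinct targets on one port from one source


def parse_flow_lines(text):
    """Parse '<ISO time> <src> <dst> <dport>' lines (e.g. exported SYN records)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def sample_flows():
    """Constructed flow records (not captured traffic): (time, src, dst, dport)."""
    t0 = datetime(2021, 12, 28, 11, 24, 0)
    ports = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]
    flows = []
    # (a) vertical scan: one source probes 12 ports on one host within 12 s
    for i, p in enumerate(ports):
        flows.append((t0 + timedelta(seconds=i), "10.2.90.63", "172.16.1.75", p))
    # (b) horizontal sweep: one source probes port 445 on 7 hosts
    for i, h in enumerate(["65", "66", "68", "120", "124", "125", "127"]):
        flows.append((t0 + timedelta(minutes=33, seconds=i), "10.2.90.159", "172.16.4." + h, 445))
    # (c) decoy scan: the same 12 ports on one host, spread over 3 spoofed sources
    decoys = ["10.2.90.70", "10.2.90.71", "10.2.90.72"]
    for i, p in enumerate(ports):
        flows.append((t0 + timedelta(minutes=3, seconds=i), decoys[i % 3], "172.16.1.72", p))
    # (d) benign: repeated HTTPS connections to a single host
    for i in range(3):
        flows.append((t0 + timedelta(minutes=6, seconds=5 * i), "10.2.90.10", "172.16.4.127", 443))
    return flows


def _windowed_distinct(flows, key, value, threshold, window):
    """Per key, sweep a sliding window and record the largest set of distinct
    values seen inside it once that set reaches `threshold`."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[key(f)].append((f[0], value(f)))
    hits = {}
    for k, events in buckets.items():
        events.sort()
        counts, left = defaultdict(int), 0
        for ts, v in events:
            counts[v] += 1
            while ts - events[left][0] > window:  # expire events outside the window
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold and len(counts) > len(hits.get(k, ())):
                hits[k] = set(counts)
    return hits


def detect_scans(flows, window=WINDOW):
    """Return (rule, source, target, count) alerts for the three scan patterns."""
    alerts = []
    vertical = _windowed_distinct(flows, lambda f: (f[1], f[2]), lambda f: f[3],
                                  VERTICAL_PORTS, window)
    for (src, dst), ports in vertical.items():
        alerts.append(("vertical_scan", src, dst, len(ports)))
    horizontal = _windowed_distinct(flows, lambda f: (f[1], f[3]), lambda f: f[2],
                                    HORIZONTAL_HOSTS, window)
    for (src, port), hosts in horizontal.items():
        alerts.append(("horizontal_sweep", src, port, len(hosts)))
    # Target-centric rule: distinct ports per destination regardless of source,
    # so a scan split across decoy/spoofed senders that each stay under
    # VERTICAL_PORTS is still caught.
    scanned_hosts = {a[2] for a in alerts if a[0] == "vertical_scan"}
    per_target = _windowed_distinct(flows, lambda f: f[2], lambda f: f[3],
                                    VERTICAL_PORTS, window)
    for dst, ports in per_target.items():
        if dst not in scanned_hosts:
            alerts.append(("distributed_scan", "*", dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(sample_flows()):
        print(alert)
```

The third rule counts distinct ports per destination regardless of source; with only the per-source threshold the decoy scan in the sample would pass as three harmless-looking four-port probes, which is the same blind spot the "fake machine" activities exposed.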


Ransomware Execution
Ransomware is a major security threat to organizations today, and protection against it should be
ensured. The Commtel security team nevertheless successfully executed a customized ransomware
sample on a network machine that had the "Kaspersky Endpoint Security" agent enabled. We were
able to bypass the agent, deploy our ransomware on the machine and encrypt the complete drive.
This is a major security flaw: the execution should have been detected and prevented by the endpoint
security tool.

This activity was performed on a testing server provided by IBA with IP address 192.168.128.129.

Impact
An attacker can encrypt the entire network, resulting in sensitive data loss and service unavailability.

Solution
 Implement a behaviour-based detection tool (EDR) instead of a typical signature-based AV.
 Strong security operations center monitoring.
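The solution above asks for behaviour-based detection rather than signatures. The Python sketch below is an added example, not the report's code and not what Kaspersky or any EDR product implements, of the core heuristic such a tool applies: ignore what the binary looks like and watch what the process does, here the rewriting of many files with near-random (high-entropy) content within a short window. The events, process names and file contents are constructed; the "encrypted" content is generated from a SHA-256 chain so that the example is deterministic and runs offline.

```python
"""Behaviour-based ransomware heuristic (entropy + mass-rewrite rate).

Added example, not the report's or any vendor's code: flags a process that
rewrites many files with high-entropy content inside a short window. All
events and file contents are constructed.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for encrypted output: a SHA-256 hash chain."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def sample_events():
    """Constructed file-write events: (seconds, process, path, new_content)."""
    doc = b"Quarterly budget notes. Revenue grew 4% while costs were flat. " * 64
    events = [
        (0.0, "winword.exe", r"C:\Users\ali\Documents\budget.docx", doc),
        (5.0, "winword.exe", r"C:\Users\ali\Documents\budget.docx", doc + b"\nFinal."),
        # one high-entropy write is normal (a downloaded archive): must not alert
        (8.0, "chrome.exe", r"C:\Users\ali\Downloads\tools.zip", pseudo_ciphertext(4096, b"zip")),
    ]
    # ransomware: 30 files rewritten with random-looking content in under 10 s
    for i in range(30):
        path = r"C:\Users\ali\Documents\file%02d.xlsx.locked" % i
        events.append((100.0 + 0.3 * i, "crypt.exe", path, pseudo_ciphertext(4096, path.encode())))
    return events


def detect_ransomware_behaviour(events, window=30.0, min_files=20, min_entropy=7.5):
    """Return [(process, files_rewritten)] for processes whose high-entropy
    writes cover at least `min_files` distinct files within `window` seconds.
    Thresholds are assumed, tuned here for the constructed sample."""
    by_proc = defaultdict(list)
    for t, proc, path, content in events:
        if shannon_entropy(content) >= min_entropy:
            by_proc[proc].append((t, path))
    alerts = []
    for proc, writes in by_proc.items():
        writes.sort()
        peak, left = 0, 0
        for right, (t, _) in enumerate(writes):
            while t - writes[left][0] > window:   # slide the window forward
                left += 1
            distinct = len({p for _, p in writes[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= min_files:
            alerts.append((proc, peak))
    return alerts


if __name__ == "__main__":
    print(detect_ransomware_behaviour(sample_events()))
```

A single high-entropy write (the constructed chrome.exe download) stays below min_files and is ignored, which is the false-positive case a naive entropy rule trips over; a real EDR combines this signal with extension renames, shadow-copy deletion and canary files, none of which are shown here.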

Proof of Concept

Figure 1.1: Execution of Ransomware

Figure 1.2: Kaspersky Agent didn’t detect the execution


Figure 1.3: A sample file on machine before ransomware execution

Figure 1.4: Sample file after the execution of ransomware

Figure 1.5: Ransom demand note placed on Drive


Man in the Middle Attack

A man-in-the-middle attack is a type of eavesdropping attack in which the attacker interposes
themselves in an existing conversation or data transfer. After inserting themselves in the "middle" of
the transfer, the attacker impersonates both legitimate participants. This enables the attacker to
intercept information and data from either party while also sending malicious links or other content
to both legitimate participants in a way that may not be detected until it is too late.

During the assessment the Commtel team observed that most of IBA Karachi's network communication
is in plain text, and the team was able to successfully sniff credentials from the traffic through a
man-in-the-middle attack.

Figure 2.1: Man in the Middle Attack Flow

Impact
 An attacker can install a packet sniffer to analyze network traffic for insecure communications and
compromise the confidentiality of data.
 Credentials can be obtained by sniffing and then used to compromise the integrity of systems.

Solution
Although MITM attacks are difficult to prevent entirely, the following precautions limit their impact:
 Implement network-flow rules in the SIEM to detect MITM (ARP spoofing) activity.
 Enforce TLS (HTTPS) for sensitive online transactions, e.g. via HSTS or browser plug-ins such as
Force TLS.
 Implement two-factor authentication.
 Use strong encryption for data flowing through the network.
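Activities 1 and 25 in the SOC table (ARP spoofing, traffic interception) and the first bullet of the solution above call for a SIEM rule on ARP behaviour. The following Python detector is an added example, not the report's code, of the two signals such a rule keys on: an IP whose MAC binding changes away from its reference, and one MAC answering for several IPs, which is what an ARP-spoofing tool does when it claims both the gateway and the victim. The replies, MACs and gateway address are constructed placeholders, not IBA values.

```python
"""ARP-spoofing detector over observed ARP replies.

Added example, not the report's code. Feed it the (time, sender_ip, sender_mac)
tuples a passive sniffer on the segment would log. All records below are
constructed; the gateway address and MACs are placeholders, not IBA values.
"""
from collections import defaultdict

GATEWAY_IP = "10.2.90.1"  # assumed gateway for the constructed sample


def sample_arp_replies():
    """Constructed ARP 'is-at' replies seen on the segment: (seconds, ip, mac)."""
    return [
        (0.0, "10.2.90.1", "aa:bb:cc:00:00:01"),    # real gateway answers a who-has
        (1.0, "10.2.90.54", "aa:bb:cc:00:00:54"),   # victim workstation
        (2.0, "10.2.90.71", "aa:bb:cc:00:00:71"),   # attacker's own, legitimate reply
        # poisoning starts: the attacker's MAC claims the gateway and the victim,
        # repeated every few seconds so the poisoned caches do not expire
        (10.0, "10.2.90.1", "aa:bb:cc:00:00:71"),
        (10.5, "10.2.90.54", "aa:bb:cc:00:00:71"),
        (12.0, "10.2.90.1", "aa:bb:cc:00:00:71"),
        (12.5, "10.2.90.54", "aa:bb:cc:00:00:71"),
        (30.0, "10.2.90.99", "aa:bb:cc:00:00:99"),  # unrelated host, no alert
    ]


def detect_arp_spoofing(replies, known_bindings=None, gateway=GATEWAY_IP):
    """Return alerts for (1) an IP whose MAC differs from its reference binding
    and (2) one MAC claiming more than one IP. The reference binding is the
    static table passed in or, failing that, the first reply seen for that IP.
    Each (ip, mac) conflict is reported once, not on every repeated reply."""
    reference = dict(known_bindings or {})
    ips_by_mac = defaultdict(set)
    reported = set()
    alerts = []
    for t, ip, mac in replies:
        expected = reference.setdefault(ip, mac)
        if expected != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            severity = "critical" if ip == gateway else "high"
            alerts.append((t, "binding_change", ip, expected, mac, severity))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((t, "mac_claims_multiple_ips", mac,
                               tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(sample_arp_replies()):
        print(alert)
```

Seeding known_bindings from DHCP leases or a static inventory closes the gap where the first reply the sensor sees is already the spoofed one; Dynamic ARP Inspection on the core switches is the preventive counterpart to this detective control.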


Proof of Concept

Figure 3.1: Sniffed packet showing the credential for testing account of IBA Portal

Authentication Bypass on LMS

Vulnerability Type | Authentication Bypass
Affected Assets    | 172.16.4.127
Severity           | 10

Description
During the activity the Commtel security team was able to bypass authentication on the targeted
web portal via a testing ID that had full control of an individual portal account; this security flaw was
probably left open after maintenance of the website.

Testing IDs are a simple attack path, and arguably the first attack vector an attacker would try in
order to bypass authentication on any web portal that has this weakness.

Impact
 Content of the account can be edited.
 The account password can be changed.
 Course outlines can be changed.
 Preferences of the account can be changed.
 Account details can be modified.

Solution
 Testing IDs should be deleted permanently after testing.
 Implementation of strict password policies.
 Implementation of SIEM rules to monitor the usage of generic IDs.


Proof of Concept

Figure 4.1: IBA learning portal account accessed

Figure 4.2: IBA learning portal account accessed

Figure 4.3: IBA learning portal account accessed


Data Confidentiality Breached

Vulnerability Type | Unauthorized access
Affected Assets    | 10.2.70.74
Severity           | 10

Description
The Commtel security team successfully performed a social engineering attack to get hold of personal
data hosted on the targeted asset.

The breached data was around 3 GB (2.96 GB actual) and contained network credentials, private
content and sensitive files (e.g. midterm papers, quizzes).

Impact
 The attacker gained access to sensitive files within the network, which can be used to further
expand the attacker's presence in the network and to blackmail the organization and its users.

Solution
 Implementation of a strong password policy.
 User awareness against social engineering attacks.

Proof of Concept

Figure 5.1: Virtual University Paper


Figure 5.2: IBA Assignment

Figure 5.3: Personal Documentation of IBA personals


Figure 5.4: Sharing folder

Figure 5.5: Breached Credentials


Vulnerable MYSQL Version

Vulnerability Type | Vulnerable Version
Affected Assets    | 172.16.4.68, 172.16.4.124, 172.16.4.127, 172.16.4.120, 172.16.4.125
Versions Running   | 5.7.24, 5.7.26, 8.0.18
Severity           | 6

Description
The MySQL versions running on the remote hosts are 5.7.x prior to 5.7.35 and 8.0.x prior to 8.0.26.
They are therefore affected by the multiple vulnerabilities addressed in the Oracle Critical Patch
Update of July 2021, which lists 5.7.34 and prior and 8.0.25 and prior as affected.

Impact
 Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of the MySQL
server.

Solution
 Upgrade MySQL to the latest stable release (at minimum 5.7.35 or 8.0.26).

Reference
https://www.oracle.com/security-alerts/cpujul2021.html#AppendixMSQL
https://www.oracle.com/a/tech/docs/cpujul2021cvrf.xml


Vulnerable Apache httpd Versions

Vulnerability Type | Vulnerable Version
Affected Assets    | 172.16.4.68, 172.16.4.124, 172.16.4.120, 172.16.4.125
Versions Running   | 2.4.37, 2.4.39, 2.4.41
Severity           | 7

Description
The Apache httpd versions running are in the range 2.4.37 to 2.4.42, which is affected by the multiple
vulnerabilities listed below.

- The affected asset is vulnerable to this issue ONLY if it is running the mod_ssl module; review the
web server configuration to validate. In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in
mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client
supporting Post-Handshake Authentication to bypass configured access control restrictions.

- In Apache HTTP Server versions 2.4.37 and prior, by sending request bodies in a slowloris fashion to
plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up
the incoming data. This affects only HTTP/2 (mod_http2) connections.

- In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to
be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL
within the request URL.

- In HTTP/2 (2.4.20 through 2.4.39), very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory
copied is that of the configured push link header values, not data supplied by the client.

- In Apache HTTP Server 2.4.18 to 2.4.39, using fuzzed network input, the HTTP/2 session handling
could be made to read memory after it had been freed, during connection shutdown.

- In Apache HTTP Server 2.4.0 to 2.4.39, a limited cross-site scripting issue was reported affecting the
mod_proxy error page. An attacker could cause the link on the error page to be malformed and
instead point to a page of their choice. This would only be exploitable where a server was set up
with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

Note that none of the issues enumerated above reaches 2.4.41; that host is still covered by the
upgrade recommendation below because later 2.4.x releases fix issues not listed here.

Impact
 Modification of some system files or information is possible, but the attacker does not have
control over what can be modified, or the scope of what the attacker can affect is limited.
 Reduced performance or interruptions in resource availability.

Solution
 Upgrade to Apache httpd 2.4.52.

Reference
https://attackerkb.com/topics/cve-2019-0215
http://httpd.apache.org/security/vulnerabilities_24.html
https://www.cvedetails.com/cve/CVE-2018-17189/
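Both the MySQL finding and the Apache httpd finding above reduce to comparing a banner version against the fixed releases. The following Python script is an added example (not Commtel's or Nessus's code) that parses the two banner formats and applies exactly the version ranges the report states, so it also shows which of the six httpd issues apply to each of 2.4.37, 2.4.39 and 2.4.41. The sample banners are constructed and are not tied to specific IBA hosts.

```python
"""Version triage for the MySQL and Apache httpd banners in this report.

Added example (not Commtel's or Nessus's logic): parses a service banner,
then checks it against the version ranges the report itself gives. The
banners below are constructed.
"""
import re

# Apache httpd 2.4.x issues as described in the report: (summary, first, last);
# first=None means "that release and all prior".
HTTPD_ISSUES = [
    ("mod_ssl TLSv1.3 post-handshake auth access-control bypass (mod_ssl only)", "2.4.37", "2.4.38"),
    ("HTTP/2 slowloris request-body thread exhaustion (mod_http2 only)", None, "2.4.37"),
    ("mod_rewrite self-referential redirect fooled by encoded newlines", "2.4.0", "2.4.39"),
    ("HTTP/2 early push (H2PushResource) memory overwrite", "2.4.20", "2.4.39"),
    ("HTTP/2 session use-after-free on connection shutdown", "2.4.18", "2.4.39"),
    ("mod_proxy error page limited XSS", "2.4.0", "2.4.39"),
]
HTTPD_RECOMMENDED = "2.4.52"           # the report's upgrade target
# MySQL: first fixed release after the "x and prior" bound the report cites.
MYSQL_FIXED = {(5, 7): "5.7.35", (8, 0): "8.0.26"}


def parse_version(s):
    """'2.4.39' -> (2, 4, 39); suffixes such as '-log' or '-0ubuntu' are ignored."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", s).group(0).split("."))


def product_and_version(banner):
    """Return ('httpd'|'mysql', version tuple) from an HTTP Server header or a
    MySQL greeting version string, or None if neither is recognised."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner, re.I)
    if m:
        return "httpd", parse_version(m.group(1))
    m = re.match(r"\s*(\d+\.\d+\.\d+)", banner)   # MySQL handshake starts with the version
    if m:
        return "mysql", parse_version(m.group(1))
    return None


def httpd_issues_for(version):
    """Summaries of the listed httpd issues whose range contains `version`."""
    v = parse_version(version) if isinstance(version, str) else version
    hits = []
    for summary, first, last in HTTPD_ISSUES:
        low_ok = first is None or parse_version(first) <= v
        if low_ok and v <= parse_version(last):
            hits.append(summary)
    return hits


def mysql_affected(version):
    """True when the 5.7/8.0 release is below the fixed level cited in the report."""
    v = parse_version(version) if isinstance(version, str) else version
    fixed = MYSQL_FIXED.get(v[:2])
    return fixed is not None and v < parse_version(fixed)


def triage(banners):
    """banners: {asset: banner} -> {asset: (product, version, needs_upgrade, detail)}."""
    out = {}
    for asset, banner in banners.items():
        pv = product_and_version(banner)
        if pv is None:
            out[asset] = ("unknown", None, None, "unrecognised banner")
            continue
        product, v = pv
        vs = ".".join(map(str, v))
        if product == "httpd":
            out[asset] = (product, vs, v < parse_version(HTTPD_RECOMMENDED), httpd_issues_for(v))
        else:
            fixed = MYSQL_FIXED.get(v[:2], "latest")
            out[asset] = (product, vs, mysql_affected(v), "upgrade to %s or later" % fixed)
    return out


SAMPLE_BANNERS = {  # constructed; hostnames are placeholders, not the report's assets
    "web-1": "Server: Apache/2.4.37 (Unix) OpenSSL/1.1.1",
    "web-2": "Server: Apache/2.4.41 (Ubuntu)",
    "db-1": "5.7.24-0ubuntu0.18.04.1-log",
    "db-2": "8.0.18",
    "other": "nginx/1.18.0",
}

if __name__ == "__main__":
    for asset, result in triage(SAMPLE_BANNERS).items():
        print(asset, result)
```

Running it shows 2.4.37 matching all six listed issues, 2.4.39 four of them and 2.4.41 none, while every host still reports needs_upgrade because the report's target is 2.4.52; the MySQL side flags 5.7.24 and 8.0.18 and clears 5.7.35 and 8.0.26.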


Configuration file Detected

Vulnerability Type | Information leakage
Affected Assets    | 172.16.1.70, 172.16.1.71, 172.16.1.72, 172.16.1.73, 172.16.1.74, 172.16.1.75, 172.16.1.76
Severity           | 4

Description
During enumeration of the HTTP and SSL services it was uncovered that default web configuration files
and server information were being disclosed via the default web page. The disclosed information also
contains details about the security endpoint and the hashes the server was using.

Impact
 This gives an attacker deep knowledge of the target machine, allowing attacks to be deployed more
efficiently, and the disclosed hashes can be attacked offline with a cracking tool.

Solution
 Remove unnecessary default web pages and do not serve configuration files.

Proof of Concepts

Figure 8.1: Configuration files


Figure 8.2: Configurations

Figure 8.3: Configuration files

Figure 8.4: Configuration


Outdated Operating System

Vulnerability Type | Outdated OS
Affected Assets    | 172.16.4.65, 172.16.4.66, 172.16.4.68, 172.17.4.74
Versions Running   | Microsoft Windows Server 2008 R2
Severity           | 8

Description
It was discovered that the targeted servers were running the outdated Microsoft Windows Server 2008
R2, which has a number of exploitable vulnerabilities.
Support for this version of Windows Server ended on 14 January 2020, so its continued use is not
advised.

Impact
 The associated vulnerabilities result in remote code execution, authentication bypasses, buffer
overflows and denial of service.

Solution
It is recommended to move to a supported Windows Server release (2016 or 2019).

References
https://www.cvedetails.com/product/11366/Microsoft-Windows-Server-2008.html?vendor_id=26


Potential Remote Code Execution

Vulnerability Type | Remote Code Execution
Affected Assets    | 172.17.4.74
Severity           | 10

Description
It was discovered that the outdated Windows Server 2008 R2 installation is vulnerable to CVE-2019-0708
("BlueKeep"), a high-severity vulnerability that can lead to remote code execution, as detailed below.

The RDP termdd.sys driver improperly handles binds to the internal-only channel MS_T120, allowing a
malformed Disconnect Provider Indication message to cause a use-after-free. With a controllable
data/size remote non-paged pool spray, an indirect call gadget of the freed channel is used to achieve
arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only targets currently
supported by the exploit module. Windows 7 SP1 should be exploitable in its default configuration,
assuming the target selection is correctly matched to the system's memory layout.
HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam *needs* to
be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard
configuration for normal servers, and the target will crash if the aforementioned registry key is not
set. If the target crashes regardless, the non-paged pool base in kernel memory will likely need to be
determined and set as the GROOMBASE option of the exploit module.

Impact
 A successful exploit results in unauthenticated remote code execution on the host.

Solution
It is recommended to upgrade the server to Windows Server 2016 or 2019. If this is not possible because
of dependencies, the following mitigations should be implemented:
o Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7,
Windows Server 2008 and Windows Server 2008 R2.
NLA blocks unauthenticated attackers from exploiting this vulnerability: with NLA turned on, an
attacker would first need to authenticate to Remote Desktop Services using a valid account on the
target system before being able to exploit the vulnerability.
o Block TCP port 3389 at the enterprise perimeter firewall.
TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the
network perimeter firewall helps protect systems behind that firewall from attempts to exploit this
vulnerability and from attacks that originate outside the enterprise perimeter. Blocking the affected
ports at the perimeter is the best defense against Internet-based attacks; however, systems remain
vulnerable to attacks from within the enterprise perimeter.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708

Proof of Concepts

Figure 10.1: BlueKeep Vulnerability


DDOS on Routers

Vulnerability Type | Remote Denial of Service
Affected Assets    | 10.2.5.5, 10.1.5.5
Severity           | 7.5

Description
It was observed during the activity that the Secure Shell (SSH) server implementation in Cisco IOS
contains multiple vulnerabilities that allow unauthenticated users to generate a spurious memory
access error or, in certain cases, reload the device.
The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended
as a security best practice for the management of Cisco IOS devices. SSH can be configured as part of
the AutoSecure feature in the initial configuration of IOS devices, by running AutoSecure after initial
configuration, or manually. SSH is enabled any time RSA keys are generated, such as when an HTTP
secure server or trust points for digital certificates are configured. Devices that are not configured to
accept SSH connections are not affected by these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this
vulnerability.
The advisory is posted at
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080521-ssh.

Impact
 Memory access errors and unavailability of service (device reload).

Solution
The following workarounds can be applied to mitigate this issue if disabling SSH is not possible.
1. VTY Access Class
It is possible to limit the exposure of the Cisco device by applying a VTY access class that allows only
known, trusted hosts to connect to the device via SSH.
For more information on restricting traffic to VTYs, consult:
http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389.

2. Infrastructure ACLs (iACL)
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic
that should never be allowed to target your infrastructure devices and block that traffic at the border
of your network. Infrastructure ACLs are considered a network security best practice and should be
considered a long-term addition to good network security as well as a workaround for this specific
vulnerability. The ACL example given in the Cisco advisory should be included as part of the deployed
infrastructure access list, which will protect all devices with IP addresses in the infrastructure IP
address range.

3. Control Plane Policing (CoPP)
The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the
advisory's example, only SSH traffic from trusted hosts and with "receive" destination IP addresses
is permitted to reach the route processor (RP).
Note: Dropping traffic from unknown or untrusted IP addresses may prevent hosts with dynamically
assigned IP addresses from connecting to the Cisco IOS device.

4. Fixed Software
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any
subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain
sufficient memory and that current hardware and software configurations will continue to be
supported properly by the new release. If the information is not clear, contact the Cisco Technical
Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table in the advisory describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each
are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train
that is earlier than the release in a specific column (less than the First Fixed Release) is known to be
vulnerable. The release should be upgraded at least to the indicated release or a later version (greater
than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult
http://www.cisco.com/warp/public/620/1.html.

References
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20080521-ssh.html
https://nvd.nist.gov/vuln/detail/CVE-2008-1159#vulnCurrentDescriptionTitle


SSH Enumeration

Vulnerability Type | SSH Fuzzing
Affected Assets    | 10.1.1.2, 10.2.1.2
Severity           | 7.5

Description
It was observed during the activity that the assets are vulnerable to SSH fuzzing, in which the devices
receive a series of SSH requests with malicious version strings.

Impact
 In certain configurations this can allow a remote attacker to decrypt and/or alter traffic via a
"Bleichenbacher attack".

Solution
Upgrade the SSH server on the switches to a current, fixed release.

Proof of Concept

Figure 12.1: SSH Fuzzer


Figure 12.2: SSH Fuzzer

SNMP Enumeration

Vulnerability Type | SNMP information leakage
Affected Assets    | 10.1.1.2, 10.2.1.2
Versions Running   | SNMPv1
Severity           | 5

Description
It was observed during the activity that the targeted assets are vulnerable to SNMP route
enumeration, a medium-risk weakness that is one of the most frequently found on networks around
the world. The issue has been around since at least 1990 but has proven either difficult to detect,
difficult to resolve, or prone to being overlooked entirely.

SNMPv1 is the original SNMP protocol and supports only 32-bit counters. It is easy to set up but is
protected only by a community string, which is sent in plain text by devices within a range of
permitted IP addresses.

If a malicious entity gains access to the network, they will therefore be able to recover the community
string in plain text. Once they have the community string, they can spoof a permitted source IP
address and interact with the device. The best way to control this risk is to restrict devices to SNMP
read-only access unless write access is absolutely necessary.

Impact
 An attacker may use this information to gain more knowledge about the network topology (routes,
VLANs).

Solution
 If not in use, disable the SNMP service or filter incoming UDP packets to port 161.
 Replace the default community string ("public") with a long, non-default value; the other common
vendor default, "private", is equally well known and must not be used.
 Upgrade to SNMPv3, which supports authentication and encryption (privacy mode).
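The description above says the SNMPv1 community string travels in plain text. The following Python code is an added example, not the report's code and not a full SNMP implementation: a minimal BER encoder that builds the GetRequest an SNMP manager sends, and the decoder a passive sniffer on the path would use to pull the community string straight out of the UDP payload. It also shows that for SNMPv3 the same position in the message holds no community at all, which is the reason for the upgrade recommendation. The OIDs, community strings and the list of "default" communities are constructed.

```python
"""SNMPv1/v2c GetRequest builder and the sniffer-side parser that recovers the
community string from the raw UDP payload.

Added example (not the report's code, not a full SNMP library): a minimal BER
encoder/decoder, enough to show why the community string is readable by
anyone who can see the packet. OIDs, community strings and the list of
default communities below are constructed.
"""
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private", "community", "manager"}  # assumed common defaults


def _ber_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v):
    """Non-negative INTEGER, with a leading 0x00 whenever the top bit would be set."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]                       # base-128, high bit on all but last
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id, version=0):
    """Encode SNMP Message {version, community, GetRequest-PDU} as sent to UDP/161."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")          # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def inspect_snmp(datagram):
    """What a passive sniffer learns from one SNMP datagram: version, community
    (None for SNMPv3, which carries no community field), PDU type, and whether
    the community is a well-known default."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:
        return {"version": "v3", "community": None, "pdu_type": None, "default_community": False}
    _, comm, pos = _read_tlv(body, pos)          # community is the second field, unprotected
    pdu_tag, _, _ = _read_tlv(body, pos)
    community = comm.decode("ascii", errors="replace")
    return {"version": SNMP_VERSIONS.get(version, str(version)), "community": community,
            "pdu_type": pdu_tag, "default_community": community in DEFAULT_COMMUNITIES}


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.4.21", 0x1234)   # ipRouteTable
    print(pkt.hex())
    print(inspect_snmp(pkt))
```

The decoder recovers the community without any key; the community string is the only credential SNMPv1 and v2c have, so changing it protects nothing against an attacker who can already sniff the segment, which is why restricting sources with an ACL and moving to SNMPv3 are the durable fixes.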

Proof of Concepts

Figure 13.2: VLANs Information leakage

Conclusion
It was concluded that the overall security of the IBA infrastructure is at stake and has multiple issues
that should be remediated as per the suggestions above; in addition, the capacity of the endpoint
protection and monitoring services should be increased.
