As we continued with the external penetration testing of the live IPs 52.74.81.8 and 52.76.233.247, we found some potentially high-risk network vulnerabilities, details of which are given below.
1. FTP credentials transmitted unencrypted (ftp-plaintext-auth)
The server supports authentication methods in which credentials are sent in plaintext over an unencrypted channel. An attacker who intercepts traffic between a client and this server with a sniffing tool such as Wireshark would see the credentials.
Affected nodes: 52.74.81.8:21, 52.76.233.247:21
Additional information: Running FTP service. Configuration item ftp.plaintext.authentication set to 'true' matched.
Steps to reproduce:
a) Log in to the FTP service from a command prompt (CMD)
b) Open Wireshark and capture the login request
c) Observe the credentials in the captured packets
Proof of concept: see the attached screenshots image001.png and image002.png.
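The capture step above can be turned into a repeatable check. The following is an added example, not part of the report: it replays constructed FTP control-channel lines (as a sniffer on port 21 would see them) and flags any session that sent USER/PASS before upgrading to TLS with AUTH TLS (RFC 4217). The session tags and credentials are made up for the test.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: client->server control-channel lines from two FTP
# sessions, tagged with a session id. Session A logs in in the clear;
# session B issues AUTH TLS first, after which the sniffer only sees
# ciphertext (modelled here as an unparseable line).
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("A", "USER alice"),
    ("A", "PASS hunter2"),
    ("A", "LIST"),
    ("B", "AUTH TLS"),
    ("B", "\x17\x03\x03..."),  # TLS application data, not a command
]


@dataclass
class Finding:
    session: str
    username: Optional[str] = None
    password_seen: bool = False


def audit_ftp_capture(lines: List[Tuple[str, str]]) -> Dict[str, Finding]:
    """Return one Finding per session that sent USER/PASS on a cleartext channel."""
    encrypted = set()  # sessions that have issued AUTH TLS/SSL
    findings: Dict[str, Finding] = {}
    for session, line in lines:
        if session in encrypted:
            continue  # everything after AUTH TLS is inside the TLS channel
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            encrypted.add(session)
        elif cmd == "USER":
            findings.setdefault(session, Finding(session)).username = arg
        elif cmd == "PASS":
            # record only that a password was exposed, never the value itself
            findings.setdefault(session, Finding(session)).password_seen = True
    return findings


if __name__ == "__main__":
    for f in audit_ftp_capture(SAMPLE_CAPTURE).values():
        print(f"session {f.session}: user={f.username!r} password_exposed={f.password_seen}")
```

Against the real service the same logic applies to a pcap export of the port 21 stream; a session that shows USER/PASS without a preceding AUTH TLS confirms the finding.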
2. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)
Description: The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate. Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting it, as specified in the CA's Certification Practice Statement (CPS). Standard certificate validation therefore requires the subject CN field of a certificate to match the actual name of the entity presenting it. For example, in a certificate presented by "https://www.example.com/", the CN should be "www.example.com". To detect and prevent active eavesdropping, the validity of a certificate must be verified; otherwise an attacker could launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, which should match the name of the entity (hostname). A CN mismatch most often results from a configuration error, though it can also indicate that a man-in-the-middle attack is in progress.
Affected nodes: 52.74.81.8:443, 52.76.233.247:443
Additional information: The subject common name found in the X.509 certificate does not seem to match the scan target:
- Subject CN www.oxfordmaths.co.in does not match target name specified in the site.
- Subject CN www.oxfordmaths.co.in does not match DNS name specified in the site.
- Subject CN resolved IP address differs from node IP address specified in the site.
- Subject CN resolved IP address differs from node IP address specified in the site.
- Subject Alternative Name www.oxfordmaths.co.in does not match target name specified in the site.
- Subject Alternative Name oxfordmaths.co.in does not match target name specified in the site.
- Subject Alternative Name www.oxfordmaths.co.in does not match DNS name specified in the site.
- Subject Alternative Name oxfordmaths.co.in does not match DNS name specified in the site.
Steps to reproduce:
a) Open the Nexpose vulnerability assessment tool
b) Run a scan for the given IP
c) Observe the finding in the scan results
Proof of concept: see the attached screenshots image003.png and image004.png.
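The scanner output above is consistent with the target having been specified by IP address: the certificate's DNS identifiers are internally consistent, but an IP target can only be matched against an iPAddress SAN. The following added example (not part of the report or of Nexpose) implements that matching rule, RFC 6125 style, over a constructed model of the certificate built from the CN and SAN values the scanner listed; the `REPORTED_CERT` dictionary and its empty `san_ip` list are assumptions.

```python
import ipaddress
from typing import List

# Constructed from the identifiers the scanner reported: CN plus two dNSName
# SANs. No iPAddress SAN was reported, so an IP target cannot match.
REPORTED_CERT = {
    "subject_cn": "www.oxfordmaths.co.in",
    "san_dns": ["www.oxfordmaths.co.in", "oxfordmaths.co.in"],
    "san_ip": [],
}


def dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a single '*' is allowed
    only as the entire leftmost label and must leave at least two labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial wildcards such as 'w*.example.com' are rejected
    return p_labels[1:] == h_labels[1:]


def matching_identifiers(cert: dict, target: str) -> List[str]:
    """Return the certificate identifiers that match the target; empty means mismatch.

    An IP-address target is compared only with iPAddress SANs, never with
    dNSName SANs or the CN. The CN is consulted only when the certificate
    carries no dNSName SAN at all (RFC 6125 section 6.4.4)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return [s for s in cert["san_ip"] if ipaddress.ip_address(s) == ip]
    matched = [n for n in cert["san_dns"] if dns_name_match(n, target)]
    if not cert["san_dns"] and dns_name_match(cert["subject_cn"], target):
        matched.append(cert["subject_cn"])
    return matched


if __name__ == "__main__":
    for target in ("52.74.81.8", "www.oxfordmaths.co.in", "oxfordmaths.co.in"):
        print(target, "->", matching_identifiers(REPORTED_CERT, target) or "MISMATCH")
```

If the site is meant to be reached by hostname, rescanning with the hostname as the target should clear the finding; if clients really connect by IP, the certificate needs an iPAddress SAN for that address.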
3. SMB signing disabled (cifs-smb-signing-disabled)
Description: This system does not allow SMB signing. SMB signing lets the recipient of SMB packets confirm their authenticity and helps prevent man-in-the-middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure), enabled, or required (most secure).
Steps to reproduce:
a) Open the Nexpose vulnerability assessment tool
b) Run a scan for the given IP
c) Observe the finding in the scan results
Proof of concept: see the attached screenshot image005.png.
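The three states named above are what a scanner reads from the SecurityMode field of the server's SMB2 NEGOTIATE response (SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001, SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002). The following added example, not from the report or from Nexpose, decodes that field from a raw negotiate response and classifies it; the response bytes are constructed in the block so it runs offline, and it models SMB2 only, not the SMB1 dialect.

```python
import struct

SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
SMB2_HEADER_LEN = 64
NEGOTIATE_RESPONSE_SIZE = 65  # fixed StructureSize of the NEGOTIATE response body


def classify_security_mode(security_mode: int) -> str:
    """Map SecurityMode bits to the report's three states."""
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def security_mode_from_negotiate_response(packet: bytes) -> int:
    """Extract SecurityMode from a raw SMB2 NEGOTIATE response (header + body).

    The 64-byte SMB2 header carries the Command at offset 12 (0x0000 =
    NEGOTIATE); the body starts with StructureSize (65) then SecurityMode."""
    if packet[:4] != b"\xfeSMB" or len(packet) < SMB2_HEADER_LEN + 4:
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", packet, 12)
    if command != 0x0000:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", packet, SMB2_HEADER_LEN)
    if structure_size != NEGOTIATE_RESPONSE_SIZE:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return security_mode


def build_sample_negotiate_response(security_mode: int) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response for offline testing.
    Only the fields this check reads are populated meaningfully."""
    header = bytearray(SMB2_HEADER_LEN)
    header[0:4] = b"\xfeSMB"
    struct.pack_into("<H", header, 4, SMB2_HEADER_LEN)  # header StructureSize
    struct.pack_into("<H", header, 12, 0x0000)          # Command = NEGOTIATE
    struct.pack_into("<I", header, 16, 0x00000001)      # Flags: SERVER_TO_REDIR
    # body: StructureSize, SecurityMode, DialectRevision (SMB 2.1), rest zeroed
    body = struct.pack("<HHH", NEGOTIATE_RESPONSE_SIZE, security_mode, 0x0210)
    return bytes(header) + body + bytes(NEGOTIATE_RESPONSE_SIZE - len(body))


if __name__ == "__main__":
    for mode in (0x0000, SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        pkt = build_sample_negotiate_response(mode)
        print(hex(mode), "->", classify_security_mode(security_mode_from_negotiate_response(pkt)))
```

Only the "required" state defeats a man-in-the-middle that simply negotiates signing away, which is why the report ranks it as the most secure option.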
Along with the above high-risk vulnerabilities, we have also found some other vulnerabilities, the risk of which we are still evaluating as the process is ongoing.
We shall continue to evaluate and validate the above vulnerabilities in tandem with the other network vulnerabilities.