PENETRATION TEST REPORT
<Client>
18-09-2020
John Mathew
cyberexpert@john-
[Link]
Preface
This document, and all accompanying materials, may contain information that could severely damage or
impact the integrity and security of the organization if disclosed publicly. This document, and all
accompanying materials, should be safeguarded at all times and maintained in a secure area when not in use.
The Penetration Tester assumes no responsibility or liability for the security of this document or any
accompanying materials after delivery to the organization <Client>. It is the organization’s responsibility to
safeguard this material after delivery. This report contains proprietary information that is not to be shared,
copied, disclosed or otherwise divulged without the express written consent of <Client> or their designated
representative. Use of this reporting format by anybody other than <Client> or its subsidiaries is strictly
PROHIBITED, and may be prosecuted to the fullest extent of the law.
Disclaimer: The recommendations contained in this report are based on industry standard “Best
Practices”. Best practices are, by necessity, generic in nature and may not take into account exacerbating or
mitigating circumstances. The information presented in this document is provided as is and without warranty.
Vulnerability assessments are a “point in time” analysis and as such it is possible that something in the
environment could have changed since the tests reflected in this report were run. Also, it is possible that new
vulnerabilities may have been discovered since the tests were run. For this reason, this report should be
considered a guide, not a 100% representation of the risk threatening your applications.
Contact Information:
<Client>
Name               Title                 Contact Information
<Client_Contact>   Project Lead          Mob: <Mob_Number>
Assessor Contact
Name               Title                 Contact Information
John Mathew        Penetration Tester    Email: cyberexpert@john-
[Link]
1
Confidential Information
Executive Summary
Overview
John Mathew engaged in an activity to conduct Vulnerability Analysis and Penetration Testing of the <Client>
network. The purpose of the engagement was to use active exploitation techniques to evaluate the security of
the application against best-practice criteria, to validate its security mechanisms and to identify
application-level vulnerabilities.
This report details the scope of testing conducted and all significant findings, along with detailed remedial
advice. The summary below provides a non-technical audience with an overview of the key findings and relates
these back to business impacts. Section two of this report presents the key findings in detail.
Correct implementation of the recommendations contained in this report will result in an improved security
posture. It should be noted that the data included within this report represents only a snapshot in time; best
practice recommends that security assessments be conducted periodically.
Methodology
The assessment testing methodology has been adapted to cover only network misconfigurations and the audit
of network devices, omitting the exploitation of application-level vulnerabilities. The objective of a security
assessment is to examine the subsystems, components, and security mechanisms composing the network
infrastructure and identify weaknesses. To that end, the security testing approach for the internal network
vulnerability assessment and penetration test consists of the following key stages:
Network Mapping and Data Collection – This activity is concerned with the collection of data regarding
standard network devices, protocols, and services. The tools and techniques applied are designed to not affect
normal computer and network operations.
Host discovery scan – The methodology used to discover IP-addressable devices is an ICMP echo-request
combined with focused TCP SYN scans targeting the most common TCP ports. This allows the team to find nearly
100% of the IP-addressable devices. Devices that do not respond to ICMP echo-requests, or that are prevented
from responding (behind firewalls, transparent devices, etc.), will usually respond to requests to initiate a
session on a port that they have open. Conversely, devices that are not running any of the 30 most common
services may still respond to ICMP echo-requests. The union of the devices gathered using both techniques
represents a snapshot of the IP-addressable devices in scope. There may be other devices on the network that
will not be accounted for: devices that are configured to respond only to particular IP addresses, for instance,
will not respond to any of the team's queries, and devices that are not connected to the network at the time of
testing, or that are powered down, will not be included in the final discovery report. The output of this scan
will be included as an appendix to the main report. Data collected during this stage includes:
• Service scanning (port scanning)
• Banner checking
• Operating system identification and version information
• Device data (e.g., SNMP information)
• File sharing information (e.g., NFS and SMB/CIFS shares)
• Accounts, passwords, security and auditing policies
• IP addresses (active and inactive)
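The discovery stage above produces the host and open-port inventory that Appendix A reports. The following script is an added example, not part of the original report or of any tool named in it: it parses nmap's XML output (the `-oX` format) into that inventory, keeps the reason each host was considered up (echo-reply versus a SYN/ACK on a probed port, exactly the distinction the methodology relies on), and flags hosts exposing a telnet or web management interface so they can be queued for a credential review. The XML below is constructed sample data, not output from the assessed network; the management-port set and the `HostRecord` layout are this example's own choices.

```python
"""Turn nmap XML output into the discovery-stage host/port inventory (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of nmap -oX output; addresses are from the documentation range 192.0.2.0/24.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -PE -PS22,23,80,443 -oX - 192.0.2.0/29">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# TCP ports on which network devices commonly expose a management interface (this example's choice).
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 443: "https"}


@dataclass
class HostRecord:
    addr: str
    reason: str                                     # why nmap considers the host up: echo-reply, syn-ack, ...
    open_ports: list = field(default_factory=list)  # (port, service name, product/version) tuples


def _service_label(port_el):
    """Service name plus a 'product version' string if nmap recorded one."""
    svc = port_el.find("service")
    if svc is None:
        return "", ""
    product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
    return svc.get("name", ""), product


def parse_inventory(xml_text: str) -> list:
    """Return HostRecords for every host nmap reported as up, sorted by address."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down / no-response hosts are not part of the discovered snapshot
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        rec = HostRecord(addr_el.get("addr"), status.get("reason", "unknown"))
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # closed and filtered ports are not listed in the appendix
            name, product = _service_label(p)
            rec.open_ports.append((int(p.get("portid")), name, product))
        rec.open_ports.sort()
        hosts.append(rec)
    hosts.sort(key=lambda r: tuple(int(octet) for octet in r.addr.split(".")))
    return hosts


def management_exposure(hosts) -> dict:
    """Map address -> open management ports, for hosts that expose at least one."""
    exposed = {}
    for rec in hosts:
        mgmt = [port for port, _, _ in rec.open_ports if port in MANAGEMENT_PORTS]
        if mgmt:
            exposed[rec.addr] = mgmt
    return exposed


def render_appendix(hosts) -> str:
    """Plain-text table of discovered hosts and open ports, as an appendix would list them."""
    lines = ["Address        Discovery      Open ports"]
    for rec in hosts:
        ports = ", ".join(f"{port}/{name}" + (f" ({product})" if product else "")
                          for port, name, product in rec.open_ports) or "-"
        lines.append(f"{rec.addr:<14} {rec.reason:<14} {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_NMAP_XML)
    print(render_appendix(inventory))
    for addr, ports in management_exposure(inventory).items():
        print(f"review credentials on {addr}: management ports open {ports}")
```

The `reason` field is worth keeping in the inventory: a host listed as `syn-ack` was found only because one of the probed ports answered, which is the case the methodology describes for devices that block ICMP, so a host discovered that way is evidence that the port set chosen for the SYN probes matters to coverage.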
Vulnerability Identification – The vulnerability identification stage of testing includes targeting specific host
and network facilities for exposure to security weaknesses (i.e., exploitation of vulnerabilities). During this
stage, both automated tools and manual methods are used to catalog network and system vulnerabilities
against available vulnerability databases. Sources of these vulnerability databases include, but are not limited
to, open sources such as CERT, NVD, OSVDB, BugTraq, and hacker channels.
Penetration Testing – The goal of penetration testing is to determine if the protective controls of a given
system can be bypassed. At this stage of testing, attempts are made to circumvent security controls by
devising penetration profiles using acquired target information and vulnerability identification results.
Network Segmentation Testing – Segmentation testing is conducted to confirm the needed isolation between
subnets/networks. Network segmentation is evaluated from the perspective of a normal user outside of the
segment of concern. This assessment ensures systems that store, process, or transmit sensitive data are
isolated from those that do not.
Analysis and Reporting – Test results are analysed and incorporated into a report addressing the
vulnerabilities present in the network, network devices, and specific systems. The potential impact of
vulnerability will be discussed and may be used as input for further risk analyses. In addition to describing the
security posture of the network, the report will provide recommendations for safeguarding systems to ensure
continued secure operations including tools, policies, procedures, and information sources.
Summary of Findings
The graph below shows a summary of the number of vulnerabilities found for each impact level for the Web
Application Security Assessment.
[Chart: Web Application Vulnerabilities by Severity – bars for Critical, High, Medium and Low on a 0–10 count axis]
Table of Contents
Preface                                                   1
Executive Summary                                         2
1. Introduction                                           5
   Overview                                               5
   Purpose and Scope                                      5
   Document Overview                                      5
   Finding severity ratings                               6
   Exploitation Confidence Classifications                6
2. Assessment Findings                                    7
   Overview                                               7
   Summary of Findings                                    7
   Tools                                                  7
3. Technical Details                                      7
   Default user credentials for CISCO managed switches    7
   srw2024p/tdp/2347109                                   8
   VoIP phones using default credentials                  8
Appendix A – Supporting Information                      10
Appendix B – Assignment of Risk Levels                   10
1. Introduction
Overview
This report documents the findings for the Network Security Assessment of <Client>
conducted from 5th April 2024 to 7th April 2024. All testing performed is based on the NIST SP 800-115
Technical Guide to Information Security Testing and Assessment, and customized testing frameworks. The phases
of penetration testing activities are the following:
• Planning – Customer goals are gathered, and rules of engagement obtained.
• Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak areas, and
exploits.
• Attack – Confirm potential vulnerabilities through exploitation and perform additional discovery upon
new access.
• Reporting – Document all found vulnerabilities and exploits, failed attempts, and company strengths
and weaknesses.
Purpose and Scope
The purpose of the engagement was to utilize exploitation techniques in order to identify and validate
potential vulnerabilities across all systems within scope.
The activity performed a Network Security Assessment of the Core Network, with the following IP ranges defined
as in scope:
• [Link]/22
• [Link]/22
• [Link]/23
Network Information
Address                  [Link]
Server                   Nginx
Operating System         Linux
Identified Technologies  Angular
Responsive               Yes
Document Overview
Section 2, Assessment Findings, includes details concerning the vulnerabilities identified during this testing
effort, as well as recommendations. Section 3, Technical Details, provides in-depth information on the
recommendations to remedy the vulnerabilities.
Finding severity ratings
Level          CVSS v3 score range   Description
Critical       9.0 – 10.0            Exploitation is straightforward and usually results in system-level compromise. It is advised to form a plan of action and patch immediately.
High           7.0 – 8.9             Exploitation is more difficult but could cause elevated privileges and potentially a loss of data or downtime. It is advised to form a plan of action and patch as soon as possible.
Medium         4.0 – 6.9             Vulnerabilities exist but are not exploitable or require extra steps such as social engineering. It is advised to form a plan of action and patch after high-priority issues have been resolved.
Low            0.1 – 3.9             Vulnerabilities are non-exploitable but increase an organisation’s attack surface. It is advised to form a plan of action and patch during the next maintenance window.
Informational  N/A                   No known vulnerability exists. Additional information is provided regarding items noticed during testing, strong controls, and additional documentation.
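The severity table above and the "vulnerabilities by severity" chart in the Executive Summary are two views of the same data: each finding's CVSS v3 base score is placed in a band, and the bands are counted. The script below is an added example, not part of the original report: it applies the table's bands exactly as stated, treats a finding with no score as Informational, handles the one case the table leaves undefined (a score of exactly 0.0, which falls below the Low band), and renders the per-level counts as a text bar chart. The finding names and scores in `SAMPLE_FINDINGS` are constructed for the example; this report's own findings are recorded without CVSS scores.

```python
"""CVSS v3 score to severity band, plus the per-level summary chart (added example)."""
from collections import Counter

# Bands exactly as in the "Finding severity ratings" table: (lower bound, upper bound, level).
SEVERITY_BANDS = [
    (9.0, 10.0, "Critical"),
    (7.0, 8.9, "High"),
    (4.0, 6.9, "Medium"),
    (0.1, 3.9, "Low"),
]
LEVEL_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]


def severity_from_cvss(score):
    """Return the report's severity level for a CVSS v3 base score; None (no score) is Informational."""
    if score is None:
        return "Informational"
    score = round(float(score), 1)  # CVSS base scores carry one decimal; rounding stops 6.95 falling between bands
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for low, high, level in SEVERITY_BANDS:
        if low <= score <= high:
            return level
    return "Informational"  # only 0.0 reaches here: the table defines no band for it, so treat it as informational


def summarize(findings) -> dict:
    """findings: iterable of (title, cvss_score). Returns {level: count} in the report's level order."""
    counts = Counter(severity_from_cvss(score) for _, score in findings)
    return {level: counts.get(level, 0) for level in LEVEL_ORDER}


def render_chart(summary: dict, width: int = 10) -> str:
    """Plain-text stand-in for the 'Vulnerabilities by Severity' bar chart (Informational shown only if non-zero)."""
    lines = []
    for level, n in summary.items():
        if level == "Informational" and n == 0:
            continue
        lines.append(f"{level:<14}|{'#' * n:<{width}}| {n}")
    return "\n".join(lines)


# Constructed sample findings (titles and scores are illustrative, not this report's findings).
SAMPLE_FINDINGS = [
    ("Constructed finding A", 6.5),
    ("Constructed finding B", 5.3),
    ("Constructed informational note", None),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_FINDINGS)
    print(render_chart(summary))
```

Keeping the bands in one table and reading the score back through `round(..., 1)` means a finding's level cannot disagree with the chart that counts it, which is the consistency a reader checks first when the summary graph and the technical details are on different pages.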
Exploitation Confidence Classifications
Confidence   Description
High         Exploitation methods are well-known and can be performed using publicly available tools. Low-skilled attackers and automated tools could successfully exploit the vulnerability with minimal difficulty.
Medium       Exploitation methods are well-known and may be performed using public tools, but require configuration. Understanding of the underlying system is required for successful exploitation.
Low          Exploitation requires deep understanding of the underlying systems or advanced technical skills. Precise conditions may be required for successful exploitation.
2. Assessment Findings
Overview
This section discusses the vulnerabilities and areas of concern discovered during the <Client> network
security assessment. The first section, titled Summary of Findings, provides a concise list of the most severe
vulnerabilities and areas of concern identified during the assessment. The section titled Tools lists the tools
used for the assessment.
Summary of Findings
The assessment identified a few areas of concern. A summary of these concerns is given below:
• Default user credentials for CISCO managed switches
• VoIP phones using default credentials
Tools
The assessment team utilized various commercial and open-source tools to scan the URLs in scope for
vulnerabilities and attempted to exploit identified vulnerabilities. Tools used include:
• nmap
• zenmap
• Kali Linux
• Nessus Professional
• Web Browsers (Internet Explorer, Firefox, Chrome)
3. Technical Details
Default user credentials for CISCO managed switches
Description
The CISCO managed switches still accept the vendor default credentials, allowing login as admin.
Severity: Medium
Confidence: High
CVSS Score:
MITRE ATT&CK ID:
URL:
[Link]
[Link]
[Link]
[Link]
[Link]
Evidence:
Solution:
Change the default credentials and use a strong password.
Reference:
[Link]
srw2024p/tdp/2347109
VoIP phones using default credentials
Description
The VoIP phone's web interface can be logged into using the vendor default credentials.
Severity: Medium
Confidence: High
CVSS Score:
MITRE ATT&CK ID:
URL:
[Link]
[Link]
Evidence:
Solution:
Change the default credentials and use a strong password.
Reference:
[Link]
srw2024p/tdp/2347109
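Both findings above share the same remediation: replace the vendor default credentials with a strong password. The script below is an added example for that step, not part of the original report or of any vendor tooling: it generates a replacement password from the operating system's CSPRNG and checks any candidate against a minimal policy (length, character classes, an entropy estimate, and a deny-list of default values and of the account name itself). The thresholds, the character set and the placeholder deny-list entries are this example's own choices; real vendor defaults belong in the deny-list from the device documentation, not from this text.

```python
"""Replacement-credential generation and policy check for device admin accounts (added example)."""
import math
import secrets
import string

# Placeholder deny-list (constructed). Populate it from the vendor documentation for each device model.
DEFAULT_PASSWORDS = {"admin", "password", "<vendor-default>"}

SYMBOLS = "!#$%&*+-=?@^_"                          # symbols most device web UIs accept (example's choice)
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 14                                     # policy thresholds are this example's assumptions
MIN_CLASSES = 3
MIN_ENTROPY_BITS = 64


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: log2(pool) per character, pool inferred from the classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, username: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DEFAULT_PASSWORDS or password.lower() == username.lower():
        problems.append("vendor default or equals the username")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    classes += any(not c.isalnum() for c in password)
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_password(length: int = 20, username: str = "admin") -> str:
    """Random password from the OS CSPRNG, regenerated until it satisfies check_password."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, username):
            return candidate


if __name__ == "__main__":
    new_password = generate_password()
    print("generated:", new_password, "violations:", check_password(new_password, "admin"))
    print("default 'admin':", check_password("admin", "admin"))
```

Run the check on the password actually configured on the device, not only on the generated one: the point of the deny-list is to catch a "changed" credential that was set back to a vendor value or to the account name, which a length rule alone would not flag.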
Appendix A – Supporting Information
Figure 1
Figure 1 shows the list of open ports.
Appendix B – Assignment of Risk Levels
Risk to an information system can be expressed as the expected loss as a result of:
• Potential attacks to the information system;
• Vulnerabilities of the information system to those attacks; and
• Consequences of the attacks succeeding.
The risk assessment is the evaluation of these potential attacks and vulnerabilities taken together with the
resulting consequences if an attack were to succeed. The risk assessment process involves a study of these
aspects to determine the likelihood of loss or consequence, and the expected effectiveness of security
measures. The risk assessment allows managers to develop more effective security programs.
The risk levels associated with vulnerabilities in this report should be considered in the context of the
application environment and perceived threat. These identifiers are not intended to be absolute values of risk;
rather, these identifiers are intended as an indicator of severity of vulnerability.
Five levels of risk are used:
Critical Risk – A vulnerability that is trivial to exploit (requires no special access conditions), and whose
exploitation could have a catastrophic impact on the confidentiality, integrity, or availability of a critical system
or application.
High Risk – A vulnerability that is easy to exploit, and whose exploitation could result in a compromise of an
application’s confidentiality, integrity, or availability.
Medium Risk – A vulnerability that is complex to exploit (may require specialized access conditions, may
require authentication), or may result in only a partial impact on an application’s confidentiality, integrity, or
availability upon exploitation.
Low Risk – A vulnerability that is more difficult to exploit (has a significant number of access conditions), or
whose exploitation results in only a minor impact on an application’s confidentiality, integrity, or availability.