- 8th June 2015
- Posted by: Binoy
- Category: Case Studies, Penetration Testing, UAE
Penetration Testing in Dubai
One of our partners recently engaged us for a large penetration test, an internal VAPT, in Dubai. The scope of the engagement was to perform an internal VAPT on the business side of the IT infrastructure. The scope included more than 200 servers, 200+ network devices, 50+ applications and about 2000 workstations. The objective of the penetration test was to simulate an attacker who controls an endpoint on the client network through covert channels.
How did we execute the project?
Four security testing teams were formed to complete the project in less than 30 days. The first team's focus was on end-user workstation penetration testing. The second team focused on bypassing the access controls and performing network penetration testing. The third focused on the penetration testing of servers and the fourth team performed the application penetration testing. The teams shared the results of their VAPT so that the other teams could use the information for more effective and faster penetration.
The most challenged teams were the application penetration testing and server penetration testing teams, as the environment is production and any downtime would have a negative impact on the customer's operations.
During our initial identification phase, the ValueMentor team found a group of Windows XP machines (relatively small in number), unused but connected to the network. ValueMentor analysts took control of these XP systems by exploiting some well-known vulnerabilities. Analysis of the system configuration provided a lot of critical information related to the servers. The collected information was passed on to the server and application penetration testing teams.
The application pen testing team, with the new knowledge, was able to access some of the applications using low-privileged user accounts. Careful examination of the applications revealed SQL injection vulnerabilities in some applications. Exploiting the SQL injection vulnerabilities helped the analysts obtain some critical business information in addition to the critical application information. (It is good that these applications are accessible only from the internal network.)
Our network penetration testing team used some of the files found by the workstation pen testing team, in addition to the information obtained through network surveillance, which provided detailed information about the network configurations. The team was able to find weak configurations, which they exploited to bypass the network access controls.
Combined with the network and application penetration testing, the server team was able to reach the core of the network. The team had exploited at least 2 servers to obtain the super administrator privileged
- We found a number of insecure protocols, such as FTP and Telnet, in use. This would allow an internal user to obtain critical information using tools like Wireshark.
- Weak asset management. A number of unused systems were still connected to the production network. Unused systems are normally out of sight as far as busy system administrators are concerned.
- Weak password policy enforcement. A strong password policy that is not enforced well is as bad as a weak password policy.
- Insecure web applications. Some web applications fetch information from other systems using FTP, where authentication credentials are sent in clear text.
- Patch management not being consistent
A combination of the above set of weaknesses allowed our team to exploit many servers and control part of the IT infrastructure as part of the engagement.
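As an added illustration (not part of the original engagement or ValueMentor's tooling), the sketch below shows how a defender could check for three of the weaknesses listed above: FTP/Telnet in use, unused systems still on the network, and systems missing from the asset inventory. It assumes nmap grepable (`-oG`) scan output and a last-logon inventory; the hosts, addresses and the 90-day threshold are constructed.

```python
import re

CLEARTEXT = {"ftp", "telnet"}   # cleartext protocols named in the findings
STALE_AFTER_DAYS = 90           # assumed threshold, not from the report

# Constructed sample: nmap grepable (-oG) lines and a last-logon inventory.
SCAN = """\
Host: 10.0.5.21 (ws-legacy-01)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.8.12 (app-srv-02)\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///
Host: 10.0.1.7 (net-sw-07)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///
Host: 10.0.9.3 (ws-fin-114)\tPorts: 21/closed/tcp//ftp///, 445/open/tcp//microsoft-ds///
"""
LAST_LOGON_DAYS = {"10.0.5.21": 240, "10.0.8.12": 1, "10.0.1.7": 3}

# "Host: <ip> (<name>)<TAB>Ports: <entries>"; Status-only lines do not match.
HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\tPorts: ([^\t]*)")

def parse_scan(text):
    """Yield (ip, name, [(port, service), ...]) keeping open ports only."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        open_ports = []
        for entry in ports.split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 5 and fields[1] == "open":
                open_ports.append((int(fields[0]), fields[4]))
        yield ip, name, open_ports

def audit(scan_text, last_logon):
    """Map each host to its findings; hosts without findings are omitted."""
    findings = {}
    for ip, name, open_ports in parse_scan(scan_text):
        issues = [f"cleartext:{svc}/{port}"
                  for port, svc in open_ports if svc in CLEARTEXT]
        days = last_logon.get(ip)
        if days is None:
            issues.append("not-in-inventory")      # seen on the wire, unknown to IT
        elif days > STALE_AFTER_DAYS:
            issues.append("unused-but-connected")  # live host nobody logs in to
        if issues:
            findings[name or ip] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(SCAN, LAST_LOGON_DAYS).items():
        print(f"{host}: {', '.join(issues)}")
```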
We have submitted our report highlighting the weakest links present in the environment and how a compromise of the relatively low-value desktop environment can lead to an organization-wide compromise.
Would you like a serious penetration test? Get in touch with us.