Devising an attack plan for the target network using the CYB 608 scans

Title

Your Name

Your Institution name

Devising an attack plan for the target network using the CYB 608 scans

For an attack plan to work, the attacker must have the knowledge of the target network (like the operating systems assets, TCP connectivity features and the nature of the server in use) (Sarraute, 2009, p. 11). The attacker, armed with this knowledge, and the aims and objectives for his/her attack, must devise the actions of his/her attack as outlined below.

Target the IP address through the control of his/her machine (box) by using a set of exploits and IG tools.

Carry out port probing (testing if given ports are open)

Start with port 80/tcp first and as soon as it is discovered that it is open carry out an exploit on it, and if the exploit fails keep probing other ports trying the exploit until it succeeds.

Exploit ssh and Wu-ftpd on an OpenSSH and linux respectively

A list of vulnerabilities that the target machine might be susceptible to

Vulnerability is a weakness on the target machine that an attacker can exploit to gain access to the system. In this case, only one IP address was scanned and below is a list of the possible vulnerabilities identifiable from the CYB 608 scan:

System specifications vulnerability (like the type and version of operating system in use-linux telnet, the type of server-apache httpd 2.2.8 and version of mySQL 5.0.51a-3ubuntu5 in use) which enables the attacker to carry out background study on the system prior to attack execution.

Race condition/Validity period/Time-of-check-to-time-of-use vulnerability at for RSA algorithm.

Specifying the programs and their versions that can be used to support Remote Procedural Calls (RPC) to the system through port 80/tcp and also Java-Remote Innovation Methods (RMI) at port 1099/tcp, hence offering homogeneous programming interface vulnerability to the system.

Specifying the authentication (login) port at port 21/tcp (FTP code 230) and making visible to the attacker (Authentication vulnerability)

Specifying the encryption algorithms (DSA and RSA) in use and even going a step further to specify the type of key for RSA algorithm type (public key type) and its bit as 1024, and even specifying the host keys for DSA and RSA () Encryption vulnerability)

Graphical User Interface (GUI) errors at open port 8009/tcp (ajp-auth: ERROR: Failed to connect to AJP server ajp-methods: ERROR: Failed to connect to server) and port 6000/tcp (access denied).

The CVE or OSVDB number for the vulnerabilties, the metasploit exploit name (if available) and the mitigation which would correct the vulnerability.

Name: Authentication vulnerability, CVE Number: CVE-1999-0014-Caused by unauthorized privileged access or denial of service and can be rectified through hiding the authentication port and GUI from the public network

Name: Explicit system specification vulnerability in telnet, CVE Number: CVE-1999-0073- “Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.” (CVE Organisation, 2014) It can be avoided by hiding the system specification in the network or declaring them implicitly in relation to the network the system is in.

Name: Race condition in Linux mailx, CVE Number: CVE-1999-0123- allows local users to read user files. It can be mitigated by hiding the validity period of all the software in use win the system.

References

Sarraute, C. (2007). Probabilistic Attack Planning in Network and WebApps Scenarios. Core

Security Technologies

Kak, A. (2014). Port and Vulnerability Scanning, Packet Sniffing, Intrusion Detection, and

Penetration Testing. Lecture Notes on “Computer and Network Security”, Purdue University

CVE Organisation. (2014). Common Vulnerabilities and Exposure. Retrieved from

http://cve.mitre.org/data/downloads/allitems.html