University of Southampton [623142]

COMP2207 Coursework 1
Network Penetration Testing

Student: [anonymized]: Ana-Maria Schintee
Email ID: [anonymized]
Student: [anonymized]: 27978214

October 2016

Part A: Scanning the ECS DMZ subnet

The aim of the first part is to scan the network and produce a table listing, for each service, the number of servers running that service, the port(s) the service runs on and a brief description of the function of that service.
For the scan, the following command was run using the nmap network scanning tool:
nmap -sV -T4 -O -F --version-light 152.78.180.0/23
-sV (version detection): used to differentiate filtered ports from the open ones
-T4: sets the timing template of the scan, on a scale from 0 (slow) to 5 (fast)
-O: used to identify the target's operating system
-F (fast scan): restricts the scan to the 100 most common ports
--version-light: sets the intensity level of the version-detection probes tried during the scan, in this case level 2

Scan details:
- Date: 20th October 2016
- Time: 13:37 GMT Summer Time
- Location: Zepler Labs, Level 3
- Network: Eduroam Wi-Fi
- IP range: 152.78.180.0/23
- nmap mode used: Quick scan plus
- Run on my personal machine

Service | Number of servers running the service | Port(s) the service runs on | Brief description of the function of the service
h323q931 | 503 | 1720 | H.323, part of the ITU recommendations, is a service which provides multimedia (audio-visual) communication sessions. It uses port 1720 during call setup negotiation. Q.931 “is the ITU standard ISDN connection control signalling protocol” [10], used in the transmission of call signalling messages.
http | 39 | 80 | HTTP (HyperText Transfer Protocol) is a request-response protocol, with default port 80, used by the World Wide Web in order to define how messages are transmitted. The alternative port 8080 is used by the Node.js Express framework.
http-proxy | 2 | 8080 |
https | 16 | 443 | Port 443 is used by the HTTPS protocol for websites which use SSL (Secure Sockets Layer) for security purposes.
ssh | 2 | 22 | SSH (Secure Socket Shell) is a protocol that guarantees secure communication between computers over the Internet. It is “a cryptographic network protocol for operating network services securely over an unsecured network.” [11]
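The per-service counts in a table like the one above can be derived mechanically from nmap's grepable output (-oG) rather than by hand. The following Python is an added example, not part of the coursework: it parses a small constructed sample of -oG lines (not the real scan data) and counts distinct hosts and ports per service, skipping ports reported as filtered rather than open.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output, not output from the real
# scan. Each port entry is "port/state/proto/owner/service/rpcinfo/version/".
SAMPLE_OG = """\
# Nmap 7.12 scan initiated as: nmap -sV -F -oG - 152.78.180.0/23
Host: 152.78.180.10 ()\tStatus: Up
Host: 152.78.180.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/\tIgnored State: closed (98)
Host: 152.78.180.11 ()\tPorts: 80/open/tcp//http//nginx 1.10.1/, 443/open/tcp//https//nginx 1.10.1/\tIgnored State: closed (98)
Host: 152.78.180.12 ()\tPorts: 1720/open/tcp//h323q931///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (98)
Host: 152.78.180.13 ()\tPorts: 1720/open/tcp//h323q931///, 22/filtered/tcp//ssh///\tIgnored State: filtered (98)
# Nmap done at ...
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Yield (host, port, proto, service, version) for every open port."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue                       # status-only line, no port list
        for entry in m.group(1).split(", "):
            pm = PORT_RE.match(entry.strip())
            if pm and pm.group(2) == "open":
                port, _state, proto, service, version = pm.groups()
                yield host, int(port), proto, service or "unknown", version

def service_table(text):
    """Map service name -> (number of distinct hosts, sorted list of ports)."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for host, port, _proto, service, _version in parse_grepable(text):
        hosts[service].add(host)
        ports[service].add(port)
    return {s: (len(hosts[s]), sorted(ports[s])) for s in hosts}

def render(table):
    """Plain-text rows in the same column order as the coursework table."""
    lines = ["%-12s %8s  %s" % ("service", "servers", "port(s)")]
    for service, (n, plist) in sorted(table.items(), key=lambda kv: -kv[1][0]):
        lines.append("%-12s %8d  %s" % (service, n, ",".join(map(str, plist))))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(service_table(SAMPLE_OG)))
```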

Part B: Brief analysis of results
In this part we examine the vulnerabilities of specific services found during the scan.
A. Apache httpd
1. 2.2.15 (Red Hat) CVE-2010-2068: “mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.” [1]
2. 2.4.7 (Ubuntu) CVE-2016-0706: “Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.” [2]
3. 2.2.22 (Ubuntu) CVE-2013-5704: “The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."” [3]
4. 2.4.10 (Ubuntu) CVE-2014-3583: “The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.” [4]
5. 2.4.12 (Ubuntu) CVE-2015-0228: “The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.” [5]
B. Node.js
1. Express framework CVE-2014-7205: “Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.” [6]
2. (Express middleware) CVE-2015-1164: “Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.” [7]
C. Nginx
1. 1.10.1 CVE-2016-4450: “os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.” [8]
2. 1.1.19 CVE-2012-2089: “Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.” [9]
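When triaging scan results against CVE descriptions like those quoted above, the version string nmap reports has to be checked against the affected range each description states, and against any platform condition, rather than matched on product name alone. The following Python is an added example, not part of the coursework: it transcribes the quoted ranges into (inclusive low, exclusive high) bounds (the lower bound for "through 2.4.12" is an assumption, since the text gives none) and shows, for instance, that nginx 1.10.1 lies outside the range of CVE-2016-4450 and that CVE-2010-2068 only applies on Windows, NetWare and OS/2.

```python
import re

def parse_version(text):
    """Turn '2.4.7', '9.0.0.M2' or a whole nmap banner into a comparable int tuple."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError("no dotted version in %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))

# Affected ranges transcribed from the CVE descriptions quoted in Part B, as
# (inclusive lower bound, exclusive upper bound). "2.2.9 through 2.2.15" becomes
# ("2.2.9", "2.2.16"); "before 1.10.1" becomes ("0.0", "1.10.1"). The lower bound
# for CVE-2015-0228 ("through 2.4.12") is not stated in the text and is assumed.
AFFECTED = {
    "CVE-2010-2068": {"ranges": [("2.2.9", "2.2.16")],
                      "platforms": {"windows", "netware", "os/2"}},
    "CVE-2013-5704": {"ranges": [("2.2.22", "2.2.23")], "platforms": None},
    "CVE-2014-3583": {"ranges": [("2.4.10", "2.4.11")], "platforms": None},
    "CVE-2015-0228": {"ranges": [("2.4.0", "2.4.13")], "platforms": None},
    "CVE-2016-4450": {"ranges": [("0.0", "1.10.1"), ("1.11.0", "1.11.1")],
                      "platforms": None},
    "CVE-2012-2089": {"ranges": [("1.0.7", "1.0.15"), ("1.1.3", "1.1.19")],
                      "platforms": None},
}

def is_affected(cve, banner, platform=None):
    """True when the version in `banner` lies inside an affected range of `cve`
    and the platform restriction, if the CVE has one, is satisfied."""
    entry = AFFECTED[cve]
    if entry["platforms"] and (platform or "").lower() not in entry["platforms"]:
        return False
    v = parse_version(banner)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in entry["ranges"])

def triage(findings):
    """findings: iterable of (host, cve, banner, platform). Returns the
    (host, cve) pairs whose reported version really is in the quoted range."""
    return [(h, c) for h, c, b, p in findings if is_affected(c, b, p)]

if __name__ == "__main__":
    # Constructed findings modelled on the versions listed in Part B (hypothetical hosts).
    sample = [
        ("host-a", "CVE-2010-2068", "Apache httpd 2.2.15 ((Red Hat))", "linux"),
        ("host-b", "CVE-2014-3583", "Apache httpd 2.4.10 ((Ubuntu))", "linux"),
        ("host-c", "CVE-2016-4450", "nginx 1.10.1", "linux"),
        ("host-d", "CVE-2012-2089", "nginx 1.1.19", "linux"),
    ]
    for host, cve in triage(sample):
        print(host, "is inside the affected range of", cve)
```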

Part C: Describing shortcomings of a network penetration test

The purpose of a network penetration test is to identify the vulnerabilities or security weaknesses of a computer system that could potentially be exploited by an attacker. Among the most popular tools used in pen-testing is Nmap, which is able to scan ports and identify the operating system of the target computer.
However, a network penetration test has its shortcomings, and that is one of the reasons why a complete assessment of a network's security posture should not rely on it alone. Some of the shortcomings of pen-testing are listed below:
- This type of testing can only scan the ports but cannot fix the issues found. Moreover, it cannot cover all the services in use, since these can vary over time.
- The time allocated to professionals to perform a pen-test is usually shorter than the time spent by attackers planning their scheme against a network.
- The quality of a test depends on the skills of the testers. An attacker may have different abilities which let them target technologies different from those exploited by the testers.
- Although it can give a good idea of how an attacker may exploit the vulnerabilities, it can't identify viruses or internal issues/attacks on the network.
- It can't detect weak password policies for services that require authentication.
- It can't identify phishing emails/websites. A good example would be an employee receiving a phishing email in which they are requested to provide sensitive information that shouldn't be leaked outside the company.
- Malicious code stored on a USB stick can be inserted into the user's or company's computer and affect the network without being identified by the test. For example, an employee may find a USB stick containing malicious code, placed by an attacker near the company, and introduce it into the company's computer. In this way the network's security is affected, if not compromised.

References
[1] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068 [Accessed: 29th October 2016]
[2] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706 [Accessed: 29th October 2016]
[3] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704 [Accessed: 29th October 2016]
[4] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583 [Accessed: 29th October 2016]
[5] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228 [Accessed: 29th October 2016]
[6] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7205 [Accessed: 29th October 2016]
[7] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1164 [Accessed: 29th October 2016]
[8] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450 [Accessed: 29th October 2016]
[9] CVE, Common Vulnerabilities and Exposures, 2016 [Online] Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2089 [Accessed: 29th October 2016]
[10] Q.931, Wikipedia [Online] Available at: https://en.wikipedia.org/wiki/Q.931 [Accessed: 30th October]
[11] Secure Shell, Wikipedia [Online] Available at: https://en.wikipedia.org/wiki/Secure_Shell [Accessed: 30th October]
