System Vulnerabilities and Penetration Testing Report


John the Ripper password cracker

Vulnerability

John the Ripper (JtR) is a free, open-source password cracker (Chou, Lee, Yu, Lai, Huang & Hsueh, 2013). Attackers use it to find weak UNIX passwords by combining a wordlist (dictionary) with mangling rules that generate variants of each word, a CPU-intensive process. UNIX systems keep account information in two files: /etc/passwd, which is world-readable and holds user names, UIDs, home directories and shells, and /etc/shadow, which is readable only by root and holds the password hashes. An attacker therefore needs root-level access to the machine, or a leaked copy of the file, before the hashes in /etc/shadow can be attacked. The values in the shadow file are not encrypted passwords but one-way salted hashes produced by crypt(3); Chou et al. (2013) describe the MD5-based md5-crypt scheme, while current distributions default to SHA-512-crypt or yescrypt. The purpose of the hash is to make recovering the password from the stored value computationally infeasible, so cracking proceeds by guessing candidates and hashing them, not by reversing the hash.

According to Chou et al. (2013), the unshadow command merges /etc/passwd and /etc/shadow into a single file that pairs each user name with its password hash in the format JtR expects. JtR is then run against that file, and its output lists every password it managed to crack alongside the account it belongs to.

For each candidate string taken from the wordlist, the cracker applies the same hash function, with the same salt that is stored alongside the target hash, and compares the result with the stored hash; a match means the candidate is the password (Weber et al., 2008). No key is involved: the stored value is a hash rather than a ciphertext, so the attacker cannot decrypt it and must reproduce it instead. Because the salt differs per user, each hash has to be attacked separately even when two users chose the same password. If the password is in neither the dictionary nor its rule-mangled variants, JtR falls back to its incremental mode, which uses character frequency tables to enumerate plaintexts, trying the most frequently used characters and positions first (Weber et al., 2008).
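The mechanics just described, as an added example that is not part of the original essay or of John the Ripper's own code: it parses constructed unshadow-style lines, pulls out each user's salt, runs a small wordlist through a few mangling rules, re-hashes every candidate with that salt and compares it with the stored hash. The hash format `$demo$<salt>$<hex>` (salted SHA-256) is a constructed stand-in for crypt(3) so the example runs offline; the wordlist, user names, salts and passwords are all made up for the demonstration.

```python
"""Dictionary-plus-rules cracking of salted password hashes (constructed demo).

The hash format here is a stand-in for crypt(3): '$demo$<salt>$<hex sha256>',
where the digest is sha256(salt + password). It is NOT a real crypt scheme;
it exists only so the attack mechanics can run offline.
"""
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed wordlist, standing in for a JtR wordlist such as password.lst.
WORDLIST = ["letmein", "password", "summer", "dragon", "admin"]


def demo_hash(salt: str, password: str) -> str:
    """Stand-in for a salted crypt(3) hash (constructed scheme, see module doc)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


def parse_unshadow_line(line: str) -> Optional[Dict[str, str]]:
    """Pull user, salt and hash out of one line of unshadow-style output.

    Lines look like 'user:$demo$salt$hash:1000:1000::/home/user:/bin/sh'.
    Accounts with no crackable hash ('*', '!' or empty) are skipped.
    """
    fields = line.strip().split(":")
    if len(fields) < 2:
        return None
    user, field = fields[0], fields[1]
    if not field.startswith("$demo$"):
        return None
    _, _, salt, digest = field.split("$")
    return {"user": user, "salt": salt, "hash": field, "digest": digest}


def apply_rules(word: str) -> Iterable[str]:
    """A few mangling rules of the kind JtR applies to each wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for n in range(10):
        yield f"{word}{n}"
        yield f"{word.capitalize()}{n}"
    yield f"{word}!"
    yield f"{word.capitalize()}1!"


def crack(lines: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: plaintext} for every hash a wordlist+rules guess reproduces."""
    cracked: Dict[str, str] = {}
    for line in lines:
        entry = parse_unshadow_line(line)
        if entry is None:
            continue
        for word in wordlist:
            for candidate in apply_rules(word):
                # Re-hash the guess with THIS user's salt and compare to the stored hash.
                if demo_hash(entry["salt"], candidate) == entry["hash"]:
                    cracked[entry["user"]] = candidate
                    break
            if entry["user"] in cracked:
                break
    return cracked


# Constructed unshadow output: alice and bob share a password but have distinct
# salts, so their stored hashes differ and each must be attacked on its own.
UNSHADOW = [
    f"alice:{demo_hash('k8Qz', 'Summer7')}:1000:1000::/home/alice:/bin/bash",
    f"bob:{demo_hash('Tr3x', 'Summer7')}:1001:1001::/home/bob:/bin/bash",
    f"carol:{demo_hash('9aLm', 'correct horse battery staple')}:1002:1002::/home/carol:/bin/bash",
    "daemon:*:1:1::/usr/sbin:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for user, pw in crack(UNSHADOW, WORDLIST).items():
        print(f"{user}: {pw}")
```

Running it cracks alice and bob (the rule "capitalise and append a digit" turns "summer" into "Summer7") but not carol, whose passphrase is not derivable from the wordlist; the locked daemon account is skipped because its field holds no hash.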

Prevention

The advice in Weber et al. (2008) to use 6-to-8-character mixed-case passwords reflects the hardware of the time; today a password that short falls to a wordlist-plus-rules attack or to outright brute force, so users should prefer long passphrases (12 characters or more) that do not appear in leaked-password lists. Forced frequent rotation is no longer considered good practice because it pushes users toward predictable variants of the previous password; a change is warranted when compromise is suspected. On the system side, hashes must be kept in /etc/shadow rather than /etc/passwd, so that only root and privileged system programs can read them (Weber et al., 2008), and they should be produced with a slow, salted, iterated function: bcrypt (Blowfish-based), scrypt, SHA-crypt with a high rounds= value, or yescrypt. Unsalted or fast hashes such as plain MD5 let GPU crackers test billions of guesses per second; a per-user salt defeats precomputed tables, and an adjustable work factor keeps each guess expensive for the attacker.
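A check a practitioner would run before worrying about individual passwords is whether the hashing scheme itself is weak. The following is an added example, not code from the essay or from any distribution's tooling: it classifies each entry of /etc/shadow-style lines by its crypt(3) `$id$` prefix and flags legacy DES, md5-crypt, SHA-crypt with the default 5000 rounds, low-cost bcrypt and accounts with an empty password field. The sample lines are constructed (the hash bodies are placeholders, not real digests) and the policy thresholds are assumptions chosen for the example.

```python
"""Audit the hash algorithms in /etc/shadow-style lines (added example).

Recognises the crypt(3) '$id$' prefixes and flags weak or dangerous entries:
legacy DES (13 characters, no '$'), md5-crypt ($1$), sha-crypt with a low
rounds= value, bcrypt with a low cost, and accounts with an empty password field.
Sample lines are constructed; the hash bodies are placeholders, not real digests.
"""
from typing import Dict, List, Optional

ALGORITHMS = {
    "1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt", "6": "sha512-crypt", "7": "scrypt", "y": "yescrypt",
}
# Policy thresholds (assumptions for this example, not values from the page).
MIN_SHA_ROUNDS = 100_000   # glibc's sha-crypt default is 5000, far too low today
MIN_BCRYPT_COST = 12


def classify(hash_field: str) -> Dict[str, Optional[object]]:
    """Return algorithm name, work factor (if encoded) and a verdict for one hash."""
    if hash_field in ("*", "!!") or hash_field.startswith("!"):
        return {"algorithm": "locked", "work": None, "verdict": "ok"}
    if hash_field == "":
        return {"algorithm": "none", "work": None, "verdict": "CRITICAL: empty password"}
    if not hash_field.startswith("$"):
        if len(hash_field) == 13:
            return {"algorithm": "des-crypt", "work": None,
                    "verdict": "weak: 12-bit salt, 8-character limit"}
        return {"algorithm": "unknown", "work": None, "verdict": "review"}
    parts = hash_field.split("$")[1:]   # drop the empty string before the first '$'
    algo = ALGORITHMS.get(parts[0], "unknown")
    if algo == "md5-crypt":
        return {"algorithm": algo, "work": None, "verdict": "weak: MD5, fixed 1000 iterations"}
    if algo in ("sha256-crypt", "sha512-crypt"):
        rounds = 5000   # glibc default when no rounds= parameter is present
        if parts[1].startswith("rounds="):
            rounds = int(parts[1][len("rounds="):])
        verdict = "ok" if rounds >= MIN_SHA_ROUNDS else f"weak: only {rounds} rounds"
        return {"algorithm": algo, "work": rounds, "verdict": verdict}
    if algo == "bcrypt":
        cost = int(parts[1])   # bcrypt encodes log2(iterations) after the id
        verdict = "ok" if cost >= MIN_BCRYPT_COST else f"weak: cost {cost}"
        return {"algorithm": algo, "work": cost, "verdict": verdict}
    if algo in ("scrypt", "yescrypt"):
        return {"algorithm": algo, "work": parts[1], "verdict": "ok"}
    return {"algorithm": algo, "work": None, "verdict": "review"}


def audit(shadow_lines: List[str]) -> Dict[str, Dict[str, Optional[object]]]:
    """Classify every account in shadow-style lines (user:hash:lastchg:...)."""
    report = {}
    for line in shadow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, hash_field = line.split(":")[:2]
        report[user] = classify(hash_field)
    return report


# Constructed sample; hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = [
    "root:$6$rounds=500000$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "legacy:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "svc:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "web:$2b$05$PLACEHOLDERSALTPLACEHOLDERHASH:19000:0:99999:7:::",
    "dev:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::",
    "olduser:abJnggxhB/yWI:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, info in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {info['algorithm']:13} {info['verdict']}")
```

The empty field for guest is the finding to fix first: it means the account needs no password at all, which no amount of hash strength addresses.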

SQL injection

SQL injection occurs when user-supplied input is built into a SQL query as text, so that characters in the input are interpreted as query syntax rather than as data. The attacker can then alter the query the back-end database executes, for example to bypass a login check or read other users' credentials. The attack is most common in web-based applications (Kahtan, Bakar, Nordin & Abdulgabber, 2014). It belongs to the wider family of flaws in which a browser sends malicious input to the server (Boyd & Keromytis, 2004), a family that also includes cross-site request forgery (CSRF) and cross-site scripting (XSS); those two are distinct vulnerabilities with their own defences and are not forms of SQL injection.

SQL injection prevention

The first line of defence is in the application itself: build queries with parameterised (prepared) statements so that user input is never concatenated into SQL text, validate and sanitise all input, keep servers and database software patched, and store passwords only as salted one-way hashes, never in clear text (Boyd & Keromytis, 2004). Input fields, including passwords, should have a bounded length; unbounded input gives an attacker room for long payloads and invites resource exhaustion. The database account the application connects with should hold only the privileges it needs, typically SELECT, INSERT and UPDATE on its own tables, and never 'superuser'/'Admin' rights, so that a successful injection cannot read other schemas, write files or drop tables (Kahtan et al., 2014).

The second method, useful only as a fallback where parameterised queries are unavailable, is to escape the characters that terminate a string literal before the input reaches the query:

  • a single quote ' becomes '' (or \' on MySQL), and a double quote " becomes \" where double-quoted strings are in use
  • mysql_real_escape_string() in legacy PHP, or mysqli_real_escape_string() / PDO::quote() in current PHP (the mysql_* functions were removed in PHP 7)

Escaping protects string contexts only; a value placed in a numeric position (WHERE id = $id) is still injectable, which is why prepared statements remain the primary control.

In addition, it is advisable to deploy a web application firewall (WAF), which applies a rule set to incoming requests to detect and filter potentially dangerous input before it reaches the application (Boyd & Keromytis, 2004). A WAF is a compensating control, not a substitute for fixing the queries.
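The vulnerable pattern beside both fixes, as an added example that is not part of the original essay: a login check built by string concatenation, the same check with the quote-escaping fallback, and the parameterised version. It uses Python's built-in sqlite3 so it runs offline; the users table, its two rows and the toy SHA-256 password hash are constructed for the demonstration (a real system would use bcrypt, scrypt or argon2).

```python
"""SQL injection: string-built query beside its escaped and parameterised fixes.

Added example; uses sqlite3 so it runs offline. Table contents are constructed.
"""
import hashlib
import sqlite3
from typing import Optional


def hash_pw(pw: str) -> str:
    """Toy hash for the demo; a real system would use bcrypt/scrypt/argon2."""
    return hashlib.sha256(pw.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory database with a users table holding password hashes (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in (("alice", "S3cret!pass"), ("admin", "hunter2-but-longer")):
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_pw(pw)))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """VULNERABLE: user input is concatenated straight into the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "'"
        " AND pw_hash = '" + hash_pw(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_escaped(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """FALLBACK: double every single quote so the literal cannot be closed early."""
    safe_user = username.replace("'", "''")
    query = (
        "SELECT username FROM users WHERE username = '" + safe_user + "'"
        " AND pw_hash = '" + hash_pw(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """FIXED: placeholders make the input data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


# Classic payload: closes the username literal and comments out the password
# check ('--' starts a line comment in SQLite and most other engines).
PAYLOAD = "admin' --"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "wrong"))  # admin, no password needed
    print("escaped:   ", login_escaped(conn, PAYLOAD, "wrong"))     # None
    print("safe:      ", login_safe(conn, PAYLOAD, "wrong"))        # None
```

With the payload the concatenated query becomes `... WHERE username = 'admin' --' AND pw_hash = '...'`, so the password comparison is commented away and the attacker is logged in as admin. Escaping closes this particular hole because the quote can no longer terminate the literal, but only the parameterised version is safe regardless of where the value lands in the query.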

Penetration testing

OpenVas

OpenVAS (Open Vulnerability Assessment System) is a network vulnerability scanner and auditing framework that combines several tools for assessing the security of hosts on a network. Its server component runs Network Vulnerability Tests (NVTs), plug-in modules that check local or remote applications for known weaknesses; the NVT feed is updated regularly. OpenVAS is released free of charge under the GNU General Public License (GNU GPL) and is today maintained as the scanner of the Greenbone Vulnerability Management stack, which adds scheduling, reporting and other vulnerability management functions around it.

According to Kashyap and Bhattacharyya (2012), the scanner is installed on a dedicated machine that acts as a scanning server and is driven from a client. Weber et al. (2008) give its listening port as 1241, the port inherited from the Nessus code base OpenVAS was forked from; current Greenbone deployments expose the management interface on TCP 9390 instead. Frequent, scheduled scanning is recommended so that newly published NVTs are run against the whole estate. Results are exported as HTML (or XML and PDF) reports that should be retained on a file server as an audit trail and fed into incident reporting. OpenVAS performs both unauthenticated checks, which probe services remotely the way an outside attacker would, and authenticated local security checks, which log in with supplied credentials to inspect installed package versions and configuration.

Nmap

Nmap is a network scanner used for security auditing. Its host discovery phase sends probes to a single address, a range of addresses or a list of addresses and records which hosts answer; a port scan then determines which services those hosts expose (Kashyap & Bhattacharyya, 2012). System administrators use it to detect unauthorised applications and web services in the demilitarised zone (DMZ), to discover unauthorised File Transfer Protocol (FTP) servers, and for asset inventory management.

Host discovery can use ICMP echo requests, ICMP address-mask requests, ICMP timestamp requests, TCP "pings" (SYN or ACK probes to chosen ports) or UDP pings. Once live hosts are known, Nmap fingerprints their operating systems and service versions (-O, -sV), and its scripting engine can run checks for specific known vulnerabilities (Boyd & Keromytis, 2004). Because unauthorised scanning is easy to spot in firewall and intrusion detection logs, attackers use evasion techniques: choosing a trusted source port (--source-port), setting IP options, fragmenting packets (-f), spoofing the source address (-S, at the cost of not seeing replies), and mixing the real scan among decoy addresses (-D) so that the true origin is hard to pick out (Kashyap & Bhattacharyya, 2012).

An attacker then uses the discovered services and their weaknesses to compromise the system. The defence is to shrink what a scan can see: a host or network firewall (iptables or nftables on Linux) should default-deny, open only the ports a host legitimately serves, and restrict those ports to the source addresses that need them, while logging dropped SYN packets so that scans are detected rather than merely blocked.
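The administrator use case above (finding unauthorised services in the DMZ and keeping an inventory) is usually automated from Nmap's XML output (`-oX`). The following is an added example, not code from the essay or from the Nmap project: it parses a constructed XML document shaped like Nmap's output, builds an inventory of open ports per live host, and reports any open TCP port outside an allow-list. The addresses, service names and the allow-list (80 and 443 only) are assumptions made for the example.

```python
"""Parse Nmap XML output (-oX) and flag services that break a host policy.

Added example. The XML below is constructed to follow the structure Nmap emits;
the DMZ allow-list is an assumption for the demonstration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Policy assumption: DMZ hosts may only expose these TCP ports.
DMZ_ALLOWED_TCP: Set[int] = {80, 443}

# Constructed scan output (addresses from the documentation ranges).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX dmz.xml 192.0.2.0/28">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {ip: [(proto, port, service), ...]} for every open port on every live host."""
    root = ET.fromstring(xml_text)
    inventory: Dict[str, List[Tuple[str, int, str]]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue   # hosts that did not answer discovery carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        inventory[ip] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue   # filtered/closed ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            inventory[ip].append((port.get("protocol"), int(port.get("portid")), name))
    return inventory


def policy_violations(inventory: Dict[str, List[Tuple[str, int, str]]],
                      allowed_tcp: Set[int] = DMZ_ALLOWED_TCP) -> List[Tuple[str, int, str]]:
    """List (ip, port, service) for every open TCP port outside the allow-list."""
    findings = []
    for ip, services in inventory.items():
        for proto, port, name in services:
            if proto == "tcp" and port not in allowed_tcp:
                findings.append((ip, port, name))
    return sorted(findings)


if __name__ == "__main__":
    inv = parse_open_ports(NMAP_XML)
    for ip, port, name in policy_violations(inv):
        print(f"{ip}:{port}/tcp ({name}) is not permitted on a DMZ host")
```

On the constructed scan the checker reports the FTP server on 192.0.2.10 and the proxy on 192.0.2.11:8080; the filtered SSH port is ignored because a filtered port is not reachable exposure, and the down host contributes nothing.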

Denial-of-service

A Denial-of-Service (DoS) attack makes a service unavailable to its legitimate users; when the traffic comes from many compromised machines at once it is a Distributed Denial-of-Service (DDoS) attack (Boyd & Keromytis, 2004). According to Kashyap and Bhattacharyya (2012), the attacker's goal is to exhaust a computational resource, whether bandwidth, connection-tracking state, memory or CPU, so that the target can no longer serve requests. DDoS attacks can corrupt routing information, reset TCP sessions, overload the CPU and crash the operating system. The Smurf attack is the classic amplification example: the attacker sends Internet Control Message Protocol (ICMP) echo requests to a network's broadcast address with the source address spoofed to that of the victim. Every host on that network replies to the victim, which is overwhelmed by the resulting flood of echo replies (Kashyap & Bhattacharyya, 2012).

Solutions for DDoS attacks include:

  • Configuring hosts and routers not to answer ICMP echo requests sent to broadcast addresses, so they cannot be used as amplifiers.
  • Configuring routers to drop directed broadcasts (packets addressed to another network's broadcast address) instead of forwarding them.
  • Applying ingress filtering at the network edge (BCP 38) so that packets with spoofed source addresses are discarded, and rate-limiting ICMP and other floods from any single source.
  • Using available tools to detect DDoS traffic, for example by watching for many ICMP echo replies converging on one host from many sources within a short window.
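The two protocol-specific signals of a Smurf attack described above, echo requests addressed to a broadcast address and a burst of echo replies converging on one host from many sources, turned into detection logic over flow records. This is an added example, not code from the essay or from Kashyap and Bhattacharyya's detector; the flow records, the local network ranges and the thresholds (50 replies from at least 20 distinct sources within 10 seconds) are constructed assumptions for the demonstration.

```python
"""Detect Smurf-style ICMP amplification in flow records (added example).

Two signals: echo REQUESTS addressed to a local broadcast address (the
amplifier side) and a burst of echo REPLIES converging on one host from many
sources (the victim side). Records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float        # seconds
    src: str
    dst: str
    proto: str       # "icmp", "tcp", "udp"
    icmp_type: int   # 8 = echo request, 0 = echo reply, -1 for non-ICMP


LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
WINDOW_SECONDS = 10
REPLY_THRESHOLD = 50          # echo replies to one host within the window
DISTINCT_SRC_THRESHOLD = 20   # ...coming from at least this many sources


def is_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of a known local network."""
    ip = ip_address(dst)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)


def detect_smurf(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return {'broadcast_echo_sources': [...], 'amplified_victims': [...]}.

    broadcast_echo_sources holds the claimed source of echo requests sent to a
    broadcast address; in a Smurf attack that address is the spoofed victim.
    """
    findings = {"broadcast_echo_sources": set(), "amplified_victims": set()}
    replies = defaultdict(list)   # victim -> [(ts, src), ...] of echo replies
    for f in flows:
        if f.proto != "icmp":
            continue
        if f.icmp_type == 8 and is_broadcast(f.dst):
            findings["broadcast_echo_sources"].add(f.src)
        elif f.icmp_type == 0:
            replies[f.dst].append((f.ts, f.src))
    # Sliding window over each host's replies: flag when volume AND source
    # diversity both exceed the thresholds inside WINDOW_SECONDS.
    for victim, events in replies.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            if len(window) >= REPLY_THRESHOLD and len({s for _, s in window}) >= DISTINCT_SRC_THRESHOLD:
                findings["amplified_victims"].add(victim)
                break
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one Smurf burst plus benign ICMP and TCP noise."""
    flows = []
    # The attacker (not visible) sends one echo request to the broadcast address
    # with the VICTIM's address as source; every host on 192.0.2.0/24 replies to it.
    flows.append(Flow(0.0, "203.0.113.99", "192.0.2.255", "icmp", 8))
    for i in range(1, 61):
        flows.append(Flow(0.1 * i, f"192.0.2.{i}", "203.0.113.99", "icmp", 0))
    # Benign: a monitoring host pinging one server.
    for i in range(5):
        flows.append(Flow(float(i), "198.51.100.5", "198.51.100.20", "icmp", 8))
        flows.append(Flow(float(i) + 0.01, "198.51.100.20", "198.51.100.5", "icmp", 0))
    # Benign but spread out: 60 replies over 60 seconds never fill a 10 s window.
    for i in range(1, 61):
        flows.append(Flow(100.0 + i, f"198.51.100.{i}", "198.51.100.200", "icmp", 0))
    flows.append(Flow(3.0, "192.0.2.50", "203.0.113.99", "tcp", -1))
    return flows


if __name__ == "__main__":
    print(detect_smurf(build_sample_flows()))
```

Only 203.0.113.99 is reported, both as the spoofed source of the broadcast request and as the host the replies converge on; the slow trickle to 198.51.100.200 has the same volume and diversity in total but never inside one window, which is why the detector keys on rate rather than on counts alone.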

References

Boyd, S. W., & Keromytis, A. D. (2004). SQLrand: Preventing SQL injection attacks. Applied Cryptography and Network Security, 1(1), 292-302.

Chou, H. C., Lee, H. C., Yu, H. J., Lai, F. P., Huang, K. H., & Hsueh, C. W. (2013). Password cracking based on learned patterns from disclosed passwords. International Journal of Innovative Computing, Information and Control, 9(2), 1-10.

Kahtan, H., Bakar, N. A., Nordin, R., & Abdulgabber, M. A. (2014). Vulnerability Assessments Tools. Information Technology Journal, 13(14), 2240-2249.

Kashyap, H. J., & Bhattacharyya, D. K. (2012). A DDoS attack detection mechanism based on protocol specific traffic features. In Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology, 1(1), 194-200.

Weber, J. E., Guster, D., Safonov, P., & Schmidt, M. B. (2008). Weak password security: An empirical study. Information Security Journal: A Global Perspective, 17(1), 45-54.
