<?xml version="1.0" encoding="UTF-8"?><fo:root xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:fo="http://www.w3.org/1999/XSL/Format" line-height-shift-adjustment="disregard-shifts"><fo:layout-master-set><fo:simple-page-master margin-top="2cm" margin-bottom="1.8cm" margin-left="2cm" margin-right="2cm" page-height="29.7cm" page-width="21.0cm" master-name="Cover"><fo:region-body margin-top="1cm" margin-bottom="1cm" region-name="region-body"/><fo:region-before precedence="true" extent="0.6cm" region-name="region-before-cover"/><fo:region-after precedence="true" extent="0.6cm" padding="0" region-name="region-after-cover"/></fo:simple-page-master><fo:simple-page-master margin-top="2cm" margin-bottom="1.8cm" margin-left="2cm" margin-right="2cm" page-height="29.7cm" page-width="21.0cm" master-name="Content"><fo:region-body margin-top="1cm" margin-bottom="1cm" region-name="region-body"/><fo:region-before precedence="true" extent="0.6cm" region-name="region-before-content"/><fo:region-after precedence="true" extent="0.6cm" padding="0" region-name="region-after-content"/></fo:simple-page-master><fo:page-sequence-master master-name="Report"><fo:repeatable-page-master-alternatives><fo:conditional-page-master-reference master-reference="Cover" blank-or-not-blank="not-blank" page-position="first"/><fo:conditional-page-master-reference master-reference="Content" blank-or-not-blank="not-blank"/></fo:repeatable-page-master-alternatives></fo:page-sequence-master></fo:layout-master-set><fo:page-sequence master-reference="Report"><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" line-height-shift-adjustment="disregard-shifts" flow-name="region-before-cover"><fo:block text-align="right" font-weight="bold">Confidential</fo:block></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" line-height-shift-adjustment="disregard-shifts" flow-name="region-before-content"><fo:block text-align="right" 
font-weight="bold">Confidential</fo:block></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" line-height-shift-adjustment="disregard-shifts" flow-name="region-after-cover"><fo:block text-align-last="justify"><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="black" line-height-shift-adjustment="disregard-shifts">Radically Open Security B.V. - 60628081</fo:inline></fo:block></fo:static-content><fo:static-content font-family="LiberationSansNarrow" font-size="12pt" color="black" line-height-shift-adjustment="disregard-shifts" flow-name="region-after-content"><fo:block text-align-last="justify"><fo:page-number/>/<fo:page-number-citation ref-id="EndOfDoc"/><fo:leader leader-pattern="space"/><fo:inline font-family="LiberationSansNarrow" font-size="8pt" color="black" line-height-shift-adjustment="disregard-shifts">Radically Open Security B.V. - 60628081</fo:inline></fo:block></fo:static-content><fo:flow font-family="LiberationSansNarrow" font-size="12pt" color="black" line-height-shift-adjustment="disregard-shifts" flow-name="region-body"><fo:block>
<fo:block text-align="center" margin-bottom="5pt"><fo:external-graphic padding-top="2cm" padding-bottom="3cm" src="url(../graphics/logo.png)" width="70mm" content-width="scale-to-fit" content-height="scale-to-fit" scaling="uniform"/></fo:block><fo:block keep-with-next.within-page="always" font-weight="bold" text-align="center" font-size="16pt" margin-bottom="1cm" background-color="orange">PENETRATION TEST MANAGEMENT SUMMARY</fo:block><fo:block text-align="center" margin-bottom="1cm">for</fo:block><fo:block keep-with-next.within-page="always" font-weight="bold" text-align="center" font-size="16pt" margin-bottom="6cm" background-color="silver" text-transform="capitalize">Sitting Duck B.V.</fo:block><fo:block break-after="page"><fo:table width="100%" table-layout="fixed"><fo:table-column column-width="proportional-column-width(66)"/><fo:table-column column-width="proportional-column-width(33)"/><fo:table-body><fo:table-row><fo:table-cell><fo:block/></fo:table-cell><fo:table-cell text-align="left"><fo:block> V1.0</fo:block><fo:block>Amsterdam</fo:block><fo:block>January 26th, 2015</fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block><fo:block keep-with-next.within-page="always" font-weight="bold" margin-bottom="5pt">Document Properties</fo:block><fo:block margin-bottom="1.5cm"><fo:table border-width="1pt" border-style="solid" border-color="black" width="100%" table-layout="fixed"><fo:table-column background-color="orange" border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(25)"/><fo:table-column column-width="proportional-column-width(75)"/><fo:table-body><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Client</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Sitting Duck B.V.</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell 
padding="2pt"><fo:block>Title</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>PENETRATION TEST MANAGEMENT SUMMARY</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Target</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>fishinabarrel.sittingduck.com</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Version</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>1.0</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Pentesters</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Melanie Rieback</fo:inline>, <fo:inline>Aristotle</fo:inline>, <fo:inline>George Boole</fo:inline>, <fo:inline>William of Ockham</fo:inline>, <fo:inline>Ludwig Josef Johann Wittgenstein</fo:inline></fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Authors</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Patricia Piolon</fo:inline>, <fo:inline>Ernest Hemingway</fo:inline>, <fo:inline>JRR Tolkien</fo:inline>, <fo:inline>Arthur Conan Doyle</fo:inline></fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Reviewed by</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:block>Melanie Rieback</fo:block></fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Approved by</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Melanie 
Rieback</fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block><fo:block keep-with-next.within-page="always" font-weight="bold" margin-bottom="5pt">Version control</fo:block><fo:block margin-bottom="1.5cm"><fo:table border-width="1pt" border-style="solid" border-color="black" width="100%" table-layout="fixed"><fo:table-column border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(25)"/><fo:table-column border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(25)"/><fo:table-column border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(25)"/><fo:table-column border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(25)"/><fo:table-body><fo:table-row background-color="orange" border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Version</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Date</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Author</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Description</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block> 0.1</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>January 19th, 2015</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Patricia Piolon</fo:inline></fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Initial draft</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block> 0.2</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>January 20th, 2015</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Ernest 
Hemingway</fo:inline></fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Structure & contents revision</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block> 0.3</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>January 21st, 2015</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Patricia Piolon</fo:inline></fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Added threat levels and recommendations</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block> 0.4</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>January 22nd, 2015</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Patricia Piolon</fo:inline>, <fo:inline>JRR Tolkien</fo:inline></fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Revision</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block> 0.5</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>January 23rd, 2015</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Patricia Piolon</fo:inline></fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Revision</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>1.0</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>January 26th, 2015</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block><fo:inline>Arthur Conan Doyle</fo:inline></fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Finalizing</fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block><fo:block 
keep-with-next.within-page="always" font-weight="bold" margin-bottom="5pt">Contact</fo:block><fo:block margin-bottom="5pt">For more information about this document and its
contents please contact Radically Open Security B.V.</fo:block><fo:block break-after="page"><fo:table border-width="1pt" border-style="solid" border-color="black" width="100%" table-layout="fixed"><fo:table-column background-color="orange" border-width="1pt" border-style="solid" border-color="black" column-width="proportional-column-width(25)"/><fo:table-column column-width="proportional-column-width(75)"/><fo:table-body border-width="1pt" border-style="solid" border-color="black"><fo:table-row><fo:table-cell padding="2pt"><fo:block>Name</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Melanie Rieback</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Address</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>Zieseniskade 21</fo:block><fo:block>1017 RT Amsterdam</fo:block><fo:block>The Netherlands</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Phone</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>+31 6 10 21 32 40</fo:block></fo:table-cell></fo:table-row><fo:table-row border-width="1pt" border-style="solid" border-color="black"><fo:table-cell padding="2pt"><fo:block>Email</fo:block></fo:table-cell><fo:table-cell padding="2pt"><fo:block>info@radicallyopensecurity.com</fo:block></fo:table-cell></fo:table-row></fo:table-body></fo:table></fo:block>
<fo:block keep-with-next.within-page="always" font-weight="bold" font-size="16pt" margin-bottom="0cm" background-color="orange">Table of Contents</fo:block><fo:block break-after="page"><fo:block><fo:table width="100%"><fo:table-column/><fo:table-column column-width="7mm"/><fo:table-body>
<fo:table-row><fo:table-cell text-align-last="justify"><fo:block><fo:basic-link internal-destination="methodology">1 Methodology</fo:basic-link> <fo:leader leader-pattern="dots" leader-alignment="reference-area" leader-length.maximum="21cm"/></fo:block></fo:table-cell><fo:table-cell padding-right="3pt" display-align="after"><fo:block text-align="right"><fo:basic-link internal-destination="methodology"><fo:page-number-citation ref-id="methodology"/></fo:basic-link></fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell text-align-last="justify"><fo:block><fo:basic-link internal-destination="planning">1.1 Planning</fo:basic-link> <fo:leader leader-pattern="dots" leader-alignment="reference-area" leader-length.maximum="21cm"/></fo:block></fo:table-cell><fo:table-cell padding-right="3pt" display-align="after"><fo:block text-align="right"><fo:basic-link internal-destination="planning"><fo:page-number-citation ref-id="planning"/></fo:basic-link></fo:block></fo:table-cell></fo:table-row><fo:table-row><fo:table-cell text-align-last="justify"><fo:block><fo:basic-link internal-destination="riskClassification">1.2 Risk Classification</fo:basic-link> <fo:leader leader-pattern="dots" leader-alignment="reference-area" leader-length.maximum="21cm"/></fo:block></fo:table-cell><fo:table-cell padding-right="3pt" display-align="after"><fo:block text-align="right"><fo:basic-link internal-destination="riskClassification"><fo:page-number-citation ref-id="riskClassification"/></fo:basic-link></fo:block></fo:table-cell></fo:table-row>
</fo:table-body></fo:table></fo:block></fo:block>
<fo:block margin-bottom="1.5cm" id="methodology" break-before="page">
<fo:block keep-with-next.within-page="always" font-weight="bold" font-size="16pt" margin-bottom="1cm" background-color="orange"><fo:inline>1</fo:inline> Methodology</fo:block>
<fo:block margin-bottom="1.5cm" id="planning">
<fo:block keep-with-next.within-page="always" font-weight="bold" font-style="italic" font-size="14pt" margin-bottom="0.8cm" background-color="silver"><fo:inline>1.1</fo:inline> Planning</fo:block>
<fo:block margin-bottom="5pt">Our general approach during this penetration test was as follows:</fo:block>
<fo:list-block provisional-distance-between-starts="0.85cm" provisional-label-separation="2.5mm" margin-bottom="1.5cm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>1. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Reconnaissance</fo:inline><fo:block/>We attempted to gather as much information as possible about the
target. Reconnaissance can take two forms: active and passive. A
passive attack is always the best starting point as this would normally defeat
intrusion detection systems and other forms of protection, etc., afforded to the
network. This would usually involve trying to discover publicly available
information by utilizing a web browser and visiting newsgroups etc. An active form
would be more intrusive and may show up in audit logs and may take the form of a
social engineering type of attack.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>2. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Enumeration</fo:inline><fo:block/>We used varied operating system fingerprinting tools to determine
what hosts are alive on the network and more importantly what services and operating
systems they are running. Research into these services would be carried out to
tailor the test to the discovered services.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>3. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Scanning</fo:inline><fo:block/>Through the use of vulnerability scanners, all discovered hosts would be tested
for vulnerabilities. The results would be analyzed to determine if there are any
vulnerabilities that could be exploited to gain access to a target host on a
network.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>4. </fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Obtaining Access</fo:inline><fo:block/>Through the use of published exploits or weaknesses found in
applications, operating systems and services, access would then be attempted. This may
be done surreptitiously or by more brute force methods.</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
</fo:block>
<fo:block margin-bottom="1.5cm" id="riskClassification">
<fo:block keep-with-next.within-page="always" font-weight="bold" font-style="italic" font-size="14pt" margin-bottom="0.8cm" background-color="silver"><fo:inline>1.2</fo:inline> Risk Classification</fo:block>
<fo:block margin-bottom="5pt">Throughout the document, each vulnerability or risk identified has been labeled and
categorized as:</fo:block>
<fo:list-block provisional-distance-between-starts="0.75cm" provisional-label-separation="2.5mm" space-after="12pt" start-indent="1cm"><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Extreme</fo:inline><fo:block/>Extreme risk of security controls being compromised with the possibility
of catastrophic financial/reputational losses occurring as a result.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">High</fo:inline><fo:block/>High risk of security controls being compromised with the potential for
significant financial/reputational losses occurring as a result.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Elevated</fo:inline><fo:block/>Elevated risk of security controls being compromised with the potential
for material financial/reputational losses occurring as a result.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Moderate</fo:inline><fo:block/>Moderate risk of security controls being compromised with the potential
for limited financial/reputational losses occurring as a result.</fo:block></fo:list-item-body></fo:list-item><fo:list-item margin-bottom="5pt"><fo:list-item-label end-indent="label-end()"><fo:block>•</fo:block></fo:list-item-label><fo:list-item-body start-indent="body-start()"><fo:block><fo:inline font-weight="bold">Low</fo:inline><fo:block/>Low risk of security controls being compromised with measurable negative
impacts as a result.</fo:block></fo:list-item-body></fo:list-item></fo:list-block>
<fo:block margin-bottom="1.5cm">Please note that this risk rating system was taken from the Penetration Testing Execution
Standard (PTES). For more information, see:
http://www.pentest-standard.org/index.php/Reporting. </fo:block>
</fo:block>
</fo:block>
</fo:block><fo:block id="EndOfDoc"/></fo:flow></fo:page-sequence></fo:root>