
Net Ninjas LLC, 1

United Services
Automobile
Association
Penetration Test USAA Network
December 17, 2015
This Report Was Prepared by:
Net Ninjas LLC
Darren Blakely Security Analyst
Marie Whiting Security Analyst
David Savlowitz Security Analyst


Table of Contents
Executive Summary
Document Properties
Version History
Summary of Findings
Windows XP (Spider) (192.168.1.90)
Windows Server 2008 (Lion) (192.168.37.10)
Windows XP (Fox) (192.168.37.20)
Windows XP (Owl) (192.168.37.30)
Windows XP (Mongoose) (192.168.37.50)
Windows XP (Frog) (192.168.37.250)
Secret Files Retrieved from Network
Recommendations
Windows XP (Spider) (192.168.1.90)
Windows Server 2008 (Lion) (192.168.37.10)
Windows XP (Fox) (192.168.37.20)
Windows XP (Owl) (192.168.37.30)
Windows XP (Mongoose) (192.168.37.50)
Windows XP (Frog) (192.168.37.250)
Detailed Findings
Initial Setup and Findings
Windows XP (Spider) (192.168.1.90)
Exploitation
Subnet 192.168.37.1/24
Windows Server 2008 (Lion) 192.168.37.10
Windows XP (Fox) (192.168.37.20)
Windows XP (Owl) (192.168.37.30)
Exploitation
Windows XP (Mongoose) (192.168.37.50)
Exploitation
Windows XP (Frog) (192.168.37.250)
Tools Utilized
Feedback

Executive Summary
Net Ninjas Security was contracted to perform a penetration test of the
United Services Automobile Association (USAA) network. In doing so, the security
company succeeded in accessing vital information stored on the network's
systems. The ease of penetration indicates major flaws in USAA's network that
must be addressed immediately. The section labeled "Summary of Findings"
provides detailed information identifying the areas of vulnerability, and the
section labeled "Recommendations" provides suggestions for addressing these
flaws.

Document Properties
Name: Penetration Test USAA Network
Classification: Classified
Version: 1.0
Authors: Darren Blakely, David Savlowitz, Marie Whiting
Reviewed By:
Approved By:
Date Approved:

Version History
Version  Date        Purpose                                     Authors
1.0      12/11/2015  Initial Findings and Research               Darren Blakely, David Savlowitz, Marie Whiting
2.0      12/14/2015  Additions and Corrections to Documentation  Darren Blakely, David Savlowitz, Marie Whiting
3.0      12/14/2015  Finalization and Completion                 Darren Blakely, David Savlowitz, Marie Whiting


Summary of Findings
Windows XP (Spider) (192.168.1.90)
A scan revealed three open ports (openings used for communication by a
specific service or program) on the Windows XP (Spider) system. One of these
ports was vulnerable to a popular exploit, which was used to access the system.
Once inside, a secret file was located along with password hashes for several
users. Although hashing a password (transforming the text into a fixed string of
characters by means of an algorithm) makes it more difficult to decipher, these
hashes can easily be broken. The web server on this machine has also been
misconfigured to allow cross-site tracing, another well-known vulnerability.

Windows Server 2008 (Lion) (192.168.37.10)
A TCP scanner revealed the 192.168.37.10 system. Using Mimikatz, it was
possible to locate and obtain all password hashes, including that of the domain
administrative account. Using the psexec exploit together with the domain
credentials collected, it was possible to gain access to this system.

Windows XP (Fox) (192.168.37.20)
Using a SYN scan, which allows a user to examine ports without fully
completing a connection, it was possible to find the Easy Chat service running on
ports 80 and 443. The efs_easychatserver_username exploit was used to gain
unauthorized access to the system, giving Net Ninjas the ability to find the
requested information.

Windows XP (Owl) (192.168.37.30)
After finding the open FTP port on this system (FTP allows users to
exchange files between their own computer and the network), it was possible to
trigger a buffer overflow through this port and gain access to the system. A
buffer is an area used to store data temporarily; a buffer overflow causes extra
data to spill into adjacent memory, which may reveal confidential information or
may contain instructions that damage the network's files. Once this was done, a
secret file was found on this system containing a hint for the next machine
(Mongoose).

Windows XP (Mongoose) (192.168.37.50)
A brute force attack, in which software attempts to discover a user's
password and/or other personal information by generating candidate passwords
through logical, sequential and well-known guesses, revealed a weak
administrative password that could be used to retrieve data from the SQL server,
which provides access to the system's databases. This username and password
were then used to access the main system and uncover a secret file and a hint
for the Frog system.


Windows XP (Frog) (192.168.37.250)
Hydra, a password-cracking tool, was used against the SSH service to find a
working username and password combination from the Spider web server
(192.168.1.90). It was then possible to log in over SSH to the 192.168.37.250
machine. Net Ninjas was then able to disable the firewall, which is designed to
prevent unauthorized access, and to gain system level privileges. This system
was then used as a route to the Lion machine.

Secret Files Retrieved from Network
[Screenshots of the secret files retrieved from Spider, Fox, Owl, Mongoose, Frog
and Lion; images not reproduced in this copy.]


Recommendations
Windows XP (Spider) (192.168.1.90)
This machine is vulnerable to the popular ms08_067_netapi exploit (the
MS08-067 vulnerability). This is fixable by updating the machine to a version of
Windows that has patched this vulnerability, such as Windows 7 or newer. Windows
XP is no longer supported by Microsoft and will not receive a patch for this
vulnerability in the future. It is also recommended that the administrator
account be password protected in the near future to better protect the network.
Finally, the web server should be reconfigured to prevent cross-site tracing.
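A way for the USAA administrators to verify the cross-site tracing fix on their own web server, as an added example that is not part of the original report: the probe sends an HTTP TRACE request and decides from the reply whether the server still echoes it. The host name, the audit token header and the two sample responses are constructed for illustration.

```python
import socket

def build_trace_request(host, path="/"):
    """Build the HTTP/1.1 TRACE request used to probe one of your own servers."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Audit-Token: trace-check\r\nConnection: close\r\n\r\n")

def trace_enabled(response_text, token="trace-check"):
    """True if the server answered 200 and echoed the request, i.e. TRACE is still on."""
    head, _, body = response_text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    echoed = body.startswith("TRACE ") and token in body
    return status == 200 and (echoed or headers.get("content-type", "").startswith("message/http"))

def check_server(host, port=80, timeout=5):
    """Send the probe over a plain socket and report whether TRACE is enabled."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host).encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks).decode("latin-1"))

# Constructed sample responses (not captured from the report's targets).
ECHOING_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n"
                    "Connection: close\r\n\r\nTRACE / HTTP/1.1\r\nHost: spider\r\n"
                    "X-Audit-Token: trace-check\r\nConnection: close\r\n\r\n")
HARDENED_RESPONSE = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n"
                     "Allow: GET,HEAD,POST,OPTIONS\r\nContent-Type: text/html\r\n"
                     "Connection: close\r\n\r\n<html>405 Method Not Allowed</html>")
```

A server that still answers 200 with a message/http body has TRACE enabled; on Apache, setting `TraceEnable off` in httpd.conf turns it off, after which the probe should return False.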

Windows Server 2008 (Lion) (192.168.37.10)
System administrators should delete old or unfamiliar user accounts and
require strong, complex passwords. All accounts and users should be monitored
at all times.

Windows XP (Fox) (192.168.37.20)
It is recommended that the Windows XP operating system be updated to an
operating system currently supported by Microsoft. If this is not possible, then
placing it on an isolated network is recommended. Users should also use stronger
and more complex passwords in the future. It is also recommended that a more
secure alternative to the current chat service be deployed to help keep
sensitive information away from would-be attackers.

Windows XP (Owl) (192.168.37.30)
It is always recommended that machines be patched to the fullest extent
possible and upgraded to an operating system supported by Microsoft. If the FTP
port on this system is not needed, then system administrators should close it.

Windows XP (Mongoose) (192.168.37.50)
This secret file was retrieved because the system was vulnerable to brute
force attacks and exploits while also having a weak administrative password. As a
result, this system should be updated and patched to prevent this method of
attack, and a more complex password should be assigned to the sa user.

Windows XP (Frog) (192.168.37.250)
It is recommended that this operating system be updated to a currently
supported Microsoft system if possible; if not, it should be placed on an
isolated network away from the public. Users should use stronger passwords to
better protect their accounts.


Detailed Findings
Initial Setup and Findings
Upon starting this black box assessment, it was determined that the Kali Linux
machine provided resided on the 192.168.1.1/24 network. This is an important fact
because it tells Net Ninjas the network range they will be working with. In this
case the scope was undefined, with the exception of the router on 192.168.1.1.

An initial Nmap scan revealed 3 hosts currently on the 192.168.1.1/24
network. There is a router at 192.168.1.1, while Net Ninjas uses 192.168.1.10.
The only host in scope at this time is 192.168.1.90.


Windows XP (Spider) (192.168.1.90)
A SYN scan with OS detection and version detection enabled was run using
nmap against the IP address 192.168.1.90 to detect the operating system type,
open ports and the current versions of the services running on the machine.

The SYN scan revealed a Windows XP machine running Apache, Microsoft
Directory Services, and Microsoft netbios-ssn.


A basic nmap scan also revealed the hostname to be Spider. This
information could be useful later, as the machine can now be identified by
its hostname.

After noting that there was indeed a web server running on this system, Net
Ninjas navigated to the web page and found an interesting website devoted to the
"Horse, Alpaca, Camel, Koala, and Marlin Emporium". While browsing through the
tabs, nothing appeared to be useful to Net Ninjas at this time.


A Nikto scan revealed a major vulnerability within this Apache service. It
allows Net Ninjas, and anyone else with this knowledge, to browse the web
directory for any information that may be stored within.


Exploitation
Most Windows XP machines are vulnerable to the ms08_067_netapi exploit.
If successful, this would grant Net Ninjas unauthorized remote access to the
machine.

The ms08_067_netapi exploit was successful and allowed an unauthorized
remote connection to the system. Net Ninjas was then able to use the getsystem
command to achieve system level privileges on the machine.


Net Ninjas was able to dump all user password hashes currently on the
system, including the administrator's, using the hashdump command.

Once inside the system, Net Ninjas began browsing the C:\ drive, where a
suspicious file, secretfile0.txt, was located. Upon investigation it revealed an
odd message directed toward whoever found the file.

Using the route command it is also possible to see the routes the system
knows of. In this case the Windows XP machine (192.168.1.90) knows of another
route to the 192.168.37.1/24 subnet. There are no IPv6 routes known to the
machine.


Net Ninjas then confirmed that the compromised machine had an interface
(192.168.37.90) on the 192.168.37.1/24 subnet and prepared to pivot into that
subnet.


Subnet 192.168.37.1/24
Using the ARP scanner script found in meterpreter, other machines on the
192.168.37.1/24 subnet were located. This method revealed five (5) new machines,
not including a router. The 192.168.37.90 machine is the system Net Ninjas is
currently pivoting off of (Spider).


Windows Server 2008 (Lion) (192.168.37.10)
In order to communicate with the Lion system, a static route to 192.168.37.10
via 192.168.37.250 was added on the Kali Linux machine. This enabled the TCP
port scanner to find the 192.168.37.10 machine and locate its open ports. Open
ports on the system included 53, 88, 135, 139, 389, 445 and 464.

Using the Mimikatz tool on the Frog system, it was possible to retrieve user
credentials, including those of the domain admin, and use them to gain access to
this machine with the psexec exploit. Once inside, the getsystem command granted
Net Ninjas system level access, and the final secret file was found.

The final file on the network was a congratulations message from the network
creator.


Windows XP (Fox) (192.168.37.20)
Using nmap to perform a SYN scan with the OS detection and version
detection options, it was possible to find ports 80 and 443 open. This machine was
running the Easy Chat service, which Net Ninjas targeted during the attack.

The Easy Chat service is vulnerable to the efs_easychatserver_username exploit.
This was the exploit used in the attack to grant Net Ninjas access to the system;
system level access was acquired shortly after.

The secret file was located on the C:\ drive, using a naming convention similar
to the others.


Windows XP (Owl) (192.168.37.30)
A SYN scan of the 192.168.37.30 host found two (2) open ports: FTP on port
21, running Easy FTP Server ftpd, and an http-proxy on port 8080.

Exploitation
Easy FTP is vulnerable to buffer overflow exploits. Net Ninjas therefore
chose an exploit that takes advantage of this and gained access to the system.

System level access was gained via technique 1 (getsystem).


Checking the same location, C:\, the next secret file was located. This one was
named secretfile2.txt. The information from this file was retrieved shortly before
the session died. This file revealed a hint for the Mongoose machine.

The name of this machine, Owl, was found after exploitation.


Windows XP (Mongoose) (192.168.37.50)
Using the information gathered from nmap, it is possible to see three (3) open
ports on this machine: Microsoft ESMTP on port 25, Microsoft IIS on port 80 and
Microsoft SQL on port 1433.

A brute force attempt was made against the SQL server, revealing the password
to be password1. This username and password were then used to retrieve the
database schema, allowing Net Ninjas to find information on the Web App
database.


The SQL database was then queried for the contents of the table, revealing
vital user information such as usernames and passwords.

Exploitation
This MS SQL service was vulnerable to SQL payload execution. Using the login
information gathered earlier (sa, password1), it was possible to gain access to
the system. Following that, technique 1 granted system level privileges.

The secret file was located in the usual location.

Hostname verified: Mongoose.


Windows XP (Frog) (192.168.37.250)
The same scan used on the previous machines was run against this machine. It
revealed the system to be running a Windows XP operating system with an SSH
port open.

Using the Hydra tool against the SSH service, it was possible to find the
username and password combination from the web server at 192.168.1.90.
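The brute force attempts described against the SQL server (Mongoose) and the SSH service (Frog) both leave a trail of repeated failed logins from one source. As an added example that is not part of the original report, the detection logic below parses sshd auth-log lines and SQL Server error-log lines and flags any source that fails a threshold number of times inside a sliding window; the log lines, host names and thresholds are constructed for illustration, using the tester's address 192.168.1.10 as the source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the report): sshd auth log and SQL Server error log entries.
SAMPLE_LOG = """\
Dec 17 10:01:02 frog sshd[412]: Failed password for administrator from 192.168.1.10 port 51000 ssh2
Dec 17 10:01:03 frog sshd[412]: Failed password for administrator from 192.168.1.10 port 51001 ssh2
Dec 17 10:01:03 frog sshd[412]: Failed password for administrator from 192.168.1.10 port 51002 ssh2
Dec 17 10:01:04 frog sshd[412]: Failed password for administrator from 192.168.1.10 port 51003 ssh2
Dec 17 10:30:00 frog sshd[500]: Failed password for marie from 192.168.1.77 port 40000 ssh2
2015-12-17 10:05:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2015-12-17 10:05:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2015-12-17 10:05:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2015-12-17 10:05:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
"""

SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
MSSQL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")

def parse_failure(line, year=2015):
    """Return (timestamp, service, user, source_ip) for a failed login line, else None."""
    m = SSHD_RE.match(line)
    if m:  # syslog lines carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ts, "ssh", m.group(2), m.group(3)
    m = MSSQL_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "mssql", m.group(2), m.group(3)
    return None

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Flag each (source_ip, service) with >= threshold failures inside any window_seconds span."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            ts, service, user, src = parsed
            failures[(src, service)].append((ts, user))
    alerts = []
    for (src, service), hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over the time-sorted failures
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "service": service, "count": end - start + 1})
                break
    return alerts
```

The single failure from 192.168.1.77 is not flagged, while the bursts from 192.168.1.10 against both services are; in practice the same logic feeds an alert or an account lockout rather than a list.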


Once inside the system, the C:\ drive held the next secret file. This file
congratulated Net Ninjas on making it this far and contained information on a final
system along with a hint on how to pivot to it.

From here, Net Ninjas used the netsh utility to disable the firewall.


Disabling the firewall allowed Net Ninjas to launch the ms08_067_netapi
exploit and gain system level privileges in order to pivot off the system.


It was later determined that another utility, Mimikatz, was required to gain
access to the Lion system. This utility was loaded onto the Frog machine to dump
user account information, including passwords in plain text.


Tools Utilized
Kali Linux (Provided by client)
Nmap (Version 6.40)
Metasploit (Version 4.8.0-2013112001)
Meterpreter (Version
Nikto (Version 2.1.5)
OpenVAS (Version 3.0.3)
Mimikatz (Version 1.0)


Feedback
The final was exactly right, as it both challenged and increased our
skill sets, allowing us to surpass our own perceived limits and achieve new heights.
Net Ninjas spent around 6 hours throughout this engagement. Although Net
Ninjas did run into a technical issue with one of the target systems, a member of
the team was able to create a custom Kali Linux image providing the perfect
environment to run the exploit. Net Ninjas recommends that the Kali Linux template
for this engagement be replaced with the one created by a Net Ninjas team member
to prevent future teams from running into the same technical issues.
