00:00:00 --> 00:01:09 So here is a demo company security assessment findings report. Now I will be providing this. You can also find this on my GitHub. I'm going to provide links to a PDF. I'll attach a PDF version of this, and you can find the actual Word doc on my GitHub, which I'll link to that as well. So here's the front page, and I've got this zoomed in a little bit to where it doesn't cover the whole page, only so that you can see it. So we're zoomed in just for visibility purposes, but pretty standard front page. We have a table of contents, right. And we're going to speed through this pretty quick, but OK. So first things first. I have a confidentiality statement; it just says this document is for us and Demo Company and for nobody else, and can't be shared except with auditors, etc. Another thing that we need to say here too is that we have a disclaimer saying that this penetration test is a snapshot in time. We test usually for a week per segment. So say we do an external for a week. Guess what. During that week is when we tested. If a finding comes up a week later, or maybe somebody opens up a port or sets up an application, we're not responsible for that.
00:01:09 --> 00:02:31 And we are also under a time-limited engagement, meaning that we are targeting what we can in that period of time. Some clients, let's be real, they're gonna be cheap about some things, right. They're going to want to pay for a week maybe when they should pay for two, especially if they're a big client. You know, they don't want as in-depth of a review or research on a lot of their stuff. And when we're limited on time we're not going to find everything. So we have to point that out as a disclaimer. Other than that, we have our contact information here. So we'll have our Demo Company contacts and our contacts, and then here I have the assessment overview. So we go into kind of a high level, just saying hey look, from this date to this date they engaged us to evaluate the security posture of its infrastructure. And we do testing based on a few different guidelines. One is what is called NIST, that is US-based, but there's other guidelines here that we reference. And then how we kind of, you know, attack: we have the planning, discovery, attack, reporting. If we discover, we go back and attack; we go back and find an attack, we go back and discover again, and repeat. We cover here also what we're attacking, or what components we have in this assessment. So in this assessment here we only have an external penetration test.
00:02:31 --> 00:03:50 So we talked about what we do in an external penetration test, and it just kind of says hey, it's the role of an attacker trying to gain access to an internal network without internal resources or inside knowledge. It just gives you an overview. So if we had multiple components, then we would list multiple things here and talk through that. Here we talk quickly about the finding severity, because we're going to rate things based on their severity. So we might have a critical finding all the way down to something that's informational for the client, and you're going to see that here in just a minute. And when we go in the next video we cover a real report that I've done in the past. You're going to see in a lot more clear form what these look like. So from here we have our scope. We just say OK, here's our scope, we attacked two IP addresses, and I listed internal IP addresses even though we did an external; it's just a demo doc, so here's a couple of IP addresses. And then if we had full scope information, I report that in an Excel document and attach that. So I just have this here just in case I need that. So we also have scope exclusions. You see here we did not perform any denial of service attacks during testing, and then any client allowances. So did the client have to assist us in any way? In this instance, they did not. All right.
00:03:50 --> 00:04:52 So we then break down our report, and here's where we start getting into the meat. We break down our report into an executive summary and we break down our report into a technical summary. The executive one is for executives; think about the C-level, the CISO or the CEO or whoever is going to be reviewing this. They might not come from a technical background. So if you throw technical things at them they might get lost. You have to have an explain-like-I'm-five-years-old attitude when you write your executive summary, and then you have a technical summary where you can then share how you gained access in certain ways, and you know, that can help somebody like a network engineer or somebody else that has a more technical mindset repeat that. So here again this talks about, OK, well we evaluated their external network from the 20th to the 29th. And by leveraging a series of attacks we found critical vulnerabilities that allowed full internal access to the network. And then we just kind of have an attack summary and recommendations here for the client, right.
00:04:52 --> 00:06:13 OK, well, we did breached account credentials and we looked through those; we did credential stuffing and we were unsuccessful, but we had username enumeration through Outlook, which allowed us to further validate usernames. Using that, we were able to do a password spraying attack with Summer2018! and got in with that into the Outlook web application here. And then finally we leveraged those credentials to log into the VPN. Well, on this side we have all the recommendations, right. Well, for breached account data, your employees shouldn't be using their work e-mails as login credentials to other services unless it's absolutely necessary. When it comes to credential stuffing and Outlook Web Access, you should be, you know, synchronizing your valid/invalid account messages. There shouldn't be username enumeration. Outlook is a little bit special about that one. It's a feature, believe it or not. So there's not much clients can do about that one, but there's other ways to enumerate information, as you've seen in this series. So from here, you know, we're able to get into the Outlook application and the VPN mainly because of poor password policies and not utilizing multi-factor authentication. Once we logged in we weren't prevented; we were given access to the network. This is a very, very real-world scenario, by the way; this happens quite a bit.
00:06:13 --> 00:07:27 So scrolling through again, in the executive summary I like to point out the strengths and the weaknesses. And this is a very empty document just because it's a demo; you're going to see a little bit more in the next video on how much more complete this will look and how readable it does become. So in this example we just give them kudos where they need it, you know. So let's say we were scanning and their SIEM identified our scans and it alerted somebody on the internal side and allowed them to detect us, and they could have blacklisted our IP address right then and there. So we give them kudos. But you know, we had that missing multi-factor, that's a security weakness, the weak password policy, and we were able to brute force attempt the login page as many times as we wanted. So these are big security weaknesses, right. And we want to identify those at a high level so the client understands it, so the executive understands it. Scrolling through here, we always like to put pretty charts in. I'm only reporting one vulnerability here. We could report many vulnerabilities and this would look a lot more full. But for this instance you'll see one critical vulnerability. We have a nice chart they can look at and say wow, we did well, or we didn't do well, we did bad, right. So onto the technical findings.
00:07:27 --> 00:08:35 So I like to give a proof of concept if there is a chain exploit of attacks, and here's the insufficient lockout policy on Outlook Web App. And it kind of gives a description and says look, you know, unlimited login attempts here. This allowed us to brute force password guessing attacks in which we were able to gain access into the network. This impact is critical because we gained access. Here is the system that it happened on. And here are references. So I like to provide NIST references, compliance references, so they can go back and look at the compliance regulations behind this. And then they can go and patch this as well. So here we look at the exploitation proof of concept: we gathered breached account data through credential dumps. So here's what that looks like; you should be familiar with that. We used that to spray the OWA login. So Outlook Web App, this is kind of what it looks like. And it'll say something like this: failed login but username is valid, and you can see that I'm spraying with usernames, and I've got this blurred out because these are real pictures. But it says Summer2018!, we are trying that, that didn't work. Okay.
00:08:35 --> 00:09:51 But we did have some username enumeration, and then eventually we got all the valid usernames down. We tried Summer2018! against the valid usernames, and Summer2018! did work, but this gets us a login. And then finally allowed us to gain access to the VPN, which we have a picture of here. Unfortunately I wasn't able to sanitize that picture. So here on the remediation side we would say OK, who should remediate this? Well, the IT team. What's the vector? Well, it's remote. They don't have to do this, you know; this can be done remote, or we attacked remotely, right. And there's several items here from this one exploit. Well, there wasn't multi-factor authentication; we recommend that you do use multi-factor. Unlimited login attempts; we recommend that you restrict that. OK. They permitted successful login via password spraying, meaning there's a weak password policy. Here's a recommendation on password policy. With the permitted username enumeration, here's how to patch that. And then we recommend, you know, you train your employees on how to create a proper password, to check your credentials against known breached passwords, and to discourage employees from using their work emails on websites unless they need to do so.
00:09:51 --> 00:11:01 And then lastly here we've got additional reports and scans. I always like to provide all of the output, so I will take the Nessus data and convert it into Excel, and I will give them full findings of the vulnerability scan report in a PDF and an Excel document. That way they have everything, because there's times where you have an assessment and the assessment is going really bad for the client, unfortunately. And what you can attack is the low-hanging fruit, the high and critical vulnerabilities, right. Well, if you do that, then reporting on the moderate and low just doesn't really make sense; it's not worth writing a really, really long report at that point. You're going to say hey look, you need to go check the scans, make sure that you look through everything, because we only reported on critical and high vulnerabilities here. So you want to note that and make sure that they're aware that there's more things going on in the scans a lot of the times. And then here we have lastly the last page. Now we went through that pretty quick. I want you to just download this with the attached references and just kind of go through it, make it your own, do whatever you want. Meet me in the next video when we kind of cover a real assessment and you get to see kind of what it looks like more in detail.
00:11:01 --> 00:11:15 We'll talk through the client as well, what they did bad, and you can see some of the vulnerabilities pop up from how I would report it and, you know, how I did report it. So I'll see you next video, and we actually cover a real pentest report.