Penetration Testing Report
Module: CSEC2003 – Penetration Testing
Coursework: Final Penetration Testing Report
Target System: 192.168.136.128 (Victim VM – Red Hat Linux)
Tester: Saad Khan (P2836526)
Word Count: 1800
Date of Assessment: 20/03/2025
Table of Contents
1. Executive Summary
2. Methodology
3. Environment Setup
4. Reconnaissance & Scanning
5. Vulnerability Findings
o Vulnerability Summary Table
6. Exploitation & Verification Tests
7. Attack Flow Diagram
8. Conclusion & Recommendations
9. Appendices
10. References
1. Executive Summary
This security evaluation was performed to assess the risks associated with the
target system (192.168.136.128) operating on Red Hat Linux with Apache 2.0.40
and PHP 4.2.2. The main goal was to identify vulnerabilities that could make the
system susceptible to cyber threats and suggest ways to address them.
Key Findings and Business Impact
1) Outdated and Unsupported Software
• The system is currently using Apache 2.0.40 and PHP 4.2.2, both of which are
outdated and no longer receiving security patches.
• Business Impact: These versions have known vulnerabilities that attackers
could exploit, resulting in data breaches, unauthorized system access, or
service downtime.
2) Weak Encryption & Insecure Protocols
• The system still allows SSLv2/SSLv3 and weak ciphers (RC4, 3DES, MD5),
which are outdated and susceptible to decryption attacks.
• Business Impact: This leaves sensitive communications open to Man-in-the-Middle
(MITM) attacks, enabling attackers to intercept login credentials, financial
transactions, or confidential data.
3) Insecure SSH Configuration
• The server permits SSH version 1 (SSHv1), which is recognized as insecure.
• Business Impact: This raises the risk of brute-force attacks and
unauthorized remote access, potentially leading to system compromise,
ransomware attacks, or operational disruptions.
4) Potential Web Security Risks
• Even though tests for Remote Code Execution (RCE) and Local File Inclusion
(LFI) did not result in successful exploitation, the outdated Apache and PHP
versions leave the system highly vulnerable to these attacks.
• Business Impact: An attacker could inject malicious code, resulting in data
theft, website defacement, or full server control.
5) Brute-Force Resistance Testing
• Efforts to brute-force SSH login using Hydra were unsuccessful due to
outdated key exchange protocols. Although authentication was not
bypassed, this confirms the system's use of insecure legacy configurations.
• Business Impact: A more advanced attack could potentially bypass this
limitation, leading to unauthorized access to the system.
Estimated Business Costs of a Breach
A successful breach exploiting these vulnerabilities could lead to:
i. Data Breach Costs – $150,000+ per breach (based on industry averages).
ii. System Downtime – Potential financial loss from service disruptions and
damage to customer trust.
iii. Compliance Violations – Failure to meet security compliance regulations
(e.g., GDPR, ISO 27001) resulting in fines.
iv. Brand Reputation Damage – Loss of customer trust and possible legal
consequences.
This report contains descriptive infographics and an attack flow diagram to visually
summarize the security risks and mitigation strategies. Immediate action is
strongly advised to prevent financial loss, reputational damage, and potential
cyber-attacks.
[Figure: Vulnerability Distribution pie chart with segments Critical, High, Medium,
Low and Informational; segment values shown: 2%, 9%, 15%, 62%, 12%.]
2. Methodology
The penetration testing process followed these phases:
1. Reconnaissance & Scanning:
o Tools: Nmap, Nessus, Nikto
o Purpose: Identify open ports, running services, and known
vulnerabilities.
2. Vulnerability Analysis:
o Review scan outputs and manually verify findings using OpenSSL,
curl, and SSH tests.
3. Exploitation & post-exploitation:
o Attempt manual exploitation (e.g., testing for LFI, RCE, and SSH brute-force).
o Document results including both successful and failed attempts.
4. Reporting:
o Prepare a detailed report with evidence (screenshots, outputs), a
vulnerability summary table, and an attack flow diagram.
o Recommendations are based on industry best practices and aligned
with MITRE ATT&CK.
3. Environment Setup
3.1 Operating System & VM Installation
• Kali Linux: Installed as one of the VMs for testing and exploitation.
• Victim VM (Red Hat Linux): Deployed as the target machine.
• Installation: Both VMs were set up using VMware Workstation Player. The
Red Hat Linux VM was installed using the default settings provided in the
coursework materials.
3.2 VM Networking Configuration
• Network Mode: Both VMs were connected using a Host-Only network in
VMware, ensuring they are on the same subnet (e.g., 192.168.136.x) to allow
direct communication.
• Verification: IP addresses were confirmed using the ip a command on Kali
Linux and similar commands on the Victim VM.
Identified Kali’s IP: 192.168.136.129.
Discovered Victim VM’s IP: 192.168.136.128.
3.3 Nessus Installation and Setup
• Installation:
1. Downloaded the appropriate Nessus package for Debian/Ubuntu from
the Tenable website.
2. Installed using:
sudo dpkg -i Nessus-10.8.3-debian10_amd64.deb
• Start:
sudo systemctl start nessusd
• Access: Opened the Nessus web interface at https://localhost:8834,
configured the scanner, and registered using the DMU email credentials.
4. Reconnaissance & Scanning
4.1 Nmap Scanning
Commands Used:
sudo nmap -p- 192.168.136.128
sudo nmap --script=vulners -p 80,22,443,3306 192.168.136.128
Findings:
• Open ports include 22 (SSH), 80 (HTTP), 443 (HTTPS), and 3306 (MySQL).
• Service versions indicate outdated software (e.g., Apache 2.0.40, PHP 4.2.2,
SSHv1 support).
• Port 22 – SSH
State: Open
Description:
Provides Secure Shell access for remote login.
Could be vulnerable to brute-force attacks (e.g., using Hydra or similar
tools) if weak credentials are used.
• Port 80 – HTTP
State: Open
Description:
Hosts a web service.
Requires further scanning with tools like Nikto, Gobuster, or Burp
Suite to identify potential vulnerabilities (e.g., misconfigurations or
outdated software).
• Port 111 – RPCbind
State: Open
Description:
Used for Remote Procedure Call (RPC) services.
Its presence might indicate that Network File System (NFS) or other
RPC-related services are running, which could be exploited if
misconfigured.
• Port 443 – HTTPS
State: Open
Description:
Hosts a secure web service using SSL/TLS encryption.
Requires testing for misconfigurations, such as weak ciphers or
outdated SSL/TLS versions that might expose the service to attacks.
• Port 3306 – MySQL
State: Open
Description:
Provides access to the MySQL database service.
Could be vulnerable to SQL misconfigurations or weak credentials,
potentially allowing unauthorized database access.
4.2 Nessus Vulnerability Scan
• Nessus was run via the web interface (https://localhost:8834) targeting
192.168.136.128.
• Key Findings:
o SSL/TLS vulnerabilities: SSLv2/SSLv3 enabled, weak ciphers (RC4,
3DES, MD5).
o SSH misconfiguration: SSH Protocol Version 1 detected.
o Outdated web server software: Apache 2.0.40 and PHP 4.2.2.
• Nessus scan found 58 total vulnerabilities, including 1 Critical, 5 High,
and 9 Medium-risk issues.
• Breakdown of all important vulnerabilities
4.3 Nikto Web Scan
Command Used:
nikto -h http://192.168.136.128
Findings:
• The web server is running outdated software and misconfigured headers.
Nikto scan of http://192.168.136.128 found some key details:
1) Server Information
• Apache/2.0.40 running on Red Hat Linux
• PHP version: 4.2.2
This version is outdated and vulnerable; many public exploits exist for it.
2) Security Headers Missing
• X-Frame-Options not set
This means the site is vulnerable to Clickjacking attacks.
• X-Content-Type-Options not set
This can allow MIME-type confusion attacks.
5. Vulnerability Findings
Vulnerability Summary Table
(Columns: Vulnerability, Risk Level, Description, Evidence, Mitigation Recommendations)

SSLv2/SSLv3 Enabled
Risk Level: Critical
Description: Outdated SSL protocols allow attackers to intercept and decrypt secure traffic.
Evidence: Screenshot of nmap --script ssl-enum-ciphers output.
Mitigation Recommendations: Disable SSLv2/SSLv3; enforce TLS 1.2 or higher.

Weak SSL Ciphers (RC4, 3DES, MD5)
Risk Level: High
Description: The use of weak ciphers can be exploited to decrypt encrypted traffic.
Evidence: Nessus report and sslscan results.
Mitigation Recommendations: Disable weak ciphers; use modern cipher suites (AES-GCM).

SSH Protocol Version 1 Detected
Risk Level: High
Description: The server supports SSH v1, which is known to be insecure and susceptible to hijacking or brute-force attacks.
Evidence: Screenshot of ssh -v 192.168.136.128 output.
Mitigation Recommendations: Configure SSH to allow only SSHv2; update OpenSSH.

Outdated Apache 2.0.40
Risk Level: High
Description: Running an outdated version of Apache can expose the system to various exploits like LFI and RCE.
Evidence: Nessus and Nmap findings; LFI test output.
Mitigation Recommendations: Upgrade Apache to a supported version.

Outdated PHP 4.2.2
Risk Level: High
Description: An old PHP version that may allow remote code execution due to known vulnerabilities.
Evidence: Nessus report; RCE test output.
Mitigation Recommendations: Upgrade PHP to a supported version.

Self-Signed SSL Certificate
Risk Level: Medium
Description: Self-signed certificates can be spoofed, leading to trust issues and MiTM attacks.
Evidence: Nessus report screenshot.
Mitigation Recommendations: Replace with a certificate from a trusted CA.

TLS 1.0 Detected
Risk Level: Medium
Description: TLS 1.0 is outdated and vulnerable to attacks such as BEAST.
Evidence: Nessus/Nmap output.
Mitigation Recommendations: Disable TLS 1.0; enforce TLS 1.2 or higher.

OpenSSL Downgrade Attack Vulnerability
Risk Level: Medium
Description: Weak configurations can allow attackers to force connections to use less secure encryption.
Evidence: Nessus report details.
Mitigation Recommendations: Update OpenSSL; disable weak ciphers.
6. Exploitation & Verification Tests
6.1 Verification of SSL/TLS Vulnerabilities
Command:
sudo nmap --script ssl-enum-ciphers -p 443 192.168.136.128
• Observation: Weak ciphers (RC4, 3DES) detected.
• Expected Outcome: If these ciphers are accepted, an attacker could
potentially intercept and decrypt secure communications.
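To turn the ssl-enum-ciphers check above into a repeatable verification step, the following added script (not part of the original report) parses the script's text output and flags deprecated protocols and the weak cipher families the report calls out (RC4, 3DES, MD5). The embedded sample is constructed in the layout nmap prints, not output captured from 192.168.136.128.

```python
import re

# Constructed sample in the layout nmap's ssl-enum-ciphers script prints
# (not output captured from the target in this report).
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - C
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a suite as weak for the purposes of this report
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT", "_DES_")
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+|SSL_\S+)\s")

def audit_ssl_enum_ciphers(text):
    """Return deprecated protocols and, per protocol, the weak suites offered."""
    current, deprecated, weak = None, [], {}
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:  # a protocol header starts a new block of cipher lines
            current = m.group(1)
            if current in DEPRECATED_PROTOCOLS:
                deprecated.append(current)
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            name = m.group(1)
            if any(marker in name for marker in WEAK_MARKERS):
                weak.setdefault(current, []).append(name)
    return {"deprecated_protocols": deprecated, "weak_ciphers": weak}

if __name__ == "__main__":
    for key, value in audit_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT).items():
        print(key, value)
```

Feed it the saved output of `sudo nmap --script ssl-enum-ciphers -p 443 <host>` to re-check the host after the SSL/TLS changes in Section 8 have been applied.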
6.2 Manual Verification of SSH Vulnerabilities
Command:
ssh -v 192.168.136.128
• Observation: Output shows "Remote protocol version 1.99" and "OpenSSH
3.5p1," indicating SSHv1 support (a server advertises protocol version 1.99
when it accepts both SSHv1 and SSHv2 clients).
• Expected Outcome:
With SSHv1 enabled, an attacker might exploit this to hijack sessions or
perform brute-force attacks.
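The "1.99" reading above is the server's identification string, so the check can be scripted. The following added example (not from the original report) classifies an SSH banner by the protocol versions it offers, using the RFC 4253 rule that "1.99" means both SSHv1 and SSHv2 are accepted; the banners are constructed, and the SSH-1.99-OpenSSH_3.5p1 form reproduces what the report's ssh -v output describes.

```python
import re
import socket

# Constructed banners (not captured lines); the first matches the form the
# report observed: protocol 1.99 with OpenSSH 3.5p1.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1",
    "SSH-2.0-OpenSSH_9.6",
    "SSH-1.5-OpenSSH_2.9p2",
]

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")

def classify_ssh_banner(banner):
    """Map an SSH identification string to the protocol versions it offers.

    RFC 4253 section 5.1: a server sends "1.99" when it accepts both protocol 1
    and protocol 2 clients; "2.0" means SSHv2 only; "1.x" means SSHv1 only.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    version, software = m.groups()
    if version == "1.99":
        protocols = {1, 2}
    elif version.startswith("2."):
        protocols = {2}
    else:
        protocols = {1}
    return {"software": software, "protocols": protocols,
            "sshv1_enabled": 1 in protocols}

def read_banner(host, port=22, timeout=5):
    """Read the identification line a live server sends (for re-testing)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", "replace").splitlines()[0]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", classify_ssh_banner(banner))
```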
6.3 Manual Verification of Apache and PHP Vulnerabilities
LFI Test:
Command:
curl "http://192.168.136.128/index.php?page=../../../../../etc/passwd"
Observation: The command returned the normal HTML content of the website
rather than revealing the contents of /etc/passwd. This suggests the page
parameter is either sanitized or not used for file inclusion.
RCE Test:
Command:
curl "http://192.168.136.128/index.php?cmd=whoami"
• Observation: The command returns normal HTML, suggesting the cmd
parameter is either sanitized or not used for command execution.
6.4 Additional Exploitation Attempts
Command Used:
hydra -L /path/to/users.txt -P /path/to/passwords.txt ssh://192.168.136.128
Observation: Hydra failed due to key exchange mismatches.
Interpretation: The failure is consistent with the server's use of outdated and
insecure protocols.
Summary of Exploitation Attempts
• Successful Findings:
• Weak SSL/TLS configurations were confirmed, showing that outdated
and insecure ciphers are in use.
• SSH is running an outdated version (SSHv1 enabled), which is
insecure.
• Unsuccessful Findings:
• No Local File Inclusion (LFI) or Remote Code Execution (RCE) was
obtained through the tested parameters, suggesting those inputs are
sanitized.
• Hydra brute-force for SSH failed due to key exchange mismatches,
further confirming the use of obsolete protocols.
7. Attack Flow Diagram
8. Conclusion & Recommendations
8.1 Summary of Findings
• The system being targeted is using outdated software (such as Apache 2.0.40,
PHP 4.2.2) with insecure settings.
• The presence of weak encryption protocols (such as SSLv2/SSLv3, RC4,
3DES) and support for SSHv1 are making the system vulnerable to serious
risks.
• Although manual tests did not detect LFI/RCE issues, the insecure
configurations in themselves are a cause for significant concern.
8.2 Recommendations
• SSL/TLS:
• Disable SSLv2/SSLv3 and weak ciphers. Enforce TLS 1.2 or TLS 1.3
with modern cipher suites (e.g., AES-GCM).
• SSH:
• Disable SSHv1 and enforce SSHv2. Update OpenSSH to a current
version.
• Web Server:
• Upgrade Apache to a supported version and update PHP to a current
release.
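The recommendations in 8.2 and the missing headers from the Nikto scan in 4.3 can be expressed as concrete directives and checked before deployment. The following added example (not from the original report, and not the target's actual configuration) places a constructed weak Apache mod_ssl fragment beside a hardened one, together with the sshd_config Protocol setting, and audits each for the issues this report raises.

```python
# Constructed Apache mod_ssl and sshd_config fragments (not taken from the target):
# WEAK_* mirror the weaknesses in this report, HARDENED_* the recommended state.
WEAK_HTTPD = """SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""
HARDENED_HTTPD = """SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
"""
# Protocol only matters on OpenSSH releases that still ship SSHv1 (it was
# removed upstream in 7.6); upgrading OpenSSH is the lasting fix.
WEAK_SSHD = "Protocol 2,1\n"
HARDENED_SSHD = "Protocol 2\n"

DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # Apache names; TLSv1 is TLS 1.0
WEAK_CIPHER_MARKERS = ("ALL", "RC4", "DES", "MD5", "LOW", "EXP", "SSLV2", "NULL")
REQUIRED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options")

def _directives(conf):
    """Yield (name, value) pairs for each non-comment, non-empty line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            yield name, value.strip()

def audit_httpd(conf):
    """Return the issues found in an Apache mod_ssl/headers fragment."""
    d = dict(_directives(conf))
    issues = []
    tokens = d.get("SSLProtocol", "all").split()
    for proto in DEPRECATED:  # "all" enables a protocol unless it is subtracted
        enabled = "all" in tokens or proto in tokens or "+" + proto in tokens
        if enabled and "-" + proto not in tokens:
            issues.append("%s enabled" % proto)
    for tok in d.get("SSLCipherSuite", "DEFAULT").split(":"):
        if not tok.startswith("!") and any(m in tok.upper() for m in WEAK_CIPHER_MARKERS):
            issues.append("weak cipher token %s" % tok)
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        issues.append("SSLHonorCipherOrder not on")
    headers = [v for n, v in _directives(conf) if n == "Header"]
    for h in REQUIRED_HEADERS:
        if not any(h in v for v in headers):
            issues.append("%s header not set" % h)
    return issues

def audit_sshd(conf):
    """Return the issues found in an sshd_config fragment (SSHv1 support)."""
    versions = dict(_directives(conf)).get("Protocol", "2").replace(" ", "").split(",")
    return ["SSHv1 enabled"] if "1" in versions else []
```

Run `audit_httpd` over the live ssl.conf and `audit_sshd` over /etc/ssh/sshd_config after the upgrade; an empty list from both means the 8.2 recommendations are in place.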
8.3 MITRE ATT&CK Alignment
• T1190 – Exploit Public-Facing Application: (Apache/PHP vulnerabilities)
• T1059 – Command and Scripting Interpreter: (RCE potential)
• T1078 – Valid Accounts: (SSH brute-force testing attempt)
• T1021 – Remote Services: (Weak SSH and SSL/TLS issues)
9. Appendices
Appendix: Commands Used
• sudo dpkg -i Nessus-10.8.3-debian10_amd64.deb
• sudo systemctl start nessusd
• sudo nmap -p- 192.168.136.128
• sudo nmap -A -p 22,80,443,3306 192.168.136.128
• nikto -h http://192.168.136.128
• curl "http://192.168.136.128/index.php?page=../../../../../etc/passwd"
• curl "http://192.168.136.128/index.php?cmd=whoami"
• hydra -L /path/to/users.txt -P /path/to/passwords.txt ssh://192.168.136.128
10. References
1. Nmap
o Official website: https://nmap.org
o Documentation and usage examples can be found on the Nmap
website.
2. Nessus
o Tenable Nessus product page:
https://www.tenable.com/products/nessus
o Nessus Essentials documentation provided by Tenable.
3. Nikto
o Nikto official page and documentation: https://cirt.net/Nikto2
4. Hydra
o THC Hydra GitHub Repository: https://github.com/vanhauser-thc/thc-hydra
5. MITRE ATT&CK Framework
o MITRE ATT&CK official website: https://attack.mitre.org
6. OpenSSL
o OpenSSL official website: https://www.openssl.org
7. VMware Workstation Player
o VMware Workstation Player information:
https://www.vmware.com/products/workstation-player.html
8. Coursework Brief
o De Montfort University Penetration Testing Coursework Brief
(2024/25)