[00:00:00] All right. Welcome to the last video in this section, and the real report. So this is a real report, and I have obfuscated any client information out of this, so you won't be able to see who the client was. But I think it's a good indication of how I write my reports, and it just allows you to see what a real report actually looks like compared to what I kind of showed you as a baseline. So this should all look a little bit familiar; we'll cover some steps a little bit quicker than the rest. Again, table of contents: you can see it's more filled out because we have a lot more going on, and the confidentiality statement is the same as before. We're gonna go ahead and just skip over that, skip over this. We did an external penetration test here, we did an internal penetration test, and we did a web application penetration test. So remember when I told you last time that we would cover the different assessment components and how we were doing them? We listed external, internal, and web application in a brief overview of what those are. Now we also have the finding severity ratings just like before; we have the different risk factors, talking about how risk is measured. So I added this in: risk as measured by likelihood and impact. Here's what likelihood is, here's what impact is, and then here's the scope.
[00:01:14] So we had the external scope, the internal scope, and the web application scope. We did not perform any denial of service or phishing and social engineering. All attacks not specified above are permitted. And then they did provide us an allowance of internal network access for our laptop. So coming through here, here is the executive summary, right. So this is where we evaluated the external, internal, and web application, and this is a high level overview of strengths and weaknesses. So I'm not going to read this to you; if you want to, read through it. It really just talks about here's what we did on the external. OK, it did not lead to any access. We were able to identify some things like account enumeration, right. And we noted that the external network was actually well patched. There was a strong password policy and multi-factor authentication was in place on login. So that's kudos, right. You want to give them kudos where you can. Same thing with the internal, what we talked about, and then the web application and what we found there. So this is a high level overview. Somebody can come read this executive summary and know exactly what's going on and what happened in their network.
[00:02:21] Now here are the strengths and weaknesses. So they were able to detect alerts on vulnerability scans. They had multi-factor authentication in their network and they had a strong password policy. This client was actually really, really sound overall. Their web application had session fixation and potential denial of service. OK, and we'll talk about that in a second. So I like to give a nice Vulnerability Summary Report Card. This is great for that executive level who just wants to take a look, and you can see right away: OK, no critical findings, no highs, a few moderates, lows, informational; here's what the moderates, lows, and informational were; here's what the recommendation was; here is your final grade, right. This is clear cut, and this is what you want when you're reporting: you want clear cut. You want the executive to look at this and have a nice visual aspect to it. So this makes a lot of sense, right. Same thing with the web application. OK, there were a couple of high findings, the rest were low, and the final web grade was B plus. So again, very, very good here. So coming through.
[00:03:33] Let's just talk about some of the findings and how it looks in my reporting. So I identified in their network that they were vulnerable to MS17-010. However, there was a special situation here where the client was actually requiring, or it was requiring, an authenticated login which I never got. So unless you had a valid login you could not exploit this specific machine. That was because there were no named pipes, which is how EternalBlue actually functions. So to get that named pipe you had to have a login. Now I give the description here, the risk, and the system it came on, what tools I used and what references again, and then I provide evidence. Here it shows that it is not patched; it was a Windows 8 machine. And I say figure one, not patched. Here's the remediation: apply the patching. Here's a specific link that they can find on which, you know, which update will do that for them. So you give the full overview; you have to give a description. You talk about the risk. OK, the likelihood is moderate and the impact is high because we will get system level access if we do get into this machine. So scrolling through, you've seen this before: LLMNR. I was able to capture the hashes, was not able to crack the hashes. OK.
[00:04:55] Because of that this is just a moderate, but still, the recommendations are to disable the multicast name resolution via the GPO, right. So just like we talked about earlier, this is something that's familiar to you. And then we used Responder to capture this; it kind of gives that technical level of, you know, here's how we ran this type deal. And you could have proof of concept here with your pictures. So insufficient hardening, SMB signing disabled: I'm not going to walk through every single one of these, you know, line by line. But SMB signing disabled is something you've seen before and is just best practice, right; you want them to have that enabled so we don't have the SMB relay attacks. Here they had an SNMP community string, it was just a public string on SNMP; we were able to enumerate that, we were able to see a little bit of information on that. You should basically have these off, disable SNMP if it's not required type deal. So just the best practice. They also had an FTP server which was susceptible to a relatively new exploit. The exploit was actually so new that there was not a proof of concept out there; it was a Microsoft bulletin that was out. So because of that I put it as a low finding.
[00:06:11] Had it been one that had a proof of concept and I was able to attempt it or exploit it, like the MS17-010, then that becomes more of a moderate to high finding depending on if the exploit happened, or even a critical if there was machine access gained. And then lastly, or close to lastly, there was IMAP running that was on a non-encrypted port, so it is running on 143, and you could get their webmaster email address and their password in cleartext. So I did that, was able to log in to their email with that password, and that password worked across the network. Lastly I like to talk about the undetected malicious activity. So I go through and I say, hey look, I was attempting all these different things. You know, you didn't see me doing nmap, you didn't see me doing any kind of poisoning attacks or brute force attacks or anything along those lines, so you really need to work on fine tuning this. And then coming in here, also I like to give out historical account compromises. So they were a relatively small company; only one user showed up, and this is actually from WeLeakInfo, and I know, I just like to point out, you know, this is informational to them. I'll provide them an Excel doc of all the users if they like that, and, you know, just have it in there.
[00:07:28] And again the same remediation as last video: you know, train users not to use their email address unless they have to, utilize strong passwords, password rotation, etc. On to the web application. So here, I said way early in the course I would show you an example of session fixation. So here is a finding on session fixation where, you know, we had this cookie. The cookie was set prior to authentication, and then guess what, it was set after authentication, and then it was remaining the same after a logout. And so we had the recommendations here on what they should do for session fixation. We also have the references to that, OWASP; we talk about the likelihood, the impact, etc. So that's one example on the web app side. Another one that showed up as high was denial of service. So they had this, you know, forgot password feature where we went in and we said, hey, like, you know, here's our user name. And it said that user name doesn't exist. OK, well that's user enumeration, right. Well that's a low finding, not really that big of a deal. Well, when you combine that low finding with an account lockout feature where you cannot reset that password yourself, or there is no lockout timeout, then that becomes denial of service because, guess what.
[00:08:54] We can enumerate every single user and we can lock out every single user. We can deny service to the entire application, and that's how that becomes a finding as well. So scrolling through, insufficient encryption: we talked about this, right. Remember we scanned Tesla and it came back as all A's. Well, not everyone comes back as all A's. Here's an example; we like to report on that, just let them know, hey, you should stop using these deprecated ciphers, you should, you know, disable any deprecated TLS encryption ciphers. Scrolling through again, information disclosure in headers. We've talked about this as well, right. So the server here was disclosing that it was IIS 10.0. It was disclosing ASP.NET and powered by ASP.NET, which is just telling us this is running on Microsoft. So we want to get rid of all this if we can; that way we don't know, as an attacker, you know, what we're up against. They were also doing a little bit of information disclosure through verbose error messages. If you've ever seen an IIS 404, this is a very generic 404, I guess. So we dinged them there as well.
[00:10:06] Lastly, I think that we have here autocomplete, and this is a low finding, but, you know, this could get a password stored on a user's browser. And if we were able to hijack that browser we could log in as that user. So we always recommend that autocomplete is disabled. And then we've got actually these insecure response headers. So this is that securityheaders.io or securityheaders.com that you can run, but I always like to look at them, see what they're running, and then I'll say, hey, like, you're missing Content-Security-Policy, Strict-Transport-Security, X-XSS-Protection, etc. So this will come up when you're doing Burp Suite. But again you can run it on securityheaders.com, securityheaders.io, and that'll work as well, and I have that as a reference here to kind of tell you what you have and what you should have as best practice. And then again that undetected malicious activity, so that they are aware of what we ran, the attacks, and, you know, that they weren't able to detect those attacks. And then last page here, additional scan reports and details: I provided the external summary in an Excel format, a full PDF and an executive PDF, and these are just Nessus pulls, all right, here. And then this here is from Burp Suite. Burp Suite is able to run reports as well, so I listed them: an unauthenticated report and an authenticated report.
[00:11:32] So they have all this available to review. So, lastly, last page here. So I went through that kind of quick. I just wanted an overview; I wanted you to see a report. I wanted you to put things together, right. Like, everything that you saw in that report was everything that we've covered in this class. There wasn't one thing really out of place, and that just hopefully will give you an idea of what a report looks like, give you a little bit of confidence that, like, yeah, you know, like, these are things that he's talked about, and now I know that they are findings and how to kind of present those findings. And if at any point you felt like it went too fast, this video, just hit the pause button, read through what was on that page, and if you want to take it slower, read through it, have fun with it. That's it for this. So we're in the homestretch, just a couple more videos left. So now we're going to talk about career advice in the next section, and then we're out of here, man. So let's do this. Let's go ahead and cut over to the next section. I will see you over there.