
Information Security Penetration Test

Merideth Moore
March 25, 2019
TABLE OF CONTENTS
INTRODUCTION ............................ 4
PREPARATION ............................. 5
ENGAGEMENT SUMMARY ...................... 6
DETAILED FINDINGS ....................... 8
RECONNAISSANCE FINDINGS ................. 8
SCANNING FINDINGS ...................... 11
VULNERABILITY SCANNING FINDINGS ........ 15
CONCLUSION ............................. 19
APPENDIX A: CARELINE SCREENSHOTS ....... 20

CareLine | 2
1 INTRODUCTION

INTRODUCTION:
In a world that is dependent on technology and web applications,
cybersecurity attacks have been on the rise. According to Positive
Technologies Security, there were 350,000 cybersecurity attacks in
2017. Of these, web applications in the healthcare industry were
the most targeted because of their confidential patient data and
the ability of attackers to hold that information for blackmail.

While these attack statistics are alarming, they have not stopped
the growth of web applications. Among the many new web applications
developed each year, CareLine was released in 2018. CareLine is a
sleek and modern web application that features built-in calendar
updates for office appointments, text and video chat, and email
notifications with automated updates. CareLine was created as a
Senior Design project by Merideth Moore, Garrett Souders, and Jeremy
Thomas. Merideth, Garrett, and Jeremy built the application as a way
to increase communication not only between families and their
relatives in long-term care, but also between families and the
facilities' caretakers.

As with any release of a web application, running a penetration
test on the application is a critical step to ensure that it is
secured with modern application security tools and is not
vulnerable. Additionally, this test was used to ensure that CareLine
met the defined security requirements for all roles and that the
application was ready for production deployment.

PREPARATION:

To complete the CareLine Information Security Penetration Test, I
(Merideth Moore) worked closely with Jeremy, our Testing Lead on
the project, to develop a concise and adequate spreadsheet of
detailed security activities that would allow us to evaluate the
risk of a breach for CareLine.

Preparing the spreadsheet involved evaluating multiple security
techniques from various educational resources as well as analyzing
the applicable Health Insurance Portability and Accountability Act
(HIPAA) standard. After analyzing this critical information, I
compiled a final set of standards that would be followed for the
test:

With a completed set of standards for the test, as well as the
conditions that needed to be met, I set up the virtual machines
that were used to execute the test. One virtual machine running
Kali Linux was configured to run a significant portion of the test,
and a second virtual machine running Windows 10 was configured to
run secondary tasks that Kali Linux could not handle. Together,
this preparation allowed me to be ready for the test and to execute
it efficiently.

ENGAGEMENT SUMMARY:
Over the course of 28 days, I (Merideth Moore) conducted a
penetration test to evaluate CareLine. My test began on
February 18, 2019 and concluded on March 17, 2019.

The scope of my penetration test included completing several
exercises using various security methods as well as intensive
research through useful security documents. OSINT (Open Source
Intelligence) gathering was executed against CareLine's website
(www.carelinetechnology.com) via Passive Reconnaissance. Active
Reconnaissance was practiced against the Nmap Security Scanner
Project's free test host, www.scanme.nmap.org.

During the execution of this test, I utilized multiple sandbox
systems (Kali Linux and Windows) to gather results. Additionally,
Google Dorks and Nmap were the tools used during the penetration
test.

2 DETAILED FINDINGS

DETAILED FINDINGS:

The following sections on Reconnaissance, Scanning, Vulnerability
Scanning, Traffic Analysis, and Exploitation present a detailed
description of the findings for each method that was utilized
during my penetration test, as well as background on the use of
each technique and the tools involved.

RECONNAISSANCE FINDINGS:

The beginning of my penetration test involved open source
intelligence gathering. Otherwise known as Reconnaissance, this is
the process of collecting intelligence by finding, selecting,
organizing, and analyzing information that is available from public
sources. Reconnaissance techniques fall into three types: passive,
semi-passive, and active.

Passive Reconnaissance gathers information without ever interacting
with the target's own systems, so the target organization has no
way to detect it. This includes activities such as browsing the
Google cache or reading public forums where the organization's
technologists describe problems with their technology while posting
from a work email address. Semi-Passive Reconnaissance uses
third-party services such as Shodan.io, Censys, or ZoomEye, which
continuously scan the internet and index the service banners they
collect; the tester searches that index rather than probing the
target directly, and any traffic that does reach the target looks
like ordinary internet traffic. Active Reconnaissance interacts
directly with the target's infrastructure and can therefore be
detected and logged by the target. Activities that count as Active
Reconnaissance include DNS reverse lookups, zone transfer attempts,
and searching for unpublished directories.

During this specific test, I utilized the Passive and Semi-Passive
Reconnaissance techniques to gather information regarding
CareLine's website, www.carelinetechnology.com.

Screenshot 1:

As presented in Screenshot 1, I was able to immediately uncover
CareLine's exact domain through the use of the following Google
search operators:

- site: restricts results to a given website or domain

- inurl: restricts results to pages whose URL contains the given
  phrase

In addition to utilizing Google Dorks, I also made use of the
Semi-Passive Reconnaissance tools Shodan.io and WHOIS to gather
additional critical information on CareLine's website and how it
is hosted.

Screenshot 2:

Screenshot 3:

As presented in Screenshots 2 and 3, Shodan.io and WHOIS were
utilized to gather raw data on CareLine's domain. This information
was important as it presented the public information on the domain
that could be used against the website in an attack.

However, since the domain was registered with privacy protection, I
was only able to uncover very general information on the web
application, such as where the domain name was purchased
(Namecheap), the domain expiration date (October 25, 2019), and the
hosting provider (DigitalOcean). While this information was helpful
in understanding the background of the web application, it also
displayed how secure the web application truly is. CareLine is
protected on the outside and is challenging for even an excellent
security analyst to hack or corrupt.

SCANNING FINDINGS:

The second part of my penetration test involved utilizing various
scanning techniques to identify open ports and the operating system
of the CareLine host.

Three common port scanning tools are Nmap, Masscan, and Xprobe2.
Nmap is a popular free and open source tool used for network
discovery and security auditing; it allows penetration testers to
gather information by scanning large networks or single hosts.
Masscan is an extremely fast internet-scale port scanner that uses
its own custom TCP/IP stack so that it can transmit probes
asynchronously instead of waiting on the operating system's network
stack. Xprobe2 is an active fingerprinting tool that interacts with
remote systems and compares the returned signatures against a
database of known signatures in order to provide operating system
detection.

During this test, I utilized the common tool Nmap, which allowed me
to scan for and identify the open ports on the target as well as
the operating system and host. Screenshots 4, 5, 6, and 7 below
present my findings:

Screenshot 4:

Screenshot 5:

Screenshot 6:

Screenshot 7:

As presented in Screenshot 4, I ran the command
nmap -T4 -F www.carelinetechnology.com, which allowed me to
determine that the target carelinetechnology.com has 97 filtered
ports and that ports 22 (SSH), 443 (HTTP over SSL), and 1433
(MS-SQL-S) are open. Of these ports, 22 and 443 were open to pass
secure traffic, and 1433 is used for database access, since the
application uses a SQL database. Having port 1433 open presents a
vulnerability for the application, as it provides direct access to
the database and gives a potential attacker an additional route
into the application.

In regard to Screenshot 5, the command
nmap -p 1-65535 -T4 -A -v www.carelinetechnology.com executed an
intense, general informational scan of the application that covered
all TCP ports. This was critical as it allowed me to see which TCP
ports were left open and presented vulnerabilities. In this case,
after viewing the results, there were no major ports open and no
concerns for CareLine.

Lastly, for Screenshots 6 and 7, upon the completion of the scans,
general information was returned on the application's host. As
visible in Screenshot 6, I was able to gather a "fish-eye" view of
the application and how it is hosted. From the screenshot, we can
tell that the application is hosted on a single machine with the IP
address 69.55.55.228. This information is important and fairly
alarming, as it gives a potential attacker a way in. Additionally,
in Screenshot 7, we were also able to gather additional details on
the rest of the ports and the operating system (Not Available).
This was encouraging and indicated strong security, as the
application did not have any major open ports or an operating
system that could be exploited easily.

With the Nmap commands above, TCP scans were conducted rather than
UDP scans. A TCP scan was preferred because it is faster: every
probed TCP port answers definitively, with a SYN/ACK if it is open
or a RST if it is closed, so thousands of ports can be covered in
seconds. A firewall that silently drops probes does slow the scan
down and leaves those ports reported as filtered, which is exactly
what the 97 filtered ports in Screenshot 4 show. UDP scanning is
far slower because an open UDP port usually sends no reply at all,
while a closed port answers with an ICMP port-unreachable message
that most hosts rate-limit to roughly one per second; Nmap
therefore has to wait on each port and can often only report
open|filtered. Skipping UDP is a trade-off rather than a free
choice, since UDP-only services such as DNS, SNMP, and NTP are left
unassessed.
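
The scan interpretation above (open versus filtered ports, a
database port reachable from the internet, and the TCP/UDP
trade-off) can be turned into a repeatable check. The following
Python script is an added example for this page, not part of the
original report or of CareLine: it parses the XML that Nmap writes
with -oX (for instance nmap -sS -sU -oX scan.xml <target>) and
flags services that should not be exposed to the internet. The XML
embedded in it is constructed to mirror the ports the report
describes (22, 443 and 1433 open, 97 filtered) plus one UDP port in
the open|filtered state that makes UDP results uncertain; the list
of sensitive ports is an assumption made for the demonstration.

```python
"""Parse Nmap -oX output and flag services that should not be reachable
from the internet.  Added example for this report; the XML below is
constructed to mirror the ports the report describes, not a real scan."""
import xml.etree.ElementTree as ET

# Ports whose exposure to the public internet warrants a finding.  This set
# is an assumption for the example, not a list taken from the report.
SENSITIVE_PORTS = {
    ("tcp", 1433): "MS SQL Server",
    ("tcp", 3306): "MySQL",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 3389): "RDP",
    ("tcp", 6379): "Redis",
    ("tcp", 27017): "MongoDB",
    ("udp", 161): "SNMP",
}

# Constructed sample shaped like `nmap -sS -sU -oX scan.xml <target>`:
# three open TCP ports, 97 filtered ports, and one UDP port that never
# answered (open|filtered).  192.0.2.10 is a documentation-only address.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -oX scan.xml example.invalid">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="97"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return (host, protocol, port, state, service) for every port that Nmap
    did not report as closed or filtered.  'open|filtered' is kept on
    purpose: a UDP port that never answers may still be open."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")  # first <address> is the IP
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state in ("closed", "filtered"):
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else ""
            results.append((addr, port.get("protocol"), int(port.get("portid")),
                            state, name))
    return results


def flag_exposed_services(xml_text):
    """Cross the parsed ports with SENSITIVE_PORTS and return findings as
    (host, 'proto/port', label, state) tuples, in scan order."""
    findings = []
    for addr, proto, portid, state, _service in parse_open_ports(xml_text):
        label = SENSITIVE_PORTS.get((proto, portid))
        if label:
            findings.append((addr, "%s/%d" % (proto, portid), label, state))
    return findings


if __name__ == "__main__":
    for host, port, label, state in flag_exposed_services(SAMPLE_XML):
        print("FINDING: %s %s (%s) is %s from the scanning host"
              % (host, port, label, state))
```

Run against a real scan by replacing SAMPLE_XML with the contents of
the -oX file. The open|filtered entry is reported alongside the
confirmed open database port rather than dropped, which is the point
of the UDP caveat: an unanswered probe is not evidence that the
service is absent.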

VULNERABILITY SCANNING FINDINGS:

It is important to acknowledge that there are three common network
vulnerability scanning tools: Nessus, Nexpose (InsightVM), and
OpenVAS. Each of these tools has a unique set of features that give
security professionals and penetration testers the ability to
identify vulnerabilities.

Having a good grasp of common network vulnerability scanning tools,
and the ability to use them, is critical for anyone defending a
system, since a penetration tester (or an attacker) who finds such a
vulnerability can exploit it with a framework such as Metasploit and
then run a payload such as Meterpreter on the compromised host.
Common network vulnerability scanning tools help us identify these
vulnerabilities early, before they are eventually exploited.

In addition to common network vulnerability scanning tools, there
are also three common web vulnerability scanning tools: AppScan,
AppSpider, and Acunetix WVS.

For CareLine, several vulnerability scanning techniques were used
against the application to test its security in addition to the
port scans. As shown in Screenshot 8, the login page of CareLine
was tested with various password-cracking techniques and login
credentials. None of these attempts succeeded: there was no way to
exploit the login screen and gain access to the application without
a valid username and password.

Screenshot 8:

In addition to attempting to gain access to the application, three
other attacks were attempted against CareLine. The first attack was
Cross-Site Scripting (XSS). XSS is an injection attack in which an
attacker supplies script content (typically JavaScript) through
user-controlled input that the web application then echoes back into
a page without proper output encoding, so that the script executes
in other users' browsers. In this particular test, a simple
injection was created and executed against CareLine, but it was not
successful. The results of this test concluded that CareLine was
secure from XSS attacks.

The second attempted attack on CareLine was a SQL Injection. Like
XSS, this is another injection attack: crafted input is incorporated
into a database query so that it changes the meaning of the query.
In the case of CareLine and this test, a SQL Injection was attempted
because the primary database for CareLine is SQL. A SQL Injection
by an outside attacker could expose, alter, or destroy the
application's data, so testing for it before a real occurrence is
critical. As displayed in Screenshot 9, we used a modified SQL
Injection payload and ran it against the application. Overall,
CareLine was able to withstand the modified SQL Injection and
displayed great security for the future.

Screenshot 9:

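The SQL Injection test described above is easiest to understand
against code. Below is an added example, not CareLine's code and not
part of the original report: a login check that splices the username
into the query text, beside the parameterised version that the fix
consists of, run against an in-memory SQLite database so that it
works offline. The report's database is SQL Server; the "--" line
comment used by the payload is accepted there as well. The table,
the user names and the passwords are constructed for the
demonstration.

```python
"""Login check with string-built SQL beside the parameterised fix.
Added example for this report; CareLine's own code is not shown here and
the schema, users and passwords are constructed for the demonstration."""
import hashlib
import sqlite3


def build_db():
    """Create an in-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # SHA-256 is used here only to keep the example short; a real deployment
    # needs a slow, salted password hash (bcrypt, scrypt or Argon2).
    for user, pw in (("caretaker", "Tr0ub4dor&3"), ("family", "correct horse")):
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input is spliced into the SQL text, so a quote in
    the username ends the string literal and the rest is parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters travel to the engine as data, so nothing
    in the username can change the structure of the statement."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


# Classic authentication-bypass payload: closes the quoted username, ORs in
# an always-true condition, and comments out the password clause.  The
# resulting text is
#   ... WHERE username = 'caretaker' OR '1'='1' -- ' AND pw_hash = '...'
BYPASS = "caretaker' OR '1'='1' -- "


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, bad password:", login_vulnerable(conn, BYPASS, "wrong"))
    print("safe, bad password:      ", login_safe(conn, BYPASS, "wrong"))
```

With a wrong password the vulnerable function still returns a user
name, because the injected condition is true for every row and the
password check has become a comment; the parameterised version
returns None for the same input and only succeeds for a genuine
username and password pair.
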
The last and final attack that was performed was a directory
traversal. A directory traversal is an attack on a web application
delivered over the Hypertext Transfer Protocol (HTTP), in which path
sequences such as ../ are placed in a request so that the server
reads files outside the directory it was meant to serve, giving the
attacker access to the critical directories of the web application.
For CareLine, the heart of the project rests within its directories,
and ensuring that they are secure is important.

An attempted directory traversal attack was run against CareLine and
did not succeed. The attack was not able to gain access to the
critical directories, and there was no disruption to the
application. In total, the directory traversal attack was entirely
unsuccessful, which justified that CareLine is secured.
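
Directory traversal as described above, shown as an added example
that is not part of the original report or of CareLine's code: an
unchecked path join beside a canonicalise-then-check version, run
against a throwaway web root created with tempfile. The file names
and the payloads (plain, URL-encoded and double-encoded) are
constructed for the demonstration.

```python
"""Directory traversal: an unchecked path join beside a canonicalise-then-
check version.  Added example for this report, not CareLine's code; the
web root and its files are created in a temporary directory so that the
demonstration runs anywhere."""
import os
import tempfile
from urllib.parse import unquote


def unsafe_path(web_root, requested):
    """The defect: '../' segments in the request walk out of web_root."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def safe_path(web_root, requested):
    """Decode the request once, resolve symlinks and '..', then require the
    result to stay under web_root.  Returns None for anything that
    escapes, including an absolute path in the request (which
    os.path.join would otherwise honour)."""
    root = os.path.realpath(web_root)
    relative = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath rather than startswith, so that /www2 is not accepted as
    # being inside /www.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Run the classic payloads against a throwaway web root and report,
    as a dict of booleans, what each version does with them."""
    with tempfile.TemporaryDirectory() as base:
        web = os.path.join(base, "www")
        os.makedirs(web)
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("outside the web root\n")
        with open(os.path.join(web, "index.html"), "w") as fh:
            fh.write("<h1>CareLine</h1>\n")

        plain = "../secret.txt"
        encoded = "..%2Fsecret.txt"    # same payload with the slash URL-encoded
        # Double-encoded: one decode yields '..%2Fsecret.txt', a literal file
        # name inside the root.  It only becomes a traversal if a proxy
        # decodes once and the application decodes again, so decode exactly
        # once and do it inside the check.
        double = "..%252Fsecret.txt"

        return {
            "unsafe_reads_secret": os.path.isfile(unsafe_path(web, plain)),
            "safe_blocks_plain": safe_path(web, plain) is None,
            "safe_blocks_encoded": safe_path(web, encoded) is None,
            "safe_serves_index": safe_path(web, "index.html")
                == os.path.realpath(os.path.join(web, "index.html")),
            "double_decoded_stays_inside": safe_path(web, double) is not None,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print("%-28s %s" % (check, outcome))
```

The unsafe join hands back a real file one level above the web root,
which is what a successful traversal against a server looks like; the
checked version refuses both the plain and the encoded payload while
still serving a legitimate file under the root.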

3 CONCLUSION AND APPENDIX

CONCLUSION:

In conclusion, a penetration test was conducted that included
various technical methods such as OSINT gathering and performing
both Passive and Active Reconnaissance. Additionally, intensive
research and written answers were provided to answer general
penetration testing questions.

This experience was very successful in displaying the strong
security of the web application and allowed me to attempt new
security techniques closely related to what I have been learning in
school over the past five years. As I continue to move forward with
my career, I feel that this experience will allow me to display the
importance of security professionals like myself, and also allow
others to see how important it is to use and care about information
security. Had it not been secured properly, this application could
easily have been attacked. Understanding these techniques and
valuing them in any organization is critical, and gives every party
a compelling reason to care.

Overall, this was a great and fun way to turn the last part of my
Senior Project into a security project as well. I believe that the
execution and research of techniques that I was able to do was
important, and it allowed me to grow in a personal and professional
sense. It was great completing this project and I look forward to
doing more of these in my future career.

APPENDIX A: CARELINE SCREENSHOTS

The following screenshots are a general overview of the CareLine
application that was built for the senior project.

Home/Marketing Page:

Caretaker Dashboard:

Patient Page:

Clinic Page:

