External Penetration Test Report 2021
January 15, 2021
Sample Project
Authored by: Freddie Fakename

Table of Contents

Disclaimer
Scope
    Testing Objective
    Risk Classification
External Penetration Test Results
Summary of Vulnerabilities
1. Communication is not secure
2. CKEditor 4.10.1 has 3 vulnerabilities
3. jQuery 3.4.1 has 2 vulnerabilities

MacGuyverTech Inc. – Sample Report Page 2

Date: January 15, 2021
To: Sample Project Management
Re: Internal Network Penetration Test Report 2021

MacGuyverTech is pleased to present the following report to Sample Project detailing our External Network Penetration Test Report 2020; it represents the principal matters we consider worth the attention of the Sample Project team.

MacGuyverTech was tasked with performing an external network penetration test for Sample Project. An external penetration test is a dedicated attack against externally connected systems.
The focus of this test is to perform attacks, mimicking methodologies of a hacker attempting to infiltrate Sample Project’s external infrastructure. Our overall objective was to evaluate the infrastructure, identify systems, and exploit flaws while reporting the findings back to Sample Project.

Our report identifies certain “findings” which we recommend be understood and remediated by management and appropriate staff. Some of these findings are critical in nature and must be addressed immediately.

Respectfully,

______________________________
January 15, 2021
Freddie Fakename
Certified Auditor

Copyright

Copyright© 2021 MacGuyverTech. All Rights Reserved.

Disclaimer

This Penetration test Report (the “report”) was created for by MacGuyverTech. This report contains confidential information of Sample Project. MacGuyverTech agrees to hold this report confidential and shall not disclose it or its contents to any third party other than Sample Project without prior consultation and written agreement.

This report is provided to the recipient “as is” without warranty of any kind. Furthermore, MacGuyverTech expressly disclaims any warranty or representation (either express or implied) that the report will identify any or all potential security risks or problems. MacGuyverTech shall have no liability whatsoever for Sample Project’s use or further dissemination of their proprietary information.

Scope

Testing Objective

The internal Penetration Test objective is to determine Sample Project’s state of internal infra security for sound practices and timely management.
The report may contain the following:

Active Host information gathering and discovery:
- IP range port scan to discover active hosts
- OS fingerprinting of all active Hosts (Angry IP Scan)
- Service identification of all open ports
- Application identification of all Identified services

Automated vulnerability scanning with multiple tools:
- Scanning done using Nessus – OpenVAS
- All test cases played except DoS and Crash tests
- Scanning done on all known IPs (active or inactive)

Manual Penetration testing:
- Testing done based on findings from automated tools
- All relevant exploits from the last 6 months are tested.
- Multiple sources used for exploit code gathering (Metasploit, Nikto, and Hydra)

Risk Classification

1. High Risk vulnerabilities pose an immediate threat to the information security of Sample Project and must be addressed immediately.
2. Medium Risk vulnerabilities must be addressed promptly as they could potentially pose serious threats to the information security of Sample Project.
3. Low Risk vulnerabilities are issues that do not pose an immediate or critical threat but must be addressed later.

External Penetration Test Results

External Network Name    XX.XXX.42.138 -142
                         XXX.XX.131.58-.62
                         XX.X.115.242-246
                         XX.XXX.42.129-134
                         http//:www.samplewebsiter.com/sample_page/
Assessment Started       01-15-2021
Assessment Ended         01-15-2021

Executive Summary: The scans and tests carried out for the Sample Project revealed the level of cyber resiliency the project has. Overall a total of x vulnerabilities were discovered. Of these vulnerabilities, y were high risk, z were medium risk and x were low risk.

Methodologies: Black box (Penetration testing was conducted over internal network and with no prior knowledge of network and application architecture or background technologies).

Techniques: Automated network vulnerability scanner Nessus, Nmap, Kali and Manual penetration testing.
The following table provides an overview of the vulnerabilities found in the network:

Severity    Vulnerability Count
High        0
Medium      3
Low         144
Total       147

[Chart: Vulnerability Count by severity (High, Medium, Low, Total)]

Summary of Vulnerabilities

This risk analysis included Sample Project’s external network penetration testing. The following table provides an overview of the vulnerabilities found.

Vulnerability                IP                                            Severity
Communications not secure    XX.XXX.42.138 -142                            Medium
                             XXX.XX.131.58-.62
                             XX.X.115.242-246
Sample Vulnerability         http//:www.samplewebsiter.com/sample_page/    Medium
Sample Vulnerability         http//:www.samplewebsiter.com/sample_page/    Medium

1. Communication is not secure

Severity: Medium Risk

Description: The communication between the web browser and the server is done using the HTTP protocol, which transmits data unencrypted over the network. Thus, an attacker who manages to intercept the communication at the network level is able to read and modify the data transmitted (including passwords and other sensitive data).

Observation: Outdated protocol does not properly secure communications along the network. has a very serious exploit which can grant unauthorized access to the entire system. This must be addressed as soon as possible.

Recommendations: We recommend you reconfigure the web server to use HTTPS, which encrypts the communication between web browser and the server.

Evidence for XX.XXX.42.138 -142
Evidence for XXX.XX.131.58-.62
Evidence for XX.X.115.242-246

2. Sample Vulnerability

Severity: Medium Risk

Description: A description of the vulnerability found in the system will be found here.

Observation: A description of how we discovered the vulnerability will be found here.

Recommendations: A description of the recommendations made will be found here.

Evidence for http//:www.samplewebsiter.com/sample_page/

3. Sample Vulnerability

Severity: Medium Risk

Description: A description of the vulnerability found in the system will be found here.

Observation: A description of how we discovered the vulnerability will be found here.

Recommendations: A description of the recommendations made will be found here.

Evidence for http//:www.samplewebsiter.com/sample_page/

External Network Name    XX.XXX.42.138 -142
                         XXX.XX.131.58-.62
                         XX.X.115.242-246
                         XX.XXX.42.129-134
                         http//:www.samplewebsiter.com/sample_page/
Assessment Started       01-15-2021
Assessment Ended         01-15-2021

Executive Summary: A Metasploit vulnerability scan was also run, but nothing was found.

Methodologies: Black box (Penetration testing was conducted over internal network and with no prior knowledge of network and application architecture or background technologies).

Techniques: Automated network vulnerability scanner Nessus, Nmap, Kali and Manual penetration testing.

The following table provides an overview of the vulnerabilities found in the network:

Severity    Vulnerability Count
High        0
Medium      0
Low         0
Total       0

[Chart: Vulnerability Count by severity (High, Medium, Low, Total)]
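
Added example, not part of the MacGuyverTech report: a retest check for finding 1 (Communication is not secure) that goes one step past the recommendation by also flagging cookies sent without the Secure attribute and a missing HSTS header after HTTPS is enabled. The host name, function names and response hops are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

def hsts_max_age(headers):
    """Return max-age (seconds) from Strict-Transport-Security, or None."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

def assess_chain(chain):
    """chain: list of (url, status, headers) hops with lower-cased header names.
    Returns a sorted list of issues; an empty list means the retest passes."""
    issues = set()
    for url, status, headers in chain:
        cookie_attrs = [a.strip().lower() for a in headers.get("set-cookie", "").split(";")]
        if urlsplit(url).scheme == "http":
            # Plain HTTP may only answer with a redirect that leaves HTTP.
            target = urlsplit(headers.get("location", "")).scheme
            if not (300 <= status < 400 and target == "https"):
                issues.add("http-not-redirected-to-https")
            if "set-cookie" in headers:
                issues.add("cookie-set-over-http")
        elif "set-cookie" in headers and "secure" not in cookie_attrs:
            issues.add("cookie-missing-secure")
    final_url, _, final_headers = chain[-1]
    if urlsplit(final_url).scheme == "https" and not hsts_max_age(final_headers):
        issues.add("hsts-missing")  # header absent or max-age=0
    return sorted(issues)

# Constructed sample hops (hypothetical host), not evidence from the report.
HOST = "app.example.test"
BEFORE = [(f"http://{HOST}/login", 200, {"set-cookie": "sid=abc; HttpOnly"})]
PARTIAL = [
    (f"http://{HOST}/login", 301, {"location": f"https://{HOST}/login"}),
    (f"https://{HOST}/login", 200, {"set-cookie": "sid=abc; HttpOnly"}),
]
FIXED = [
    PARTIAL[0],
    (f"https://{HOST}/login", 200, {
        "set-cookie": "sid=abc; HttpOnly; Secure",
        "strict-transport-security": "max-age=31536000; includeSubDomains",
    }),
]

if __name__ == "__main__":
    for name, chain in (("before", BEFORE), ("partial", PARTIAL), ("fixed", FIXED)):
        print(name, assess_chain(chain))
```

The hops can be recorded from any HTTP client that exposes each response in a redirect chain; only the status code and headers are needed.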