IT Assessment Report
Uploaded by Pawan Vaskar

NTPC NKaranpura

Network Vulnerability Assessment Report

August 2022

This report is confidential. Unauthorized use of this report in whole or in part is strictly prohibited.
Version Control

Version: 1.0
Date: 06-07-2022
Created by: Komalaiah Dongiri
Reviewed / Modified by: Harish Sah
Approved by: Harish Sah
Report Stage: Stage-1

Report Distribution

Name: Rajeev Verma; Organization: NTPC; Purpose: For intimation of vulnerabilities and their closure
Name: Kuldeep Singh; Organization: NTPC; Purpose: For information please

CONTENTS
Report Guide 4
Introduction 5
Project Background 5
Scope 6
Asset inventory details 6
Executive Summary 10
IT Infra Vulnerability Summary 11
IT Infra Network Devices 12
IT Infra Servers 17
IT Infra Workstations 24
IT CCTV & WIFI Controller 29
Configuration Audit 35
Network Architecture Review 39
Security Architecture Review 57
Abbreviations 58
Annexure 59

REPORT GUIDE

The following table depicts the flow of this report.

Introduction: This section sets the tone of the network vulnerability assessment and penetration testing report and draws the boundaries of the report in terms of its objective, scope, project timeline and project team from both sides.

Executive Summary: This section is prepared for quick management reference. It contains a summary of observations from our review of the network security test.

Detailed Report: This section presents the detail of the observations/gaps found in the network infrastructure along with the following:

• Risk rating
• Description of observation
• Impact
• References to CWE, CVE
• Recommendation to address the risk
• Proof of Concept

Annexures: Contains the high level approach adopted for the external penetration testing assessment, including assumptions.

Port summary: List of all open services running on the hosts covered under the test.

INTRODUCTION
Project Background

Grant Thornton Bharat LLP (GT) was engaged to conduct Network vulnerability assessment and
penetration testing for NTPC NKaranpura IT assets. This network penetration testing was conducted using
similar tools and techniques that a malicious attacker would use to try and compromise Security of IT
Infrastructure with respect to:

• Confidentiality
• Integrity
• Availability

The purpose of this assessment was to identify technical as well as logical vulnerabilities in the publicly
exposed assets and provide recommendations to mitigate the risk that may arise on successful exploitation
of these vulnerabilities. The idea behind this testing was to discover whether an attacker could leverage flaws
in the applications and supporting infrastructure to compromise security at NTPC NKaranpura.

Scope

i. Internal Security Audit
   i. Security and Network Architecture Review
   ii. Port Scanning and Sweeping
   iii. System Identification & Trusted System Scanning
   iv. Vulnerability Scanning and Internal Penetration Testing
      1. Vulnerability & Configuration Assessment for the servers & desktops
      2. Network Architecture & Security devices review
      3. Internal Penetration testing

ASSET INVENTORY DETAILS

Remarks                                          Router/L3 SW   L2 SW   FW   Server   Desktop   WIFI controller   CCTV
Asset count as per the PO                                   0      33    1        4        50                 1     42
Asset count as per the physical verification                1      23    1        5        16                 1     22
at the client side

Asset List
The scope of the network assessment covers testing on the given IP addresses based on the Penetration Testing
Execution Standard (PTES) guidelines. The following IP addresses were subjected to the internal
penetration test:

IP Address   Asset                  Location

[Link]       Router                 Server Room - Block B
[Link]       L3 Switch              Server Room - Block B
[Link]       L2 Switch              UNIT-1
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              TIME OFFICE
[Link]       L2 Switch              TIME OFFICE
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              BLOCK-A
[Link]       L2 Switch              Block-B
[Link]       L2 Switch              SPARE-ICX
[Link]       L2 Switch              DM PLANT
[Link]       L2 Switch              SERVICE BUILDING
[Link]       L2 Switch              SERVICE BUILDING
[Link]       Firewall               Block-B, Server room
[Link]       Pi Server              Block-B
[Link]       Intranet Server        Block-B
[Link]       DMS Server             Block-A
[Link]       Antivirus Server       Block-B
[Link]       Intranet Server-Old    Block-B
[Link]       Wireless Controller    Block-A

IP Address   Asset   Details / Location

[Link]       CCTV    C1
[Link]       CCTV    Gate-2
[Link]       CCTV    Cooling Tower
[Link]       CCTV    Labour Gate
[Link]       CCTV    DAV
[Link]       CCTV    Material Gate
[Link]       CCTV    Barrage
[Link]       CCTV    Medical
[Link]       CCTV    Atal
[Link]       CCTV    ACC
[Link]       CCTV    Main Gate
[Link]       CCTV    Main Gate PARKING
[Link]       CCTV    Main Gate - IN
[Link]       CCTV    Main Gate - OUT
[Link]       CCTV    Office Parking
[Link]       CCTV    Office Entrance
[Link]       CCTV    Office - Right Side
[Link]       CCTV    Office - Left Side
[Link]       CCTV    Conference Hall-A Block
[Link]       CCTV    HOP Office
[Link]       CCTV    Coal Gate
[Link]       CCTV    FOPH

Configuration Audit

IP Address Asset
[Link] Switch
[Link] PI- Server
[Link] Intranet Server

Project Timeline and Team

External Penetration test assessment timeline as follows:

Assessment Start Date: 06-07-2022
Assessment End Date: 09-07-2022

The following team members were involved in this assessment:

GT Security Team Contact Information

Komalaiah Dongiri
M: +91 9959955232
E: [Link]@[Link]

EXECUTIVE SUMMARY
Based on our Network vulnerability assessment and penetration testing activity, we provide NTPC
NKaranpura management with an indication of the significance of risk involved and the priority with which
the same needs to be addressed. We have categorized the observations illustrated in this report in
accordance with the classifications given below:

Risk Rating Criteria

The risk rating is used to signify the level of risk due to gaps noted during the audit and is based on a
qualitative criterion defined as follows:

Critical: A critical risk vulnerability has a high potential of impacting business operations, leading to downtime or disruption, and provides an attacker with privileged access, resulting in significant outage. If exploited, it has a direct impact on the confidentiality, integrity or availability of organizational information.

High: A high risk vulnerability indicates that successful exploitation of the vulnerability may result in a significant impact to the confidentiality, integrity or availability of the information accessible through the application/system or even the backend resources like databases, operating systems, etc.

Medium: A medium risk vulnerability reveals information about the application and its underlying infrastructure that can be used by an attacker in conjunction with another vulnerability to gain privileged control of the application or its underlying operating system.

Low: A low risk vulnerability has the potential of revealing information about the system and may lead to unauthorized access to a system, leading to compromise. A higher work factor would be involved in exploiting this type of vulnerability.

To capture the risk rating, the following risk assessment matrix is used, considering the impact and the probability of the risk
in terms of ease of exploitation.

Risk Assessment Matrix (Risk Severity = Impact x Probability)

Impact of Vulnerability      Probability of risk occurrence
(Consequence)                Hard       Moderate    Easy
Major                        High       Critical    Critical
Moderate                     Medium     Medium      High
Minor                        Low        Medium      Medium

Please note: The risk rating will also depend on the business criticality of the asset.

IT INFRA VULNERABILITY SUMMARY

A) Network Devices

Domain Critical High Medium Low Total

Vulnerability Assessment 0 2 3 2 7

B) Servers

Domain Critical High Medium Low Total

Vulnerability Assessment 3 3 6 1 13

C) Workstations

Domain Critical High Medium Low Total

Vulnerability Assessment 1 2 3 1 7

D) CCTV

Domain Critical High Medium Low Total

Vulnerability Assessment 1 4 5 1 11

E) WIFI Controller

Domain Critical High Medium Low Total

Vulnerability Assessment 0 0 1 0 1

IT INFRA NETWORK DEVICES

Observation Summary for IT Infra Network Devices

The chart given below represents the vulnerabilities found during network penetration testing:

Figure 1: Vulnerability Assessment Test Observations (pie chart of vulnerabilities by risk: Critical 0 (0%), High 2 (29%), Medium 3 (43%), Low 2 (28%))

The table below illustrates the distribution of observations of penetration testing based on the risk
categorization, i.e. Critical, High, Medium and Low.

Detailed Observations

The detailed assessment report covers the following details about each vulnerability identified during the
assessment:

Vulnerability: A short one-line description of the vulnerability identified.

Risk: The category describes the risk level of the vulnerability, derived as per the risk categorization in the Executive Summary – Risk Rating section.

Description: Describes the flaw or bug that caused the vulnerability; a brief explanation of the vulnerability.

Observation: Describes the observations in regard to the vulnerability.

Impact: The possible business impact if this vulnerability is successfully exploited.

Affected URL: Lists the URLs and the parameters affected by the vulnerability.

Recommendations: Solutions or workarounds to mitigate the risk arising from this vulnerability. Mitigation solutions should be tested in a development environment before being put into production.

The details of identified vulnerabilities, impact, severity and recommendations for the same are explained
below.

Detailed findings for IT Infra Network Devices. Each entry gives the vulnerability and its impact, the affected IP address(es), the risk rating, the status, the observation, the recommendation and references.

Vulnerability: SSL Medium Strength Cipher Suites Supported (SWEET32)
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: The remote host supports the use of SSL ciphers that offer medium strength encryption. It is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Observation: It has been observed that SSL is using medium strength encryption such as DES-CBC3-SHA, which can be easily compromised if the attacker is on the same physical network.
Recommendation: It is recommended to reconfigure the affected application, if possible, to avoid the use of medium strength ciphers.
References: [Link] blog/blog/2016/08/24/sweet32/

Vulnerability: Unencrypted Telnet Server
Affected IP Address: [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link] (13 hosts)
Risk: High
Status: OPEN
Impact: This allows a remote man-in-the-middle attacker to eavesdrop on a Telnet session to obtain credentials or other sensitive information and to modify traffic exchanged between a client and server.
Observation: It has been observed that the remote hosts are using unencrypted Telnet services.
Recommendation: It is recommended to disable the Telnet service and use SSH instead.

Vulnerability: HTTP TRACE / TRACK Methods Allowed
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: An attacker could use the TRACE/TRACK method to read cookies through cross-site scripting within an XmlHttpRequest. This is not possible with modern browsers, so the vulnerability can only be used when targeting users with unpatched and old browsers.
Observation: It is observed that the vulnerability can only be used when targeting users with unpatched and old browsers.
Recommendation: It is recommended to disable these HTTP methods.
References: [Link] [Link]/http-trace-track-methods-allowed/

Vulnerability: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Shared Key (PSK) authentication. Such a configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.
Observation: It has been observed that the remote host supports Aggressive Mode with a pre-shared key (PSK).
Recommendation: It is recommended to disable Aggressive Mode if supported.
- Do not use a Pre-Shared Key for authentication if possible.
- If using a Pre-Shared Key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP address.
References: [Link] com/t5/vpn/to-disable-internet-key-exchange-ike-aggressive-mode-with-pre/td-p/2962981

Vulnerability: TLS Version 1.1 Protocol Deprecated
Affected IP Address: [Link]
Risk: Medium
Impact: Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1. Hence an attacker can perform a man-in-the-middle attack against the remote host.
Observation: It has been observed that the remote host supports TLS version 1.1.
Recommendation: It is recommended to enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
References: RFC 8996 ([Link])

Vulnerability: SSH Server CBC Mode Ciphers Enabled
Affected IP Address: [Link], [Link]
Risk: Low
Status: OPEN
Impact: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Observation: It has been observed that the remote host is using CBC mode ciphers. The following Cipher Block Chaining (CBC) algorithms are supported: 3des-cbc, aes128-cbc, aes256-cbc.
Recommendation: It is recommended to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
References: [Link] pport/pages/disabling-cipher-block-chaining-cbc-mode-ciphers-and-weak-mac-algorithms-ssh-ibm-puredata-system-operational-analytics

Vulnerability: SSH Weak Key Exchange Algorithms Enabled
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: An attacker can easily exploit a remote SSH server that is configured to allow weak key exchange algorithms.
Observation: It has been observed that the remote host allows weak key exchange algorithms. The following weak key exchange algorithms are enabled: diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1.
Recommendation: It is recommended to disable the weak key exchange algorithms.
References: RFC 8732 ([Link])

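The two SSH findings above (CBC-mode ciphers and SHA-1 key-exchange algorithms) can be verified from a device's OpenSSH configuration both before and after remediation. The script below is an added example and is not part of the report or the assessors' tooling; the sshd_config fragment it reads is constructed, algorithm names follow OpenSSH's, and it generalises the report's two named key exchanges by treating every key-exchange algorithm ending in -sha1 as weak, in line with the SHA-1 deprecation the report cites (RFC 8732). It handles OpenSSH's `+`, `-` and `^` list modifiers so that a `Ciphers -3des-cbc` line is not misread as enabling 3DES.

```python
"""Audit an OpenSSH sshd_config for CBC-mode ciphers and SHA-1 key-exchange
algorithms, and emit the hardened directives the report recommends
(CTR or GCM ciphers, non-SHA-1 key exchange).

Added example; not part of the report. SAMPLE_CONFIG is constructed."""

# Constructed sshd_config fragment mirroring the report's SSH findings.
SAMPLE_CONFIG = """
# constructed example, not a client device's configuration
Port 22
Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256
MACs hmac-sha2-256,hmac-sha2-512
"""

# Replacement lists: CTR/GCM ciphers and SHA-2 based key exchange only.
STRONG_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
]
STRONG_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256",
]


def parse_algorithms(config_text, keyword):
    """Return (mode, [names]) for the first `keyword` directive found.

    mode is 'replace' for a plain list, or 'append'/'remove'/'prepend' when
    the value starts with OpenSSH's '+', '-' or '^' modifier. (None, None)
    means the directive is absent and compiled-in defaults apply."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            value = parts[1].strip()
            mode = "replace"
            if value and value[0] in "+-^":
                mode = {"+": "append", "-": "remove", "^": "prepend"}[value[0]]
                value = value[1:]
            return mode, [a.strip() for a in value.split(",") if a.strip()]
    return None, None


def is_weak_cipher(name):
    """CBC-mode ciphers are the ones the report asks to disable."""
    return "-cbc" in name.lower()


def is_weak_kex(name):
    """The report lists two SHA-1 group exchanges; any '-sha1' KEX is treated
    the same way (generalisation, following the RFC 8732 deprecation)."""
    return name.lower().endswith("-sha1")


def audit(config_text):
    """Return the weak algorithms explicitly enabled by the configuration."""
    result = {"cbc_ciphers": [], "weak_kex": [], "notes": []}
    for keyword, key, check in (
        ("Ciphers", "cbc_ciphers", is_weak_cipher),
        ("KexAlgorithms", "weak_kex", is_weak_kex),
    ):
        mode, names = parse_algorithms(config_text, keyword)
        if names is None:
            result["notes"].append(
                f"{keyword} not set; defaults apply, confirm with 'sshd -T'")
            continue
        if mode == "remove":
            continue  # a '-' list removes algorithms; nothing is enabled here
        if mode in ("append", "prepend"):
            result["notes"].append(
                f"{keyword} modifies the default list; confirm with 'sshd -T'")
        result[key] = [n for n in names if check(n)]
    return result


def hardened_directives():
    """The replacement Ciphers/KexAlgorithms lines."""
    return (f"Ciphers {','.join(STRONG_CIPHERS)}\n"
            f"KexAlgorithms {','.join(STRONG_KEX)}\n")


if __name__ == "__main__":
    print("weak algorithms enabled:", audit(SAMPLE_CONFIG))
    print("hardened directives:\n" + hardened_directives())
    print("after hardening:", audit(hardened_directives()))
```

The audit only reads what the file states explicitly; when a directive is absent or uses a `+`/`^` modifier the effective list comes from compiled-in defaults, so the notes point at `sshd -T`, which prints the running configuration.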
IT INFRA SERVERS

Observation Summary for IT Infra Servers

The chart given below represents the vulnerabilities found during network penetration testing:

Figure 2: Vulnerability Assessment Test Observations (pie chart of vulnerabilities by risk: Critical 3 (23%), High 3 (23%), Medium 6 (46%), Low 1 (8%))

The table below illustrates the distribution of observations of penetration testing based on the risk
categorization, i.e. Critical, High, Medium and Low.

Detailed Observations

The details of identified vulnerabilities, impact, severity and recommendations for the same are explained
below.

Detailed findings for IT Infra Servers. Each entry gives the vulnerability and its impact, the affected IP address(es), the risk rating, the status, the observation, the recommendation and references.

Vulnerability: Flexera FlexNet Publisher < 11.16.2 Vulnerabilities
Affected IP Address: [Link]
Risk: Critical
Status: OPEN
Impact:
- A remote attacker could send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down.
- A remote attacker could corrupt memory by allocating / deallocating memory, loading lmgrd or the vendor daemon and causing the heartbeat between lmgrd and the vendor daemon to stop.
Observation: It has been observed that the version of Flexera FlexNet Publisher running on the remote host is prior to 11.16.2.
Recommendation: It is recommended to upgrade to FlexNet Publisher 11.16.2 or later.
References: [Link] u?fbd5ba7b

Vulnerability: Microsoft SQL Server Unsupported Version Detection (remote check)
Affected IP Address: [Link], [Link], [Link], [Link]
Risk: Critical
Status: OPEN
Impact: Microsoft SQL Server on the remote Windows host is no longer supported and is likely to contain security vulnerabilities which can be exploited by an attacker.
Observation: It has been observed that Microsoft SQL Server on the remote host is no longer supported.
Recommendation: It is recommended to upgrade to Microsoft SQL Server 2019 (15.x).
References: [Link] om/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server?view=sql-server-ver16

Vulnerability: SSL Version 2 and 3 Protocol Detection
Affected IP Address: [Link], [Link]
Risk: Critical
Status: OPEN
Impact: An attacker can conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Observation: It has been observed that the devices are using SSL version 2.0 and 3.0.
Recommendation: It is recommended to disable SSL 2.0 and 3.0. Use TLS 1.2 with the higher cipher suites listed below:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A2
References: [Link] [Link]/2014/10/14/poo [Link]; RFC 7507 ([Link])

Vulnerability: SSL Certificate Signed Using Weak Hashing Algorithm
Affected IP Address: [Link], [Link], [Link], [Link]
Risk: High
Status: OPEN
Impact: An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.
Observation: It has been observed that the SSL certificate is signed using SHA-1 with RSA encryption.
Recommendation: It is recommended to sign the SSL certificate using a strong hashing algorithm such as SHA-512.
References: RFC 3279 ([Link])

Vulnerability: Unencrypted Telnet Server
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: This allows a remote man-in-the-middle attacker to eavesdrop on a Telnet session to obtain credentials or other sensitive information and to modify traffic exchanged between a client and server.
Observation: It has been observed that the remote host is using unencrypted Telnet services.
Recommendation: It is recommended to disable the Telnet service and use SSH instead.

Vulnerability: SSL Medium Strength Cipher Suites Supported (SWEET32)
Affected IP Address: [Link], [Link], [Link], [Link], [Link]
Risk: High
Status: OPEN
Impact: The remote host supports the use of SSL ciphers that offer medium strength encryption. It is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Observation: It has been observed that SSL is using medium strength encryption such as DES-CBC3-SHA, which can be easily compromised if the attacker is on the same physical network.
Recommendation: It is recommended to reconfigure the affected application, if possible, to avoid the use of medium strength ciphers.
References: [Link] g/blog/blog/2016/08/24/sweet32/

Vulnerability: jQuery 1.2 < 3.5.0 Multiple XSS
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: An attacker can perform various types of cross-site scripting attacks.
Observation: It has been observed that the remote host is running an outdated jQuery version.
Recommendation: It is recommended to upgrade to jQuery version 3.5.0 or later.
References: [Link] /2020/04/10/jquery-3-5-0-released/

Vulnerability: SMB Signing not enabled
Affected IP Address: [Link], [Link], [Link], [Link], [Link]
Risk: Medium
Status: OPEN
Impact: An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
Observation: It has been observed that the remote host does not require SMB signing.
Recommendation: It is recommended to enable signing on the remote SMB server. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'.
References: [Link] [Link]/how-to-resolve-smb-signing-not-required-vulnerability-a1057219ed61

Vulnerability: SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Affected IP Address: [Link], [Link]
Risk: Medium
Status: OPEN
Impact: Low strength ciphers (<= 64-bit key) are supported. If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
Observation: It has been observed that the remote host is using a weak cipher suite: EXP-RC4-MD5-40bit.
Recommendation: It is recommended to reconfigure the affected application, if possible, to avoid the use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites, subject to browser and web server support.
References: [Link] .com/; [Link] 3.03.12/[Link]; [Link] uk/tls/; [Link] om/docs/HII_Attacking_SSL_when_using_R [Link]

Vulnerability: SSLv3 Padding Oracle on Downgraded Legacy Encryption Vulnerability (POODLE)
Affected IP Address: [Link], [Link]
Risk: Medium
Status: OPEN
Impact: An attacker can perform a man-in-the-middle (MitM) information disclosure known as POODLE. MitM attackers can decrypt a selected byte of a ciphertext in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
Observation: It has been observed that the remote host is vulnerable to a padding oracle attack.
Recommendation: It is recommended to disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
References: [Link] ocs/en/sdk-java-technology/7.1?topic=ip-padding-oracle-downgraded-legacy-encryption-poodle-security-vulnerability

Vulnerability: Terminal Services Doesn't Use Network Level Authentication (NLA) Only
Affected IP Address: [Link], [Link], [Link]
Risk: Medium
Status: OPEN
Impact: NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either through TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. When NLA is not configured properly, an attacker can exploit this to conduct man-in-the-middle attacks.
Observation: It has been observed that Terminal Services does not use Network Level Authentication (NLA) only.
Recommendation: It is recommended to enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the 'Remote' tab of the 'System' settings on Windows.
References: [Link] -the-remote-computer-requires-network-level-authentication/

Vulnerability: TLS Version 1.1 Protocol Deprecated
Affected IP Address: [Link], [Link], [Link], [Link], [Link]
Risk: Medium
Status: OPEN
Impact: Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1. Hence an attacker can perform a man-in-the-middle attack against the remote host.
Observation: It has been observed that the remote host supports TLS version 1.1.
Recommendation: It is recommended to enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
References: RFC 8996 ([Link])

Vulnerability: SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
Affected IP Address: [Link], [Link], [Link], [Link]
Risk: Low
Status: OPEN
Impact: An attacker can easily perform a brute force attack in order to decrypt the encryption when the key size is shorter than 2048 bits.
Observation: It has been observed that a 2048-bit RSA key provides 112 bits of security.
Recommendation: It is recommended to replace the certificate in the chain whose RSA key is less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.
References: [Link] com/t5/Integrity-Servers/SSL-Certificate-Chain-Contains-RSA-Keys-Less-Than-2048-bits-for/td-p/6440854

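The SSL/TLS findings in the server table above (SSL 2/3, SHA-1 certificate signatures, SWEET32, RC4, TLS 1.1 and RSA keys under 2048 bits) recur unchanged in the workstation table that follows, so one triage routine serves both. The script below is an added example and not the assessors' tooling: it takes scan results as plain Python records (the two records it contains are constructed), classifies each host against the report's own finding names, and copies the severity ratings the report assigned. It generalises slightly in two places, both marked in the code: TLS 1.0 is folded under the TLS 1.1 finding because RFC 8996 deprecates both, and the NIST SP 800-57 comparable-strength table is included to show where the report's remark that a 2048-bit RSA key gives 112 bits of security comes from.

```python
"""Triage SSL/TLS scan results against the SSL/TLS finding names and
severity ratings used in this report.

Added example; not the assessors' tooling. SCAN_RESULTS is constructed."""

SSL23 = "SSL Version 2 and 3 Protocol Detection"
WEAK_HASH = "SSL Certificate Signed Using Weak Hashing Algorithm"
SWEET32 = "SSL Medium Strength Cipher Suites Supported (SWEET32)"
RC4 = "SSL RC4 Cipher Suites Supported (Bar Mitzvah)"
TLS11 = "TLS Version 1.1 Protocol Deprecated"
SHORT_RSA = "SSL Certificate Chain Contains RSA Keys Less Than 2048 bits"

# Severity per finding, copied from the report's server/workstation tables.
SEVERITY = {SSL23: "Critical", WEAK_HASH: "High", SWEET32: "High",
            RC4: "Medium", TLS11: "Medium", SHORT_RSA: "Low"}
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed records in the shape a scanner export might be normalised to.
SCAN_RESULTS = [
    {"host": "host-a (constructed)",
     "protocols": ["SSLv3", "TLSv1.1", "TLSv1.2"],
     "ciphers": ["DES-CBC3-SHA", "EXP-RC4-MD5",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
     "certificate": {"signature_algorithm": "sha1WithRSAEncryption",
                     "rsa_key_bits": 1024}},
    {"host": "host-b (constructed)",
     "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
     "certificate": {"signature_algorithm": "sha256WithRSAEncryption",
                     "rsa_key_bits": 2048}},
]


def protocol_issues(protocols):
    """SSLv2/SSLv3 -> the Critical finding; TLS 1.0/1.1 -> deprecated (RFC 8996)."""
    issues = set()
    for p in protocols:
        name = p.upper().replace(" ", "")
        if name in ("SSLV2", "SSLV3"):
            issues.add(SSL23)
        elif name in ("TLSV1", "TLSV1.0", "TLSV1.1"):
            issues.add(TLS11)   # TLS 1.0 folded in: generalisation of the report
    return issues


def cipher_issues(ciphers):
    """Accepts OpenSSL names (DES-CBC3-SHA) and IANA names (TLS_..._3DES_...)."""
    issues = set()
    for c in ciphers:
        name = c.upper()
        if "3DES" in name or "DES-CBC3" in name:
            issues.add(SWEET32)                    # 64-bit block cipher
        if "RC4" in name or name.startswith("EXP") or "_EXPORT" in name:
            issues.add(RC4)                        # RC4 and export-grade suites
    return issues


def rsa_security_bits(modulus_bits):
    """Comparable symmetric strength from NIST SP 800-57 Part 1; this is the
    basis of the report's note that a 2048-bit RSA key gives 112 bits."""
    strength = 0
    for size, bits in ((1024, 80), (2048, 112), (3072, 128),
                       (7680, 192), (15360, 256)):
        if modulus_bits >= size:
            strength = bits
    return strength


def certificate_issues(cert):
    """SHA-1/MD5 signatures and RSA moduli under 2048 bits."""
    issues = set()
    sig = cert.get("signature_algorithm", "").lower()
    if "sha1" in sig or "md5" in sig:
        issues.add(WEAK_HASH)
    if cert.get("rsa_key_bits", 2048) < 2048:
        issues.add(SHORT_RSA)
    return issues


def triage(records):
    """Return (host, severity, finding) tuples, most severe first per host."""
    findings = []
    for r in records:
        issues = (protocol_issues(r["protocols"])
                  | cipher_issues(r["ciphers"])
                  | certificate_issues(r["certificate"]))
        for issue in sorted(issues, key=lambda i: (ORDER[SEVERITY[i]], i)):
            findings.append((r["host"], SEVERITY[issue], issue))
    return findings


if __name__ == "__main__":
    for host, sev, finding in triage(SCAN_RESULTS):
        print(f"{sev:8} {host}: {finding}")
```

Feeding it the normalised output of a scanner gives a per-host list in the report's vocabulary, which makes re-testing after remediation a matter of checking that `triage()` returns nothing for the host.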
IT INFRA WORKSTATIONS

Observation Summary for IT Infra Workstations

The chart given below represents the vulnerabilities found during network penetration testing:

Figure 3: Vulnerability Assessment Test Observations (pie chart of vulnerabilities by risk: Critical 1 (14%), High 2 (29%), Medium 3 (43%), Low 1 (14%))

The table below illustrates the distribution of observations of penetration testing based on the risk
categorization, i.e. Critical, High, Medium and Low.

Detailed Observations

The details of identified vulnerabilities, impact, severity and recommendations for the same are explained
below.

Detailed findings for IT Infra Workstations. Each entry gives the vulnerability and its impact, the affected IP address(es), the risk rating, the status, the observation, the recommendation and references.

Vulnerability: Microsoft SQL Server Unsupported Version Detection (remote check)
Affected IP Address: [Link]
Risk: Critical
Status: OPEN
Impact: Microsoft SQL Server on the remote Windows host is no longer supported and is likely to contain security vulnerabilities which can be exploited by an attacker.
Observation: It has been observed that Microsoft SQL Server on the remote host is no longer supported.
Recommendation: It is recommended to upgrade to Microsoft SQL Server 2019 (15.x).
References: [Link] .com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server?view=sql-server-ver16

Vulnerability: SSL Certificate Signed Using Weak Hashing Algorithm
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.
Observation: It has been observed that the SSL certificate is signed using SHA-1 with RSA encryption.
Recommendation: It is recommended to sign the SSL certificate using a strong hashing algorithm such as SHA-512.
References: RFC 3279 ([Link])

Vulnerability: SSL Medium Strength Cipher Suites Supported (SWEET32)
Affected IP Address: [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link] (14 hosts)
Risk: High
Status: OPEN
Impact: The remote host supports the use of SSL ciphers that offer medium strength encryption. It is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Observation: It has been observed that SSL is using medium strength encryption such as DES-CBC3-SHA, which can be easily compromised if the attacker is on the same physical network.
Recommendation: It is recommended to reconfigure the affected application, if possible, to avoid the use of medium strength ciphers.
References: [Link] org/blog/blog/2016/08/24/sweet32/

Vulnerability: SMB Signing not enabled
Affected IP Address: [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link] (14 hosts)
Risk: Medium
Status: OPEN
Impact: An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
Observation: It has been observed that the remote host does not require signing on its SMB server.
Recommendation: It is recommended to enable signing on the remote SMB server. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'.
References: [Link] [Link]/how-to-resolve-smb-signing-not-required-vulnerability-a1057219ed61

Vulnerability: Terminal Services Doesn't Use Network Level Authentication (NLA) Only
Affected IP Address: [Link], [Link], [Link]
Risk: Medium
Status: OPEN
Impact: NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either through TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. When NLA is not configured properly, an attacker can exploit this to conduct man-in-the-middle attacks.
Observation: It has been observed that Terminal Services does not use Network Level Authentication (NLA) only.
Recommendation: It is recommended to enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the 'Remote' tab of the 'System' settings on Windows.
References: [Link] x-the-remote-computer-requires-network-level-authentication/

Vulnerability: TLS Version 1.1 Protocol Deprecated
Affected IP Address: [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link] (14 hosts)
Risk: Medium
Status: OPEN
Impact: Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1. Hence an attacker can perform a man-in-the-middle attack against the remote host.
Observation: It has been observed that the remote host supports TLS version 1.1.
Recommendation: It is recommended to enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
References: RFC 8996 ([Link])

Vulnerability: SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: An attacker can easily perform a brute force attack in order to decrypt the encryption when the key size is shorter than 2048 bits.
Observation: It has been observed that a 2048-bit RSA key provides 112 bits of security.
Recommendation: It is recommended to replace the certificate in the chain whose RSA key is less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.
References: [Link] [Link]/t5/Integrity-Servers/SSL-Certificate-Chain-Contains-RSA-Keys-Less-Than-2048-bits-for/td-p/6440854

IT INFRA CCTV

Observation Summary for IT CCTV

The chart given below represents the vulnerabilities found during network penetration testing:

Figure 4: Vulnerability Assessment Test Observations (pie chart of findings by risk: Critical 1 (9%), High 4 (36%), Medium 5 (46%), Low 1 (9%))

The table below illustrates the distribution of penetration testing observations based on the risk categorization, i.e. Critical, High, Medium and Low:

Domain     Critical  High  Medium  Low  Total
IT CCTV    1         4     5       1    11
Detailed Observations

The detailed assessment report covers the following details about each vulnerability identified during the assessment:

Vulnerability: A short one-line description of the vulnerability identified.
Risk: The risk level of the vulnerability, derived as per the risk categorization in the Executive Summary – Risk rating section.
Description: Describes the flaw or bug that caused the vulnerability; a brief explanation of the vulnerability.
Observation: Describes the observations in regard to the vulnerability.
Impact: The possible business impact if this vulnerability is successfully exploited.
Affected URL: Lists the URLs and the parameters affected by the vulnerability.
Recommendations: Solutions or workarounds to mitigate the risk arising from this vulnerability. Mitigation solutions should be tested in a development environment before being put into production.

The details of identified vulnerabilities, impact, severity and recommendations are explained below.
Each entry below gives: Vulnerability, Affected IP Address, Risk, Status, Observation, Impact, Recommendation and References.

Vulnerability: SSL Version 2 and 3 Protocol Detection
Affected IP Address: [Link] (multiple hosts)
Risk: Critical
Status: OPEN
Observation: It has been observed that the devices are using SSL version 2.0 and 3.0.
Impact: An attacker can conduct man-in-the-middle attacks or decrypt communications between the affected service and its clients.
Recommendation: It is recommended to disable SSL 2.0 and 3.0 and to use TLS 1.2 with the stronger cipher suites listed below:
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
References: [Link]/2014/10/14/poo[Link]; [Link]ml/rfc7507
Vulnerability: AXIS gSOAP Message Handling RCE (Devil's Ivy)
Affected IP Address: [Link] (multiple hosts)
Risk: High
Status: OPEN
Observation: It has been observed that the remote AXIS device is running a firmware version that is missing a security patch. It is affected by a remote code execution vulnerability, known as Devil's Ivy, due to an overflow condition that exists in a third-party SOAP library (gSOAP).
Impact: An unauthenticated, remote attacker can exploit this, via an HTTP POST message exceeding 2GB of data, to trigger a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.
Recommendation: It is recommended to upgrade to the latest available firmware version (fixed version: [Link] or later) for your device per the vendor advisory.
Vulnerability: SNMP Agent Default Community Name (public)
Affected IP Address: [Link] (multiple hosts)
Risk: High
Status: OPEN
Observation: It has been observed that the SNMP agent on the remote host is using the default community name 'public'.
Impact: An attacker may change the configuration of the remote system if the default community allows such modifications.
Recommendation: It is recommended to disable the SNMP service on the remote host if it is not used. Otherwise, either filter incoming UDP packets going to this port, or change the default community string.
References: [Link]/topic/2196652-snmp-agent-default-community-name-public
Vulnerability: Unencrypted Telnet Server
Affected IP Address: [Link] (multiple hosts)
Risk: High
Status: OPEN
Observation: It has been observed that the remote host is running an unencrypted Telnet service. Since Telnet is only used inside the secured network, the impact is limited.
Impact: This allows a remote man-in-the-middle attacker to eavesdrop on a Telnet session to obtain credentials or other sensitive information and to modify traffic exchanged between a client and server.
Recommendation: It is recommended to disable the Telnet service and use SSH instead.
References: [Link]ocs/en/i/7.3?topic=ssl-secure-telnet-access
Vulnerability: SSL Medium Strength Cipher Suites Supported (SWEET32)
Affected IP Address: [Link] (multiple hosts)
Risk: High
Status: OPEN
Observation: It has been observed that SSL is using medium-strength encryption such as DES-CBC3-SHA, which can be compromised if the attacker is on the same physical network.
Impact: The remote host supports SSL ciphers that offer only medium-strength encryption; it is considerably easier to circumvent medium-strength encryption if the attacker is on the same physical network.
Recommendation: It is recommended to reconfigure the affected application, if possible, to avoid the use of medium-strength ciphers.
References: [Link]g/blog/blog/2016/08/24/sweet32/
Vulnerability: mDNS Detection (Remote Network)
Affected IP Address: [Link] (multiple hosts)
Risk: Medium
Status: OPEN
Observation: It has been observed that the remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows information about the host to be disclosed.
Impact: This allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.
Recommendation: It is recommended to filter incoming traffic to UDP port 5353, if desired.
Vulnerability: SSL Certificate Cannot Be Trusted
Affected IP Address: [Link] (multiple hosts)
Risk: Medium
Status: OPEN
Observation: It has been observed that the remote host is using an untrusted SSL certificate. Issuer: C=CN/ST=GD/L=SZ/O=INF/OU=INF/CN=XXX/E=xiaorenwei@i[Link]
Impact: If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Recommendation: It is recommended to purchase or generate a proper SSL certificate for this service.
References: [Link]T-REC-X.509/en; [Link]/wiki/X.509
Vulnerability: SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Affected IP Address: [Link] (multiple hosts)
Risk: Medium
Status: OPEN
Observation: It has been observed that the remote host is using weak cipher suites such as RC4-MD5-128bit and RC4-SHA1-128bit.
Impact: If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
Recommendation: It is recommended to reconfigure the affected application, if possible, to avoid the use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites, subject to browser and web server support.
References: [Link].com/; [Link]3.03.12/[Link]; [Link]uk/tls/; [Link]om/docs/HII_Attacking_SSL_when_using_R[Link]
Vulnerability: SSLv3 Padding Oracle on Downgraded Legacy Encryption Vulnerability (POODLE)
Affected IP Address: [Link] (multiple hosts)
Risk: Medium
Status: OPEN
Observation: It has been observed that the remote host is vulnerable to a padding oracle attack.
Impact: An attacker can perform a man-in-the-middle (MitM) information disclosure known as POODLE. MitM attackers can decrypt a selected byte of a ciphertext in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
Recommendation: It is recommended to disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
References: [Link]; [Link]ocs/en/sdk-java-technology/7.1?topic=ip-padding-oracle-downgraded-legacy-encryption-poodle-security-vulnerability
Vulnerability: Web Server Generic Cookie Injection
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Observation: It has been observed that the remote host is running a web server that fails to adequately sanitize request strings containing malicious JavaScript.
Impact: An attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.
Recommendation: It is recommended to patch or upgrade the server.
Vulnerability: SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
Affected IP Address: [Link] (multiple hosts)
Risk: Low
Status: OPEN
Observation: It has been observed that the certificate chain contains an RSA key shorter than 2048 bits; a 2048-bit RSA key provides 112 bits of security.
Impact: An attacker can easily perform brute force in order to decrypt traffic protected with a key shorter than 2048 bits.
Recommendation: It is recommended to replace the certificate in the chain whose RSA key is less than 2048 bits in length with one using a longer key, and to reissue any certificates signed by the old certificate.
References: [Link]/t5/Integrity-Servers/SSL-Certificate-Chain-Contains-RSA-Keys-Less-Than-2048-bits-for/td-p/6440854#.Yuj7nHZBw2w
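The SSL/TLS findings above (SSLv2/3, SWEET32, RC4, POODLE, deprecated TLS 1.1 and short RSA keys, in the CCTV table and in the workstation table before it) all come from the same kind of evidence: the protocol versions, cipher suites and certificate key size a service offers. The following is an added example, not the scanner used for this assessment nor any code from the report. It rates a constructed scan result with the same severities the report assigns, and builds a server-side ssl.SSLContext that applies the recommendation for the SSLv2/3 finding (TLS 1.2 or later with only the four listed ECDHE-RSA suites). The host address and scan values are constructed and do not describe any audited device.

```python
"""Rate a TLS service's scan result the way this report's findings are rated
(SSLv2/3: Critical; SWEET32: High; RC4, POODLE, TLS 1.1: Medium; RSA < 2048
bits: Low) and build a server ssl.SSLContext that only offers TLS 1.2+ with
the ECDHE-RSA suites the report recommends.

Added example; not the assessment's scanner. SAMPLE_SCAN is constructed."""
import ssl

# Constructed scan result for one hypothetical service (documentation address).
SAMPLE_SCAN = {
    "host": "192.0.2.10",
    "port": 443,
    "protocols": ["SSLv2", "SSLv3", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "rsa_key_bits": 1024,
    "fallback_scsv": False,   # whether the server honours TLS_FALLBACK_SCSV
}

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# IANA suite names from the report's recommendation -> OpenSSL cipher names.
RECOMMENDED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def evaluate(scan: dict) -> list:
    """Return [(title, risk, detail), ...] sorted Critical > High > Medium > Low."""
    findings = []
    protos = set(scan.get("protocols", []))
    ciphers = scan.get("ciphers", [])

    legacy_ssl = sorted(protos & {"SSLv2", "SSLv3"})
    if legacy_ssl:
        findings.append(("SSL Version 2 and 3 Protocol Detection", "Critical",
                         "offers " + ", ".join(legacy_ssl)))
    # SWEET32 concerns 64-bit block ciphers: DES/3DES and IDEA in OpenSSL names.
    sweet32 = [c for c in ciphers if "DES" in c or "IDEA" in c]
    if sweet32:
        findings.append(("SSL Medium Strength Cipher Suites Supported (SWEET32)",
                         "High", ", ".join(sweet32)))
    rc4 = [c for c in ciphers if "RC4" in c]
    if rc4:
        findings.append(("SSL RC4 Cipher Suites Supported (Bar Mitzvah)",
                         "Medium", ", ".join(rc4)))
    # POODLE: any SSLv3 support is exploitable; TLS_FALLBACK_SCSV only closes
    # the downgrade path for clients that support it (the report's interim step).
    if "SSLv3" in protos:
        guard = "with" if scan.get("fallback_scsv") else "without"
        findings.append(("SSLv3 Padding Oracle on Downgraded Legacy Encryption (POODLE)",
                         "Medium", f"SSLv3 enabled {guard} TLS_FALLBACK_SCSV"))
    deprecated = sorted(protos & {"TLSv1", "TLSv1.1"})   # both deprecated by RFC 8996
    if deprecated:
        findings.append(("TLS Version 1.0/1.1 Protocol Deprecated", "Medium",
                         "offers " + ", ".join(deprecated)))
    bits = scan.get("rsa_key_bits", 2048)
    if bits < 2048:
        findings.append(("SSL Certificate Chain Contains RSA Keys Less Than 2048 bits",
                         "Low", f"{bits}-bit RSA key"))
    findings.sort(key=lambda f: RISK_ORDER[f[1]])   # stable: keeps the order above within a risk
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses SSLv2/3 and TLS 1.0/1.1 and offers only the
    recommended ECDHE-RSA suites for TLS 1.2 (TLS 1.3 keeps its own AEAD-only
    suites, which OpenSSL configures separately from set_ciphers)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(RECOMMENDED_SUITES.values()))
    return ctx


def context_summary() -> dict:
    """Minimum version name and the cipher names the hardened context really
    offers, so the policy can be checked without opening a socket."""
    ctx = hardened_server_context()
    names = sorted(c["name"] for c in ctx.get_ciphers())
    return {"minimum_version": ctx.minimum_version.name, "ciphers": names}


if __name__ == "__main__":
    for title, risk, detail in evaluate(SAMPLE_SCAN):
        print(f"{risk:8} {title}: {detail}")
    print(context_summary())
```

The evaluator goes slightly beyond the report in treating TLS 1.0 the same as TLS 1.1 (RFC 8996, which the report cites, deprecates both). The context summary is the check to run after reconfiguring a service: the minimum version must read TLSv1_2 and no RC4 or DES name may appear in the offered list.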
IT INFRA WIFI CONTROLLER

Observation Summary for IT WIFI Controller

The chart given below represents the vulnerabilities found during network penetration testing:

Figure 5: Vulnerability Assessment Test Observations (pie chart of findings by risk: Medium 1 (100%); no Critical, High or Low findings)

The table below illustrates the distribution of penetration testing observations based on the risk categorization, i.e. Critical, High, Medium and Low:

Domain                Critical  High  Medium  Low  Total
IT WIFI Controller    0         0     1       0    1
Vulnerability: SSL Certificate Cannot Be Trusted
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Observation: It has been observed that the remote host is using an untrusted SSL certificate. Issuer: C=US/ST=CA/L=Sunnyvale/O=Ruckus Wireless Inc./E=service@rucku[Link]/CN=Certificate Authority
Impact: If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Recommendation: It is recommended to purchase or generate a proper SSL certificate for this service.
References: [Link]/T-REC-X.509/en; [Link]rg/wiki/X.509
CONFIGURATION AUDIT

IP Address   Asset
[Link]       Switch
[Link]       PI Server
[Link]       Intranet Server

Detailed Observations

The detailed assessment report covers the following details about each vulnerability identified during the assessment:

Vulnerability: A short one-line description of the vulnerability identified.
Risk: The risk level of the vulnerability, derived as per the risk categorization in the Executive Summary – Risk rating section.
Description: Describes the flaw or bug that caused the vulnerability; a brief explanation of the vulnerability.
Affected URL: Lists the URLs and the parameters affected by the vulnerability.
Recommendations: Solutions or workarounds to mitigate the risk arising from this vulnerability. Mitigation solutions should be tested in a development environment before being put into production.

The details of identified vulnerabilities, impact, severity and recommendations are explained below.
CONFIGURATION AUDIT OF NETWORK DEVICES

Observation Summary for Configuration Audit of Network Devices

The chart given below represents the vulnerabilities found during vulnerability assessment testing:

Figure 6: Vulnerability Assessment Test Observations (pie chart of findings by risk: High 5 and Low 5 (29-30% each), Medium 7 (41%))

Domain                 High  Medium  Low  Total
Configuration Audit    5     7       5    17
The table below explains all vulnerability details. Each entry gives: Vulnerability, Affected IP Address, Risk, Status, Impact and Recommendation.

Vulnerability: Clear Text Telnet Service Enabled
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: Due to the lack of encryption provided by the Telnet protocol, an attacker who is able to monitor a Telnet session would be able to view all of the authentication credentials and data passed in the session. The attacker could then attempt to gain access to the device using the authentication credentials extracted from the session and potentially gain access under the context of that user. Since Telnet is commonly used for network device administration, this could give the attacker an administrative level of access.
Recommendation: It is recommended that the Telnet service be disabled. If remote administrative access is required, it is recommended that a cryptographically secure alternative, such as Secure Shell, be used instead. If Telnet has to be used, it is recommended that network filtering be employed to restrict access to the service to only those specific devices that need the access.
Vulnerability: No Console Connection Timeout
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: If an attacker was able to access a system using an authenticated session that is no longer being used, the attacker would be able to perform information gathering, configuration and other malicious activities under the context of the previously authenticated user. Due to the nature of the access, this could be an administrative level of access.
Recommendation: It is recommended that a timeout period of 10 minutes be configured for the console connection.

Vulnerability: No Secure Shell Session Timeout
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: If an attacker was able to access a system using an authenticated session that is no longer being used, the attacker would be able to perform information gathering, configuration and other malicious activities under the context of the previously authenticated user. Due to the nature of the access, this could be an administrative level of access.
Recommendation: It is recommended that a Secure Shell session timeout period of 10 minutes be configured.

Vulnerability: No Telnet Session Timeout
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: If an attacker was able to access a system using an authenticated session that is no longer being used, the attacker would be able to perform information gathering, configuration and other malicious activities under the context of the previously authenticated user. Due to the nature of the access, this could be an administrative level of access.
Recommendation: It is recommended that a Telnet session timeout period of 10 minutes be configured.

Vulnerability: No Hypertext Transfer Protocol Server Session Timeout
Affected IP Address: [Link]
Risk: High
Status: OPEN
Impact: If an attacker was able to access a system using an authenticated session that is no longer being used, the attacker would be able to perform information gathering, configuration and other malicious activities under the context of the previously authenticated user. The level of access could potentially be at an administrative level.
Recommendation: It is recommended that a Hypertext Transfer Protocol server session timeout period of 10 minutes be configured.
Vulnerability: No Secure Shell Service Network Access Restrictions
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: Without management host address restrictions, an attacker or malicious user with authentication credentials would be able to connect to the Secure Shell service, log on and execute commands within the context of that user. If an attacker does not have authentication credentials, they could attempt a brute-force attack in order to identify valid credentials. Additionally, if there is a vulnerability in the service, allowing anyone to connect to the service could enable an attacker to exploit it.
Recommendation: It is recommended that access to the Secure Shell service be restricted to only those network hosts that require access.

Vulnerability: No Hypertext Transfer Protocol Service Network Access Restrictions
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: Without management host address restrictions, an attacker or malicious user with authentication credentials would be able to connect to the Hypertext Transfer Protocol over SSL service, log on and access the functionality and information provided for that user. If an attacker does not have authentication credentials, they could attempt a brute-force attack in order to identify valid credentials. Additionally, if there is a vulnerability in the service, allowing anyone to connect to the service could enable an attacker to exploit it.
Recommendation: It is recommended that access to the Hypertext Transfer Protocol service be restricted to only those network hosts that require access.
Vulnerability: Syslog Logging Not Enabled
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: If logging of system messages is not configured, a network administrator may not be made aware of significant events happening on the device. These events could include security issues such as intrusion attempts, network scans and authentication failures, or diagnostic and management information such as potential hardware issues. Without logging of system messages, the information would not be available for either a forensic investigation or diagnostic purposes.
Recommendation: It is recommended that Syslog logging be configured so that system messages are logged to a central logging server.

Vulnerability: No Time Synchronization Configured
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: Although not a direct threat to security, a device with no time synchronization configured would make it more difficult to correlate events in the logs. This would make a forensic investigation more complex and hinder troubleshooting. The lack of time synchronization could also cause problems with some systems that depend on accurate time, such as some authentication services.
Recommendation: It is recommended that all networked devices synchronize their clocks with a network time source.
Vulnerability: Clear Text Hypertext Transfer Protocol Service Enabled
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: Due to the lack of encryption provided by the Hypertext Transfer Protocol service, an attacker who is able to monitor a session would be able to view all of the authentication credentials and data passed in the session. The attacker could then attempt to gain access to the device using the authentication credentials extracted from the session and potentially gain access under the context of that user. Since Hypertext Transfer Protocol is commonly used for network device administration, this could give the attacker an administrative level of access.
Recommendation: It is recommended that the Hypertext Transfer Protocol service be disabled. If remote administrative access is required, it is recommended that a cryptographically secure alternative, such as Hypertext Transfer Protocol over SSL, be used instead.

Vulnerability: User Account Names Contained admin
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: A malicious user would be able to create targeted phishing and social engineering attacks against a specific user they believe to have admin or elevated privileges. Once access is gained, they would have that user's access to a system, which could include re-configuring the device, extracting potentially sensitive information and disabling the device. Once an attacker has obtained the configuration from the device, they may be able to identify authentication credentials that could then be used to gain access to other network devices.
Recommendation: It is recommended that admin or elevated-privilege accounts not contain information that identifies them as such.

Vulnerability: No Telnet Service Network Access Restrictions
Affected IP Address: [Link]
Risk: Medium
Status: OPEN
Impact: Without management host address restrictions, an attacker or malicious user with authentication credentials would be able to connect to the Telnet service, log on and execute commands within the context of that user. If an attacker does not have authentication credentials, they could attempt a brute-force attack in order to identify valid credentials. Additionally, if there is a vulnerability in the service, allowing anyone to connect to the service could enable an attacker to exploit it.
Recommendation: It is recommended that access to the Telnet service be restricted to only those network hosts that require access.
Vulnerability: Weak Password History Policy Setting
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses a strong password and that it is changed on a regular basis. If a user is able to repeatedly select the same password each time they are asked to change their password, it would make the password age facility redundant. The younger a password's age, the better it is for security, for a number of reasons. For example, given enough time it may be possible for an attacker who had captured some encrypted network traffic to decrypt it and identify the user authentication credentials. Over time any password is likely to be used and be present in a greater number of locations, such as on other devices, system backups and temporary files. It is also possible that over a period of time a password may become known to co-workers or passers-by from casual or intentional shoulder surfing.
Recommendation: It is recommended that a user password history of 10 be configured in order to help prevent users from repeatedly selecting the same password.

Vulnerability: Weak Password Age Policy Setting
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses a strong password and that it is changed on a regular basis. The younger a password's age, the better it is for security, for a number of reasons. For example, given enough time it may be possible for an attacker who had captured some encrypted network traffic to decrypt it and identify the user authentication credentials. Over time any password is likely to be used and be present in a greater number of locations, such as on other devices, system backups and temporary files. It is also possible that over a period of time a password may become known to co-workers or passers-by from casual or intentional shoulder surfing.
Recommendation: It is recommended that a user password age policy setting of 60 days be configured.

Vulnerability: Weak Minimum Password Length Policy Setting
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses a strong password and that it is changed on a regular basis. Generally, the greater the number of characters within a password, the stronger the password will be. With a short minimum password length configured, a user could set a short password, requiring less time for an attacker to brute-force the authentication password.
Recommendation: It is recommended that a minimum password length policy setting of 8 characters be configured.
Vulnerability: No Pre-Logon Banner Message
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: A pre-logon banner message is often overlooked when configuring a device, but it is an important security setting which could potentially discourage an uncommitted attacker from proceeding any further. A pre-logon banner message should be configured to warn any potential attacker against unauthorized access and of the consequences. Furthermore, if legal proceedings are brought against an attacker, it would be easier to prove intent on the part of the attacker if they were first warned against unauthorized access.
Recommendation: It is recommended that a carefully worded legal banner that warns against unauthorized access be configured.

Vulnerability: Interfaces Were Configured With No Filtering
Affected IP Address: [Link]
Risk: Low
Status: OPEN
Impact: The network traffic from an attacker attached to one of the network interfaces detailed above would not be subjected to filtering, potentially providing unrestricted access to network services.
Recommendation: It is recommended that all network interfaces be configured with filtering to help prevent unauthorized access to network services and hosts.
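Most of the switch findings above are visible in the device's running configuration, so they can be checked before and after remediation without another assessment. The following is an added example, not the assessor's audit tool and not code from the report. It assumes an IOS-style configuration syntax (an assumption: the report does not name the switch vendor) and runs on two constructed configurations, one reproducing the audited weaknesses and one with the recommendations applied; neither is the audited switch's configuration. The password policy findings are not covered because they are not expressed in such a configuration.

```python
"""Audit a network-device running configuration for the issues raised in this
report's configuration audit: clear-text Telnet and HTTP, missing console/SSH/
Telnet/HTTP session timeouts, no management-host restrictions, no syslog or
NTP, 'admin' in user names, no pre-logon banner and unfiltered interfaces.

Added example, not the assessor's tool. Assumes IOS-style syntax (assumption:
the report does not name the vendor); both configurations are constructed."""
import re

# Constructed configuration reproducing the audited weaknesses.
WEAK_CONFIG = """\
hostname PLANT-SW01
username admin privilege 15 secret 5 $1$abcd$constructedhash
ip http server
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 198.51.100.1 255.255.255.0
 ip access-group 101 in
line con 0
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same device with the report's recommendations applied (also constructed).
HARDENED_CONFIG = """\
hostname PLANT-SW01
username netops privilege 15 secret 5 $1$abcd$constructedhash
banner login ^C Authorized use only. Activity is monitored. ^C
logging host 192.0.2.50
ntp server 192.0.2.51
no ip http server
ip http secure-server
ip http access-class 10
ip http timeout-policy idle 600 life 86400 requests 100
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
line con 0
 exec-timeout 10 0
line vty 0 4
 transport input ssh
 exec-timeout 10 0
 access-class 10 in
 login local
"""


def parse_blocks(config: str) -> list:
    """Split the config into (header, [indented child commands]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def timeout_missing(children: list) -> bool:
    """True when no exec-timeout is set, or it is '0 0' (which disables it)."""
    for cmd in children:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)) == 0 and int(m.group(2) or 0) == 0
    return True


def audit(config: str) -> list:
    """Return findings as (title, risk, where) tuples using the report's titles."""
    blocks = parse_blocks(config)
    tops = [h for h, _ in blocks]
    findings = []

    def add(title, risk, where):
        findings.append((title, risk, where))

    for header, kids in blocks:
        if header.startswith("line vty"):
            transport = next((k for k in kids if k.startswith("transport input")),
                             "transport input all")   # IOS default allows all
            restricted = any(k.startswith("access-class") for k in kids)
            if re.search(r"\b(telnet|all)\b", transport):
                add("Clear Text Telnet Service Enabled", "High", f"{header}: {transport}")
                if timeout_missing(kids):
                    add("No Telnet Session Timeout", "High", header)
                if not restricted:
                    add("No Telnet Service Network Access Restrictions", "Medium", header)
            if re.search(r"\b(ssh|all)\b", transport):
                if timeout_missing(kids):
                    add("No Secure Shell Session Timeout", "High", header)
                if not restricted:
                    add("No Secure Shell Service Network Access Restrictions", "Medium", header)
        elif header.startswith("line con") and timeout_missing(kids):
            add("No Console Connection Timeout", "High", header)
        elif header.startswith("interface"):
            if any(k.startswith("ip address") for k in kids) and \
               not any(k.startswith("ip access-group") for k in kids):
                add("Interfaces Were Configured With No Filtering", "Low", header)
        elif header.startswith("username") and "admin" in header.split()[1].lower():
            add("User Account Names Contained admin", "Medium", header.split()[1])

    http_on = "ip http server" in tops
    if http_on:
        add("Clear Text Hypertext Transfer Protocol Service Enabled", "Medium", "ip http server")
    if http_on or "ip http secure-server" in tops:
        if not any(t.startswith("ip http timeout-policy") for t in tops):
            add("No Hypertext Transfer Protocol Server Session Timeout", "High", "ip http")
        if not any(t.startswith("ip http access-class") for t in tops):
            add("No Hypertext Transfer Protocol Service Network Access Restrictions", "Medium", "ip http")
    if not any(re.match(r"logging (host\s|\d)", t) for t in tops):
        add("Syslog Logging Not Enabled", "Medium", "no 'logging host'")
    if not any(t.startswith("ntp server") for t in tops):
        add("No Time Synchronization Configured", "Medium", "no 'ntp server'")
    if not any(t.startswith(("banner login", "banner motd")) for t in tops):
        add("No Pre-Logon Banner Message", "Low", "no 'banner login'")
    return findings


if __name__ == "__main__":
    for title, risk, where in audit(WEAK_CONFIG):
        print(f"{risk:7} {title} ({where})")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the weak configuration it reports fourteen of the seventeen finding types in the table (all but the three password policy settings); run against the hardened one it reports none, which is the closure check for the OPEN items.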
CONFIGURATION AUDIT OF SERVERS

Observation Summary for Configuration Audit of Servers

The chart given below represents the vulnerabilities found during vulnerability assessment testing:

Figure 7: Vulnerability Assessment Test Observations (pie chart of findings by risk: High 8 (80%), Medium 2 (20%))

Domain          High  Medium  Total
Config Audit    8     2       10
The table below explains all vulnerability details. Each entry gives: Description, Affected IP Address, Risk, Status, Recommendation and Solution.

Description: Passwords for the built-in Administrator account must be changed at least every 60 days.
Affected IP Address: [Link], [Link]
Risk: High
Status: OPEN
Recommendation: It is recommended to change the password every 60 days.
Solution: Change the built-in Administrator account password at least every '60' days. It is highly recommended to use Microsoft's LAPS, which may be used on domain-joined member servers to accomplish this. The AO still has the overall authority to use another equivalent capability to accomplish the check.

Description: Server must not have the Telnet Client installed.
Affected IP Address: [Link], [Link]
Risk: High
Status: OPEN
Recommendation: It is recommended to uninstall the Telnet Client feature.
Solution: To uninstall the 'Telnet Client':
  1. Start 'Server Manager'.
  2. Select the server with the feature.
  3. Scroll down to 'ROLES AND FEATURES' in the right pane.
  4. Select 'Remove Roles and Features' from the drop-down 'TASKS' list.
  5. Select the appropriate server on the 'Server Selection' page and click 'Next'.
  6. Deselect 'Telnet Client' on the 'Features' page.
  7. Click 'Next' and 'Remove' as prompted.
Description: Server must have Secure Boot enabled.
Affected IP Address: [Link], [Link]
Risk: High
Status: OPEN
Recommendation: It is recommended that Secure Boot be enabled on the server.
Solution: Enable Secure Boot in the system firmware.

Description: Account lockout duration must be configured to 15 minutes or greater.
Affected IP Address: [Link], [Link]
Risk: High
Status: OPEN
Recommendation: It is recommended to set the account lockout duration to 15 minutes or greater.
Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> 'Account lockout duration' to '15' minutes or greater. A value of '0' is also acceptable, requiring an administrator to unlock the account.

Description: Server must have the number of allowed bad logon attempts configured to three or less.
Affected IP Address: [Link], [Link]
Risk: High
Status: OPEN
Recommendation: It is recommended to configure the allowed bad logon attempts to 3 or fewer.
Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> 'Account lockout threshold' to '3' or fewer invalid logon attempts (excluding '0', which is unacceptable).

Description: Server password history must be configured to 24 passwords remembered.
Affected IP Address: [Link], [Link]
Risk: High
Status: OPEN
Recommendation: It is recommended to prevent reuse of the last 24 passwords.
Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> 'Enforce password history' to '24' passwords remembered.
Server must be configured to [Link] It is recommended Configure the policy OPEN
High
audit Logon/Logoff - Group [Link] to configure audit value for Computer
Membership successes. Logon/Logoff - Configuration >>
Group Membership Windows Settings
successes. >> Advanced Audit
Policy Configuration
>> System Audit
Policies >>
Logon/Logoff >>
'Audit Group
Membership' with
'Success' selected.
Server must be configured to [Link] It is recommended Configure the policy OPEN
High
audit Privilege Use - [Link] to configure audit value for Computer
Sensitive Privilege Use sensitive privilege Configuration >>
failures. use failures Windows Settings
>> Security Settings
>> Advanced Audit
Policy Configuration
>> System Audit
Policies >> Privilege
Use >> 'Audit
Sensitive Privilege
Use' with 'Failure'
selected.
Server must have a host- [Link] It is recommended Install a HIDS or OPEN
Medium
based intrusion detection or [Link] to have a host- HIPS on each
prevention system. based intrusion server.
prevention system

Server must implement [Link] It is recommended Configure OPEN


Medium
protection methods such as [Link] to that a server must protection methods
TLS, encrypted VPNs, or implement such as TLS,
IPsec if the data owner has a protection methods encrypted VPNs, or
strict requirement for such as IPsec when the data
ensuring data integrity and owner has a strict
TLS,encrypted
confidentiality is maintained requirement for
VPNs.
at every step of the data ensuring data
transfer and handling integrity and
process. confidentiality is
maintained at every
step of the data

54

This report is confidential. Unauthorized use of this report in whole or in part is strictly prohibited.
transfer and
handling process.
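The following PowerShell script is an added example, not part of this report or the assessors' tooling. It re-checks the four Group Policy settings flagged above on the server it runs on: account lockout threshold, enforced password history, and the two advanced audit subcategories. It assumes an elevated session on Windows Server, and it reads the effective values from the local security database via secedit.exe and auditpol.exe (both ship with Windows); the threshold values are the ones the findings above state.

```powershell
# Added example (not part of the NTPC report): re-checks the configuration-audit
# findings above on the local server. Run in an elevated PowerShell session.
# Assumed: secedit.exe and auditpol.exe are available (both ship with Windows Server).

$findings = @()

# 1. Export the effective local security policy and read the [System Access] values.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    # Lines look like "LockoutBadCount = 3"; keep name/value pairs only.
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Account lockout threshold: 1-3 attempts; 0 means lockout is disabled, which the report rejects.
$lockout = [int]$policy['LockoutBadCount']
if ($lockout -eq 0 -or $lockout -gt 3) {
    $findings += "Account lockout threshold is $lockout; expected 1 to 3 (0 disables lockout)."
}

# Enforce password history: the report asks for 24 passwords remembered.
$history = [int]$policy['PasswordHistorySize']
if ($history -lt 24) {
    $findings += "Enforce password history is $history; expected 24."
}

# 2. Read advanced audit policy subcategories as CSV and inspect the 'Inclusion Setting' column.
function Get-AuditSetting([string]$Subcategory) {
    $csv = auditpol.exe /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return $csv.'Inclusion Setting'
}

$grp = Get-AuditSetting 'Group Membership'
if ($grp -notmatch 'Success') {
    $findings += "Audit Group Membership is '$grp'; expected Success."
}

$priv = Get-AuditSetting 'Sensitive Privilege Use'
if ($priv -notmatch 'Failure') {
    $findings += "Audit Sensitive Privilege Use is '$priv'; expected Failure (or Success and Failure)."
}

# Report in the same OPEN/CLOSED terms the audit table uses.
if ($findings.Count -eq 0) {
    'CLOSED: all checked settings match the recommended values.'
} else {
    $findings | ForEach-Object { "OPEN: $_" }
}
```

Because secedit exports the values actually in force on the machine (including those pushed by domain GPOs), this is a useful way to confirm a finding is closed after the Group Policy change has replicated and `gpupdate` has run, rather than reading the GPO object itself.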
NETWORK ARCHITECTURE REVIEW

1. No HA (high availability) status is maintained with the router [Link].
2. It is recommended to tag device interfaces for a better understanding of network flow.
3. It is recommended to disable ICMP on critical devices in order to eliminate the possibility of various attacks associated with ping, such as ping sweep, ping flood and ICMP tunneling.
   Reference: [Link] 130413e56030
4. All the network devices are protected with passwords; generic IDs are used to log in to the devices.
5. Ping restrictions are applied only on the firewall and not on other devices.
6. An associate from the corporate office visits the plant in order to carry out patching activity. It is recommended to implement a WSUS server in the network for patch management.
Note: A DMZ zone is crucial when there is an internet-facing web server. Since there is no internet-facing device, creating a DMZ zone is not necessary.

Internet Service Provider

- BSNL - Bharat Sanchar Nigam Limited
- PGCIL - Power Grid Corporation of India Limited
SECURITY ARCHITECTURE REVIEW

• Devices in the domain communicate with the internet through a proxy provided by the corporate office.

• There is Wi-Fi in the environment.

• Wi-Fi is accessed after successful authentication with valid credentials; MAC binding is not implemented.

• A biometric power controller has been installed but does not communicate with the internet.

• All the network devices authenticate against Active Directory. There is no low-privileged user on the servers and network devices. It is recommended to have multiple accounts with different privileges/permissions (local and admin), because a change made from the admin account might impact production. Hence it is advisable to use the local account until a configuration change is required.

• USB is strictly prohibited at the site.

• Trend Micro Antivirus is installed and updated on all PCs.

Product name: Trend Micro Apex One Security Agent
Path: C:\Program Files (x86)\Trend Micro\OfficeScan Client

• As the site runs the desktops on DHCP, the IP details along with the hostname of each device are attached so that the vulnerabilities can be fixed.

Asset Inventory
[Link]

• It is recommended to assign static IPs to the workstations rather than running them on DHCP.

• There is no group policy configured to disable external storage, but it is restricted by the antivirus (Trend Micro): as soon as an external device (USB) is connected to a system, Trend Micro displays an error message.
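The last point means the USB restriction depends on a single agent. The PowerShell check below is an added example, not part of this report, that shows how to confirm on a workstation whether removable storage is also blocked independently of the antivirus, by policy or by driver. It assumes an elevated session on Windows 10/11; the registry locations are the documented ones written by the 'All Removable Storage classes: Deny all access' policy and by disabling the USB mass storage driver, and the Trend Micro path is the one quoted above.

```powershell
# Added example (not part of the NTPC report): checks whether removable storage is
# blocked by Group Policy or by driver configuration, rather than only by the AV agent.
# Assumed: elevated PowerShell session on Windows 10/11.

function Get-RemovableStoragePosture {
    $result = [ordered]@{}

    # 1. Computer Configuration >> Administrative Templates >> System >>
    #    Removable Storage Access >> 'All Removable Storage classes: Deny all access'
    #    is stored as the DWORD Deny_All = 1 under this policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $result['GroupPolicyDenyAll'] = ($denyAll -eq 1)

    # 2. Setting the USB mass storage driver service to Start = 4 (disabled) stops the
    #    device class from loading at all, independent of any policy.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -ErrorAction SilentlyContinue
    $result['UsbstorDriverDisabled'] = ($usbstor.Start -eq 4)

    # 3. Presence of the antivirus agent, using the install path quoted in the report.
    $result['TrendMicroAgentPresent'] = Test-Path 'C:\Program Files (x86)\Trend Micro\OfficeScan Client'

    # Verdict in the report's own OPEN/CLOSED terms: the observation above is exactly
    # the combination "agent present, no policy or driver block".
    if (-not $result['GroupPolicyDenyAll'] -and -not $result['UsbstorDriverDisabled']) {
        $result['Finding'] = 'OPEN: removable storage is not blocked by Group Policy or driver; the control depends solely on the antivirus agent.'
    } else {
        $result['Finding'] = 'CLOSED: removable storage is blocked independently of the antivirus agent.'
    }
    return [pscustomobject]$result
}

Get-RemovableStoragePosture | Format-List
```

Either of the two policy-level blocks is a reasonable closure for this observation; the Group Policy setting is preferable in a domain because it is reapplied centrally and survives reimaging, whereas the driver change has to be enforced per machine.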
ABBREVIATIONS

SSL - Secure Sockets Layer
SSH - Secure Shell
TLS - Transport Layer Security
GP - Group Policy
GUI - Graphical User Interface
CLI - Command-Line Interface
ANNEXURE
Assessment Approach:
The network vulnerability assessment and penetration testing were conducted as an exercise in which the GT team was given internal IP addresses. This was done to simulate as closely as possible the viewpoint of a completely external attacker. The following approach was followed in performing the assessment on the assets provided for testing.

Workstation IP addresses are mentioned below:

Hostname          IP Address   Asset Type
NKRPD530DQCITD    [Link]       Desktop
NKRPD326NR7ITD    [Link]       Desktop
NKRPD773622ITD    [Link]       Desktop
NKRPD326NRJITD    [Link]       Desktop
NKRPD773584ITD    [Link]       Desktop
NKRPD530DQZITD    [Link]       Desktop
NKRPD554902ITD    [Link]       Desktop
NKRPD231933ITD    [Link]       Desktop
NKRPD530DPHITD    [Link]       Desktop
NKRPD966522ITD    [Link]       Desktop
NKRPD326NRBITD    [Link]       Desktop
NKRPD554904ITD    [Link]       Desktop
NKRDP773616ITD    [Link]       Desktop
NKRPD546331ITD    [Link]       Desktop
NKRPD326NRCITD    [Link]       Desktop
DESKTOP-3SJHLTI   [Link]       Workstation
Penetration Testing Approach
Assumptions:
Based on the scope, only the specified IP addresses were tested. This report has been produced based on the external penetration test and the output of the scan that was conducted on the particular date of testing. The vulnerability details provided in this report are based on the IP addresses provided for assessment, considering that the test was performed on a production environment or one identical to production.
It is recommended that, prior to acting on the recommendations, the following points are taken into account by NTPC NKaranpura:

• Vulnerabilities identified were as on the date the security assessment was conducted and as per the scan policies selected (non-intrusive). Any vulnerabilities identified after the GT assessment date may not form part of this report.

• The reference links GT provided in the detailed vulnerability section are for NTPC NKaranpura's reference only.

• Any fix to an application/system should be tested on a UAT or non-production environment prior to any patch deployment on the production environment.

• An appropriate backup and rollback plan is made prior to implementing the recommendations on the system.

• This report is intended solely for the information and internal use of NTPC NKaranpura.

• The NTPC NKaranpura team is responsible for applying security fixes and maintaining effective security controls on applications, networks and systems.

• There are version-specific vulnerabilities included in the report based on the outcome of the service enumeration. These need to be validated by the respective team to verify the correct version running on the system and to apply the OEM-specified patch (if the version is vulnerable) after testing the patch on a non-production system and taking an appropriate backup.

Consultant Note:
The following section details some of the observations made by the security consultant during the course of the assignment:

• It is recommended to disable all unwanted services running on the systems.

• Perform periodic security assessments of all IT assets.

• Apply proper SSL certificates for all applications that support the business operation and use sensitive data.

End of Document