PHASE 1: PLANNING AND PREPARATION
Background
Wells Fargo is an international banking company based in the United States and headquartered in San Francisco, California. It is one of the largest banks in the United States, alongside Citigroup, JP Morgan Chase, and Bank of America. As of the end of 2015, the bank had over 8,500 retail branches and 13,000 ATMs. Wells Fargo also operates in 35 countries, and its global customer base adds up to 70 million. In 2014, Wells Fargo became the most valuable bank in the world for the second year running (Bank, 2007).
Wells Fargo is a virtual bank. As a virtual bank, Wells Fargo operates a system of banking in which transactions are carried out online with minimal contact with the bank's physical branches. Virtual banking is the latest technological breakthrough that Wells Fargo has implemented, giving its customers all over the world the convenience of banking on the go. Customers no longer need to walk into a branch to operate their accounts or use other banking services; they can do so online.
Virtual banking is one of the quickest ways of banking and also the cheapest, because it saves both time and money. Customers can easily access their accounts virtually, and because the system has no banking hours, they can operate their accounts at any time of day. The growth of virtual banking has, however, brought many associated problems. The virtual banking operated by Wells Fargo is vulnerable to security and technology issues such as maintaining sophisticated technology standards, verifying digital signatures, the threat of viruses and spyware, and encryption and decryption (Fargo, 2005).
Assessment Agreement
Cross-site scripting is a well-known and dangerous attack on networked applications. Once the attack has been launched against the virtual banking network operated by Wells Fargo, it can give an attacker comprehensive control over the application. While testing the Wells Fargo virtual banking network for cross-site scripting, Metasploit will help identify the weaknesses of the network and the database that has been attacked (Araine, 2006).
Scope
The project intends to identify the ways in which the Wells Fargo virtual banking network is exposed to vulnerabilities and how easily attackers can make use of freely available information, such as the e-mail addresses of customers accessing their accounts online. The Wells Fargo virtual banking network is a target for hackers and malware because of the ease of the process and the fact that they can cash in on the hacking. An hour of hacking of the Wells Fargo virtual banking network would make millions of dollars for the hackers, making it more vulnerable than any other virtual network (Singh, 2012).
A. Rules of Engagement
1) Internal, external or both approaches, where the process will gather all usernames and passwords of the customers using the virtual banking. Through the testing process, the testing team will then log in to verify access upon reaching the network (SriNithi, Elavarasi, & Raj, 2014).
2) White-box approach and gray-box approach
B. What will be tested
Virtual banking network, telephony, database, wireless applications, web servers, email servers, VPN, data leakage protection, VoIP, IDS, routers, switches, firewall, and DMZ
C. Ways in which it will be tested
1) The Wells Fargo virtual banking network will be scanned to check for vulnerabilities. Through scanning, database and network information will be accessed, which helps in extracting the customers' usernames; these will then be subjected to a brute-force attack. The testing team will also identify all the plugins and themes installed during the extraction of the usernames (Anthes, 1999).
2) Kali Linux will help the penetration testing team identify all items within the virtual banking network that can easily be exploited. The tool will also help find all the exploits through which attackers could break into the network.
Penetration Testing Scope
In Scope:
(i) The testing team will test the virtual network, login approvals, and customer review segments
(ii) Testing will be conducted by the organization of the application and deployment of the application on the network
(iii) The network modules
(iv) The FTP server
(v) Authorized IP
(vi) All virtual manager virtual computers
Out of Scope:
(i) The web server
(ii) Viewing data that is unauthorized
(iii) Testing the online policy module
(iv) Testing other vulnerabilities that are beyond the scope
(v) The testing team will not interfere with the Domain Server information
(vi) The testing team will not interfere with the IP addresses
Scope of Penetration Tools
In Scope:
(i) Linux
(ii) JavaScript
(iii) HTML
(iv) Virtual Banking Network Scan
(v) Nikto
(vi) Kali Operating System
Out of Scope:
(i) Password Crackers
(ii) File Manager Information
(iii) Data Information
Deliverables
Deliverable | Description | Acceptance Criterion
Presentation of the testing process | Electronic presentation | Definition of the process scope studied by the testing team and approved by the project manager
Documentation and delivery of the virtual banking network vulnerability report | Electronic presentation | Definition of the process scope studied by the testing team and approved by the project manager
Team Members
Role | Name | Responsibility
Project Manager | Nathan James | Responsible for the success of the project and answerable to the team members
Project Sponsor | Suchit Reddy | (i) Representative of the project's third-party stakeholders; (ii) addresses all personnel issues; (iii) links the team members and the stakeholders
Team members | Klaas Nime, Claude Plat, Hanadi Saeed | They will take active roles in ensuring the project succeeds
Specific Roles
Name | Specialty | Email | Phone number | Alternative
Klaas Nime | Programming | | 543-556-7789 | Hani Jalal
Claude Plat | Computer Network Admin | | 800-456-4120 | James Walker
Hanadi Saeed | Database Professional | | 739-098-7650 | Khadar Bashar
Escalation Path
Problems with the Wells Fargo virtual banking network will be escalated to top-level management. The bank's chief information officer (CIO) and the administrators are the top-level management capable of listing the main problems with the network. If a problem goes beyond their authority, the organization has a centralized administration officer ready to whom the problem will be transferred (Wilhelm, 2010). Wells Fargo's virtual banking is made up of several departments, each of which requires a point of contact, as follows:
Points of Contact
Department | Point of Contact | Method of Contact (Phone)
Project Manager | Nathan James | 768-432-7654
Head of Application Development | Suraj Mahant | 432-678-4652
Network Administrator | Claude Plat | 132-453-0986
Quality Assurance | Sudhakar Reddy | 453-867-9090
Database Administrator | Hanadi Saeed | 756-908-8709
Chief Information Officer (CIO) | Emma Granderson | 123-456-7890
(i) Dates and Times – After consulting and agreeing with the bank's management, the project dates were set from 1st December 2016 to 15th December 2016. Testing will be done daily, except on holidays and weekends, from 8 AM to 5 PM.
(ii) Retest Policy – The testing team has arranged for a retest in case the bank is not satisfied with the work. The retest will follow the policy: the testing team will only retest the virtual network modules that did not meet the standards and quality of work required by the policy. Additionally, the bank must request the retest before the first month expires.
(iii) Working Conditions – The testing team will perform the testing on its own premises. The bank will therefore have to provide all critical database servers and virtual network applications to the testing team. The testing team will also reach an agreement with the bank on whether the testing can be carried out at the team's premises (Ceraolo, 1996).
(iv) Non-disclosure Agreement – The testing team will protect the bank's data and information during the testing period through a non-disclosure agreement between the bank and the team.
(v) Liability Insurance – The team will be fully responsible for any destruction of the bank's information system or network infrastructure; the extent of the testing team's responsibility will be set out in an agreement (Weidman, 2014).
(vi) Legal Issues – The bank will have the right to take the testing team to court if it violates the agreement, and vice versa.
(vii) Quality Assurance – The testing team must assure the bank that its work will fully meet the quality and standards the organization needs. The bank will therefore hire an independent quality assurance team to rate and assess the work.
PHASE 2: ASSESSMENT
Information Gathering
The testing team will gather information for the testing through active and passive information gathering. In active information gathering, the testing team will obtain information from the administration at the beginning of the test, such as authorization and login details. Passive information gathering, on the other hand, is the information about penetration testing that the testing team already has. One of the tools the testing team will use is a crawler, which will enable the team to gather and comprehensively understand information about the penetration test and the content management system the bank uses. Additionally, the testing team will actively use the virtual network scan to look for all plugins that attackers might have installed in the virtual network and on the server (Engebretson, 2013).
Network Mapping
The testing team will map the virtual banking network and thereby gain a comprehensive understanding of the network infrastructure. Through mapping the virtual banking network, the team will also identify the underlying concepts of the Internet; this understanding of the network and the underlying facts about the Internet will speed up the penetration testing process. Under the guidance of the network administrator, the team will compile the various components of the virtual banking network and where they are located within the infrastructure (Hurley, Rogers, & Thornton, 2007).
Figure 1: Network of XSS Attack
The testing team will use vulnerability analysis to estimate potential vulnerabilities in Wells Fargo's virtual banking network. Through the analysis, the team will define, identify, and classify security vulnerabilities in the virtual banking network. The testing team will therefore find all the plugins that attackers might have installed in the network and the customer experience blog by running the WPScan plugin-enumeration command below:
wpscan --url http://freeinstagramfollowers.me --enumerate p
After running the command above, the result will be:
[+] Name: wp-super-cache
 |  Location: http://freeinstagramfollowers.me/wp-content/plugins/wp-super-cache/
[+] We could not determine a version so all vulnerabilities are printed out
[!] Title: WP-Super-Cache 1.3 - Remote Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/6623
    Reference: http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
    Reference: http://wordpress.org/support/topic/pwn3d
    Reference: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/wp-cache.phpwp_nonce_url Function URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6624
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92832
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6625
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92831
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/plugins/searchengine.php URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6626
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92830
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/plugins/domain-mapping.php URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6627
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92829
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/plugins/badbehaviour.php URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6628
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92828
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/plugins/awaitingmoderation.php URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6629
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
    Reference: http://osvdb.org/92827
[i] Fixed in: 1.3.1
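The scan output above carries a caveat that matters for triage: WPScan could not read the plugin version, so it printed every known issue, and each one is only real if the installed version is older than its "Fixed in" value. The following Python is an added example for this page (not WPScan's code and not the testing team's) that parses output in the format shown into plugins and findings and then filters the findings once an administrator confirms the installed version. The sample text is constructed from the output above, cut down to two findings; the "[+] Version:" line the parser accepts is an assumption about WPScan's format and does not appear on this page.

```python
"""Parse WPScan plugin-enumeration output and triage the findings by version.

Added example for this page; not WPScan's code. SAMPLE_OUTPUT is constructed
from the scan shown above (shortened to two findings). The "[+] Version:" line
handled below is an assumed format, not something the page's output contains.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
[+] Name: wp-super-cache
 |  Location: http://freeinstagramfollowers.me/wp-content/plugins/wp-super-cache/
[+] We could not determine a version so all vulnerabilities are printed out
[!] Title: WP-Super-Cache 1.3 - Remote Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/6623
[i] Fixed in: 1.3.1
[!] Title: WP Super Cache 1.3 - trunk/plugins/wptouch.php URI XSS
    Reference: https://wpvulndb.com/vulnerabilities/6625
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2008
[i] Fixed in: 1.3.1
"""


@dataclass
class Finding:
    title: str
    references: List[str] = field(default_factory=list)
    fixed_in: Optional[str] = None


@dataclass
class Plugin:
    name: str
    location: str = ""
    version: Optional[str] = None  # None when the scanner could not tell
    findings: List[Finding] = field(default_factory=list)


def _value(line: str) -> str:
    """Text after the first ':' on a 'Label: value' line."""
    return line.split(":", 1)[1].strip()


def parse_wpscan(text: str) -> List[Plugin]:
    """Group WPScan's '[+]', '[!]' and '[i]' lines into plugins and findings."""
    plugins: List[Plugin] = []
    plugin: Optional[Plugin] = None
    finding: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()  # drop the ' | ' tree prefix
        if line.startswith("[+] Name:"):
            plugin = Plugin(name=_value(line))
            plugins.append(plugin)
            finding = None
        elif plugin is None:
            continue  # preamble before the first plugin
        elif line.startswith("Location:"):
            plugin.location = _value(line)
        elif line.startswith("[+] Version:"):  # assumed format (see note)
            plugin.version = _value(line).split()[0]
        elif line.startswith("[!] Title:"):
            finding = Finding(title=_value(line))
            plugin.findings.append(finding)
        elif finding is not None and line.startswith("Reference:"):
            finding.references.append(_value(line))
        elif finding is not None and line.startswith("[i] Fixed in:"):
            finding.fixed_in = _value(line)
    return plugins


def version_tuple(version: str) -> tuple:
    """'1.3.1' -> (1, 3, 1), so 1.10 sorts after 1.9 (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def triage(plugin: Plugin, confirmed_version: Optional[str] = None) -> List[Finding]:
    """Findings still applicable to this install.

    With no version known (the case in the scan above) every finding stays.
    Once an administrator confirms the installed version, only findings whose
    fix is newer than that version remain worth acting on.
    """
    installed = confirmed_version or plugin.version
    if installed is None:
        return list(plugin.findings)
    return [f for f in plugin.findings
            if f.fixed_in is None
            or version_tuple(installed) < version_tuple(f.fixed_in)]


if __name__ == "__main__":
    for p in parse_wpscan(SAMPLE_OUTPUT):
        print(f"{p.name} at {p.location} (version: {p.version or 'unknown'})")
        print(f"  unverified: {len(triage(p))} findings; "
              f"if 1.3 installed: {len(triage(p, '1.3'))}; "
              f"if 1.3.1 installed: {len(triage(p, '1.3.1'))}")
```

The point of the version check is that a scan with an unknown version is a list of candidates, not confirmed exposure: the administrator reads the real plugin version from the site and re-runs the triage, which drops findings already fixed in the installed release.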
Penetration Testing
A cross-site scripting (XSS) vulnerability is a destructive flaw in the virtual banking network. It manifests itself when input that has not been properly filtered is stored on the server and later sent to the client's browser. During penetration testing, the web server starts automatically when the penetration testing team boots the tool. The team will enter http://<IP> in the browser to start penetration testing with the Kali Linux tool, where <IP> is the IP address of the Kali Linux machine. The tool will display the page below:
A terminal will then be opened, in which the METASPLOITABLE tool is updated as indicated below:
The testing team will then start Metasploit by typing msfconsole in the terminal above. Immediately after loading, XSSF will be loaded on port 666. Below is the resultant page:
Upon loading, XSSF will display various options for the team to inject the script. Wampserver is vulnerable to XSS; the injected value immediately changes to =">. Below is the error confirming the presence of XSS:
The team will then inject and src=" to reveal more of the vulnerability. Below is the displayed window:
That will not be enough; the team will want to display more cookies by typing msf > use auxiliary/xssf/public/misc/cookie and then running it at the msf> prompt. Anyone who wants to interrupt the auxiliary will use xssf_logs 1, and all cookies will be displayed as follows:
The penetration testing team will then check for an auxiliary capable of sending alerts to remote machines within the virtual banking network. The command msf> use auxiliary/xssf/public/misc/alert will be entered. The module will then be configured by typing show options, and the screen below will be displayed:
The team will then compromise the target machine on the network using ms10_046, which is a shortcut-file exploit. The shortcut file points to a malicious DLL and runs an arbitrary payload when it is accessed, displaying the window below:
By typing msf> jobs, the testing team will note that the background job is 0, which is its id. The exploitation will start immediately. Once the shortcut file is sent, the malicious DLL will be loaded. The team will then have succeeded in exploiting the vulnerability, and the Meterpreter session below will be opened:
The screen below will be displayed as confirmation of the XSS in the URL.
The form above will be submitted, and the JavaScript code will be executed immediately. Below is the display:
Vulnerability Table
System | Vulnerabilities | Exploits | Exploit description | Source of exploit
Customer Blog | Segments can easily read the feedback of the customers | Cross-site scripting (JavaScript) | Cross-site scripting (JavaScript) | Complex scripts
Customer Blog | Permits messages containing an iFrame | iFrames presented on the customer blog with a cookie catcher | iFrames presented on the customer blog with a cookie catcher; upon clicking the iFrame, it sends the cookie to the attacker | Complex scripts
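The Penetration Testing section describes the flaw as feedback that is stored unfiltered and replayed into other customers' browsers, and the table above names the concrete payload: an iFrame on the customer blog that ships the session cookie to a cookie catcher. The Python below is an added example for this page, not code from the testing team or from the bank, showing the two defences a remediation would apply: the vulnerable rendering beside its output-encoded form, and a session cookie issued with HttpOnly so that script which does run cannot read it. The feedback messages are constructed, and attacker.example is a placeholder host, not a real catcher.

```python
"""Stored XSS on a customer-feedback blog: vulnerable rendering beside the
hardened form, a review check over stored messages, and the cookie flags that
blunt a cookie catcher.  Added example; not the page's or the bank's code.
FEEDBACK is constructed and attacker.example is a placeholder host.
"""
import html
import re
from http.cookies import SimpleCookie

# Constructed sample feedback: one benign message, one carrying the kind of
# iFrame the vulnerability table describes.
FEEDBACK = [
    "Great service at the downtown branch.",
    '<iframe src="http://attacker.example/catch"></iframe> nice app',
]


def render_vulnerable(messages):
    """Concatenates stored feedback into the page unchanged: whatever one
    customer submitted becomes live markup in every other customer's browser."""
    return "".join(f"<p>{m}</p>" for m in messages)


def render_hardened(messages):
    """Output-encodes each message at render time, so the browser shows the
    iFrame text literally instead of loading it."""
    return "".join(f"<p>{html.escape(m, quote=True)}</p>" for m in messages)


# Markup and handler patterns worth routing to review when they turn up in
# stored feedback.  This is detection for the security team's logs, not the
# defence itself; the encoding above is the defence.
_SUSPICIOUS = re.compile(
    r"<\s*(iframe|script|img|svg|object|embed)\b|\bon\w+\s*=|javascript:", re.I)


def flag_suspicious(messages):
    """Indices of stored messages containing markup or event handlers."""
    return [i for i, m in enumerate(messages) if _SUSPICIOUS.search(m)]


def session_cookie_header(session_id):
    """Set-Cookie header with HttpOnly, Secure and SameSite=Strict.  HttpOnly
    is the flag that matters against a cookie catcher: even if a script runs
    in the page, document.cookie will not expose the session value."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(FEEDBACK))
    print("hardened:  ", render_hardened(FEEDBACK))
    print("flagged message indices:", flag_suspicious(FEEDBACK))
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output rather than filtering at input is the choice to make here: a filter has to anticipate every markup variant, whereas escaping the five HTML metacharacters makes the stored text inert no matter what it contains, and the review check then serves only to tell the security team that someone tried.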
PHASE 3: CLOSING ACTIVITIES
In phase 3, the testing team will close all activities of the penetration test. This phase will also give the penetration testing team an opportunity to communicate to Wells Fargo management what they have found in the virtual banking network and the vulnerabilities associated with it (Halfond & Orso, 2011).
1. Reporting
The team completed all the activities according to the agreement with the management at the bank and the process of identifying the various vulnerabilities in the network. The network was checked for vulnerabilities within the agreed dates and times. While gathering information, the team applied various exploits, which enabled them to identify the ways in which the Wells Fargo virtual banking network could easily be exploited through its vulnerabilities.
2. Follow-up Actions
Upon completion of the penetration test, the team presented their findings to the management at Wells Fargo. The team then followed up their findings with recommendations which the company would use to prevent XSS attacks in the future. Besides that, the information technology team was trained in ways to prevent such attacks in the future. On review, the penetration testing team, in collaboration with the management at the company, concluded that everything went according to plan. Additionally, the management considered it important to preserve all examination reports and refer to them frequently; this is one way of helping the IT security team keep the company free from the dangers and vulnerabilities of XSS (Ramachandran, 2011).
3. Archiving
Wells Fargo Bank will store all the electronic and paper documents about this penetration test. The bank might find it necessary to appoint personnel in the IT department to be in charge of the findings from the penetration test. The testing team advises the bank to store the findings from the process for at least one year. The team will also remain in touch with the bank concerning the security of the virtual banking network and the exploitation of the vulnerabilities. In addition to this:
(i) The testing team will work closely with Wells Fargo Bank to ensure that all critical data that could be used by attackers has been deleted.
(ii) Wells Fargo Bank will archive all non-disclosure contracts as well as the endorsements. The company will also store some of them for a period not exceeding five years (Allsopp, 2009).
References
Allsopp, W. (2009). Unauthorized Access: Physical Penetration Testing for IT Security Teams. West Sussex: Wiley Publishers.
Anthes, G. H. (1999). 'Cyberterrorists' could be in your own backyard. Computerworld, 33(39), 24.
Araine, R. (2006). Covert pen testing has arrived. Eweek, 23(33), 27.
Bank, W. F. (2007). Wells Fargo Bank, NA, as Documentation Agents.
Ceraolo, J. P. (1996). Penetration testing through social engineering. Information Systems Security, 4(4), 37.
Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing. Waltham, MA: Elsevier.
Fargo, W. (2005). News releases: "The New Wells Fargo Electronic Deposit Services Break Through Banking Boundaries in the Age of Check 21", San Francisco, Mar. 28, 2005. Retrieved from the internet.
Hacking the hackers. (2015). Economist, 414(8931), 83-84.
Halfond, W. G., & Orso, S. R. (2011). Improving penetration testing through static and dynamic analysis. Software Testing, Verification and Reliability, 21(3), 195-214.
Hurley, C., Rogers, R., & Thornton, F. (2007). WarDriving and Wireless Penetration Testing. Rockland, MA: Syngress Publishing.
Ramachandran, V. (2011). BackTrack 5 Wireless Penetration Testing: Beginner's Guide. Birmingham, UK: Packt Publishing.
Singh, A. (2012). Metasploit Penetration Testing Cookbook: Over 70 recipes to master the most widely used penetration testing framework. Birmingham: Packt Publishing.
SriNithi, D., Elavarasi, G., & Raj, M. (2014). Improving web application security using penetration testing. Research Journal of Applied Sciences, Engineering and Technology, 8(5), 658-663.
Weidman, G. (2014). Penetration Testing: A Hands-On Introduction to Hacking. San Francisco, CA: No Starch Press, Inc.
Wilhelm, T. (2010). Professional Penetration Testing: Volume 1: Creating and Operating a Formal Hacking Lab. Burlington, MA: Syngress.
Sherry Roberts is the author of this paper. She is a senior editor at MeldaResearch.Com.