UICC Network Security Test Report 2
2015
Communication Card Network Security Test Report
Guangdong Chutianlong Smart Card Co., Ltd. (广东楚天龙智能卡有限公司)
2015/6/1
1. Purpose
The purpose of this document is to meet the PCI CP requirement for internal and external network penetration testing; the test was carried out by company staff within the high-security network.
This document explains the content, scope, participants and results of the penetration test.
2. Scope
Under the PCI CP Logical Security requirements, the card producer must perform internal and external penetration testing of the high-security network at least once a year, or after any significant change to the network.
The scope of the penetration test is limited to the personalization network, to ensure that cardholder data held in the personalization network remains secure.
3. Reference standard
This internal and external penetration test follows the standard and recommendations of NIST SP 800-155 (United States); the content referenced from that standard is as follows:
Planning phase:
In the planning phase, the company appoints internal IT staff as the approved penetration testers, and the CISO leads the penetration test team in conducting the internal and external tests.
The IT staff must understand the penetration testing tools and have the technical knowledge needed to ensure the accuracy of the test.
Discovery phase:
In the discovery phase, staff use network discovery and vulnerability scanning tools (Nmap, Nessus, Nexpose, etc.) to scan every network segment, to establish the current state of the network and the vulnerabilities present on its servers and firewalls.
The vulnerability scanners used can detect the following:
∙ Injection flaws (e.g., SQL injection)
∙ Buffer overflow
∙ Insecure cryptographic storage
∙ Improper error handling
∙ All other discovered network vulnerabilities.
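The discovery phase described above, as an added example that is not part of the report and not the company's own tooling: a POSIX shell helper that runs the Nmap scan per segment (the segment list is the one in section 5; the Nmap options are an assumption) and parses Nmap's grepable output into an IP / operating system / open-port-count inventory, then compares that inventory against an approved asset list so that hosts which should not be in the personalization network stand out. The sample scan output and the approved list are constructed for the example, not real scan data.

```shell
#!/bin/sh
# Added example, not part of the report. Assumes nmap is installed on the scanning
# host and that the scan of the listed segments is authorised.

SEGMENTS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"   # segments from section 5

# discover_segment SEGMENT OUTFILE: SYN scan plus OS fingerprinting, grepable output.
# Not run in this file; call it on the scanning host, e.g.
#   for s in $SEGMENTS; do discover_segment "$s" "scan-$(echo "$s" | tr '/' '_').gnmap"; done
discover_segment() {
    nmap -sS -O -T3 -oG "$2" "$1" >/dev/null
}

# inventory_from_gnmap GNMAPFILE: print "IP<TAB>OS<TAB>open-port-count" per host.
# Hosts whose OS nmap could not fingerprint are reported as "unknown", like the
# "Unknown" entries in section 5; they still need manual identification.
inventory_from_gnmap() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            os = "unknown"; open = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^OS: /)    os = substr($i, 5)
                if ($i ~ /^Ports: /) open = gsub(/\/open\//, "&", $i)
            }
            print ip "\t" os "\t" open
        }' "$1"
}

# unexpected_hosts INVENTORY APPROVED: IPs seen by the scan but absent from the
# approved asset list (one IP per line). These are the first hosts to chase.
unexpected_hosts() {
    awk -F'\t' 'NR == FNR { approved[$1] = 1; next } !($1 in approved) { print $1 }' "$2" "$1"
}

# unknown_os_hosts INVENTORY: hosts that still need manual OS identification.
unknown_os_hosts() {
    awk -F'\t' '$2 == "unknown" { print $1 }' "$1"
}

# write_sample_gnmap OUTFILE: constructed lines in nmap's -oG layout (tab-separated
# fields); not the output of a real scan.
write_sample_gnmap() {
    {
        printf '# Nmap grepable output, constructed sample\n'
        printf 'Host: 192.168.2.2 ()\tStatus: Up\n'
        printf 'Host: 192.168.2.2 ()\tPorts: 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2008\n'
        printf 'Host: 192.168.3.12 ()\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows Server 2008\n'
        printf 'Host: 192.168.3.1 ()\tPorts: 22/open/tcp//ssh///\tOS: Linux 2.6.38\n'
        printf 'Host: 192.168.3.18 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///\n'
    } > "$1"
}

# write_sample_approved OUTFILE: constructed approved asset list for the example.
write_sample_approved() {
    printf '192.168.2.2\n192.168.3.12\n192.168.3.1\n' > "$1"
}
```

The inventory step only counts ports reported as open, so the filtered 443 on the sample host is not counted; the comparison step is where the discovery phase earns its keep, because a host that answers on the personalization network but is not on the asset list is a finding regardless of what the vulnerability scanner later says about it.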
Attack phase:
In the attack phase, staff take the vulnerability report produced by the scanners and attack the reported vulnerabilities with penetration testing tools (the Metasploit Framework bundled with Kali Linux).
Attacks are carried out in a passive manner to ensure that they do not damage servers or firewalls.
Reporting phase:
In the reporting phase, staff analyse all of the results and findings accumulated above.
The analysis uses the following table as its standard:
The table above compares the likelihood of an actual attack occurring against the loss it would cause, in order to determine the risk number.
The risk numbers are defined as follows:
∙ High: the vulnerability could be exploited easily and would cause direct business or technical damage.
∙ Medium: exploitation would require a person with a low level of technical skill and could cause business or technical damage.
∙ Low: exploitation would require a person with a medium or high level of technical skill and could cause minor business and technical damage.
4. Network structure
The network structure for this penetration test is as follows:
5. Network discovery summary
The following is the summary of the network discovery:
Segment: 192.168.2.0
IP address     | Operating system              | Risk score | Server/firewall name
192.168.2.2    | Microsoft Windows Server 2008 | 0          | logserver
192.168.2.3    | Microsoft Windows Server 2008 | 0          | FTPserver
192.168.2.253  | Unknown                       | 0          |
192.168.2.254  | Unknown                       | 0          |

Segment: 192.168.3.0
IP address     | Operating system              | Risk score | Server/firewall name
192.168.3.12   | Microsoft Windows Server 2008 | 535        | SQLserver
192.168.3.10   | Microsoft Windows Server 2008 | 535        | ADC
192.168.3.2    | Aerohive embedded 3.4         | 195        | BACKUPAD
192.168.3.11   | Microsoft Windows Server 2008 | 195        |
192.168.3.14   | Microsoft Windows Server 2008 | 0          |
192.168.3.17   | Linux 2.6.9                   | 0          |
192.168.3.13   | Linux 2.6.24                  | 0          |
192.168.3.21   | Microsoft Windows Server 2008 | 0          |
192.168.3.23   | Microsoft Windows Vista       | 0          |
192.168.3.16   | Microsoft Windows Server 2008 | 0          | BACKUPFILE
192.168.3.22   | Microsoft Windows Server 2008 | 0          |
192.168.3.50   | Microsoft Windows Server 2008 | 0          |
192.168.3.1    | Linux 2.6.38                  | 0          |
192.168.3.15   | Microsoft Windows Server 2008 | 0          | backupdb
192.168.3.18   | Unknown                       | 0          |

Segment: 192.168.4.0
IP address     | Operating system              | Risk score | Server/firewall name
192.168.4.102  | Microsoft Windows Server 2008 | 535        |
192.168.4.124  | Microsoft Windows Server 2008 | 535        |
192.168.4.121  | Microsoft Windows Server 2008 | 535        |
192.168.4.104  | Microsoft Windows Server 2008 | 535        |
192.168.4.103  | Microsoft Windows Server 2008 | 535        |
192.168.4.111  | Microsoft Windows Vista       | 0          | GRH-K01
192.168.4.112  | Microsoft Windows Server 2008 | 0          |
192.168.4.115  | Microsoft Windows Server 2008 | 0          |
192.168.4.106  | Microsoft Windows 7.5         | 0          |
192.168.4.1    | FreeBSD 7.0-CURRENT           | 0          |
192.168.4.105  | Microsoft Windows Server 2008 | 0          | GRH-GDSMJ

Public address: 120.86.69.81
IP address     | Operating system              | Risk score | Server/firewall name
120.86.69.81   | Unknown                       | 0          |
6. Vulnerability details
The vulnerability details are as follows:
External vulnerability scan (no vulnerabilities found; see the vulnerability scan report for details)
Internal vulnerability scan (medium and high severity; see the vulnerability scan report for the low-severity details):
Source table columns: IP address | Severity | Description | Solution | CISO opinion. The CISO opinion column is empty for every row. Hosts sharing the same finding and solution are grouped below.

Hosts: 192.168.2.2, 192.168.2.3
Severity: Medium
Description: The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time. This information could theoretically be used against some systems to exploit weak time-based random number generators in other services. In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP timestamp requests.
Solution: Disable ICMP timestamp responses. Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response).
CISO opinion: (empty)

Hosts: 192.168.3.10, 192.168.3.12, 192.168.4.102, 192.168.4.103, 192.168.4.104, 192.168.4.121, 192.168.4.124
Severity: High
Description: The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.
Solution: Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ.
CISO opinion: (empty)

Hosts: 192.168.3.11, 192.168.3.2
Severity: High
Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
Solution: Enable TCP MD5 Signatures. Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security attacks on BGP, such as TCP resets.
CISO opinion: (empty)
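For the two findings above that the solutions remediate at the firewall (ICMP types 13 and 14, and a database port reachable from any system), an added example that is not part of the report or of the company's configuration: a POSIX shell script that generates an iptables-restore ruleset for a Linux gateway sitting between the segments, together with a small first-match evaluator that replays packets against the generated rules so that the rule order can be checked before the ruleset is loaded. The gateway role, the trusted-host list, the SQL Server port 1433 and the evaluator itself are assumptions of the example; the report does not identify the firewall platform.

```shell
#!/bin/sh
# Added example, not part of the report. Assumes a Linux gateway running iptables
# between the personalization segments; TCP/1433 (SQL Server) is the assumed
# database port and the TRUSTED list is the assumed set of systems allowed to reach it.

# gen_ruleset "TRUSTED_IPS" [DBPORT]: print an iptables-restore filter table.
#   Loading it on the gateway (as root):
#   gen_ruleset "192.168.3.10 192.168.3.15" 1433 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
gen_ruleset() {
    trusted=$1
    dbport=${2:-1433}
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Finding: ICMP timestamp request (13) and reply (14). Dropped in every
    # direction so the gateway neither answers them nor forwards them.
    for chain in INPUT FORWARD OUTPUT; do
        echo "-A $chain -p icmp --icmp-type 13 -j DROP"
        echo "-A $chain -p icmp --icmp-type 14 -j DROP"
    done
    echo '-A INPUT -p icmp -j ACCEPT'   # other ICMP (echo, unreachable) stays usable
    # Finding: database reachable from any system. Allow only the trusted
    # systems, then log and drop everyone else; the order of these lines matters.
    for h in $trusted; do
        echo "-A FORWARD -p tcp -s $h --dport $dbport -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A FORWARD -p tcp --dport $dbport -j LOG --log-prefix \"DB-DENY: \""
    echo "-A FORWARD -p tcp --dport $dbport -j DROP"
    echo 'COMMIT'
}

# decide RULESET CHAIN PROTO SRC SELECTOR: verdict for a new packet, following
# iptables first-match semantics (LOG is non-terminating, the chain policy is the
# fallback). SELECTOR is the TCP destination port or the ICMP type. Only the
# match options gen_ruleset emits are modelled; this is a review aid, not iptables.
decide() {
    awk -v chain="$2" -v proto="$3" -v src="$4" -v sel="$5" '
        $1 == (":" chain) { verdict = $2 }
        $1 == "-A" && $2 == chain && !decided {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) != proto) ok = 0
                if ($i == "-s" && $(i + 1) != src) ok = 0
                if (($i == "--dport" || $i == "--icmp-type") && $(i + 1) != sel) ok = 0
                if ($i == "--ctstate" && $(i + 1) !~ /NEW/) ok = 0
                if ($i == "-j") target = $(i + 1)
            }
            if (ok && target != "" && target != "LOG") { verdict = target; decided = 1 }
        }
        END { print verdict }' "$1"
}
```

The LOG line before the final DROP gives the log server in segment 192.168.2.0 a record of every denied database connection attempt, which is the detection side of the same control: a burst of "DB-DENY" entries from a host that is not on the trusted list is worth an incident ticket, not just a dropped packet.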
7. Penetration test details
Vulnerability name:
MS08-037:
Vulnerability in DNS could