Pentesting of 11,500 IPs and 50 Apps for a Warehouse Automation Provider
About Our Customer
The Customer is a US-based warehouse product manufacturer and material handling automation provider. With a history spanning over 100 years, it is one of the global industry leaders with several manufacturing facilities and a vast network of dealers across the Americas.
A Large-Scale Infrastructure Pentest Required Solid Cybersecurity Competencies
The Customer wanted to reinforce the security of its large-scale IT infrastructure comprising more than 11,500 IP addresses and around 50 applications. It sought an experienced penetration testing vendor to carry out the extensive project promptly and effectively. Trusting ScienceSoft’s 20 years of experience in cybersecurity, 34 years in manufacturing IT, and a solid track record of penetration testing projects, the Customer delegated the task to our team.
Black Box Penetration Testing and Security Consulting
ScienceSoft's cybersecurity experts conducted black box penetration testing of the Customer’s IT infrastructure based on the NIST 800-115 methodology. The testing aimed to quickly uncover critical vulnerabilities and evaluate the security status of the Customer's widespread network. The distinctive feature of the black box model is that security engineers have no information about the inner workings of the applications or any security controls in place, thus acting as real-life attackers.
The test consisted of the following stages:
Discovery phase
ScienceSoft's ethical hackers ran a port scan of over 11,500 IP addresses and identified around 200 live hosts and 50 websites as the testing targets. They then ran an automated vulnerability assessment with tools such as Nessus and Nmap to surface as many security issues as possible before manual testing began.
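The discovery step above boils down to reducing a scan of thousands of addresses to a short list of live hosts, web targets and internet-exposed services. The script below is an added example, not ScienceSoft's own tooling: it parses nmap's greppable (-oG) output, which is what a scan of this size is normally saved as, and derives those three lists. The scan lines, hostnames and addresses are constructed, and the set of remote-access ports it flags (FTP, SSH, Telnet) is an assumption based on the findings the report lists.

```python
"""Triage nmap greppable (-oG) output into live hosts, web targets and
internet-exposed remote-access services.

Added example, not ScienceSoft's own tooling. The scan lines below are
constructed stand-ins for the ~11,500-address scan described in the text."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed nmap -oG output: three live hosts and one down host.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan 15 09:00:00 2024 as: nmap -sS -sV -p- -oG scan.gnmap 203.0.113.0/24
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/open/tcp//ssl|http//Apache httpd 2.4.6/\tIgnored State: closed (65532)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/, 8443/open/tcp//ssl|https-alt//Apache Tomcat/\tIgnored State: filtered (65533)
Host: 203.0.113.12 ()\tStatus: Down
Host: 203.0.113.13 ()\tStatus: Up
Host: 203.0.113.13 ()\tPorts: 23/open/tcp//telnet//Cisco IOS telnetd/, 443/filtered/tcp//https///\tIgnored State: closed (65533)
# Nmap done at Mon Jan 15 09:13:32 2024 -- 256 IP addresses (3 hosts up) scanned in 812.40s
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str      # nmap service name; nmap writes "/" inside names as "|", e.g. "ssl|http"
    version: str   # product/version banner, empty when nothing was fingerprinted


# Assumed list of services that should never face the internet directly
# (the "unsecured open ports" finding in the report).
REMOTE_ADMIN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet"}


def parse_gnmap(text: str) -> Dict[str, List[Service]]:
    """Return {ip: [Service, ...]} for every host nmap reported as Up."""
    hosts: Dict[str, List[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header and footer comments
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                if value.strip() == "Up":
                    hosts.setdefault(ip, [])  # live even if no port is open
            elif key == "Ports":
                for entry in value.split(", "):
                    # Each entry: port/state/proto/owner/service/rpcinfo/version/
                    port, state, proto, _owner, name, _rpc, version = entry.split("/", 7)[:7]
                    hosts.setdefault(ip, []).append(
                        Service(ip, int(port), proto, state, name, version))
    return hosts


def live_hosts(hosts: Dict[str, List[Service]]) -> List[str]:
    return sorted(hosts)


def open_services(hosts: Dict[str, List[Service]]) -> List[Service]:
    """Only state 'open' counts; 'filtered' and 'closed' ports are not targets."""
    return [s for svcs in hosts.values() for s in svcs if s.state == "open"]


def web_targets(hosts: Dict[str, List[Service]]) -> List[str]:
    """URL list for the web-application testers, with the scheme taken from the fingerprint."""
    urls = []
    for s in open_services(hosts):
        if "http" in s.name or s.port in (80, 443, 8080, 8443):
            scheme = "https" if ("ssl" in s.name or "https" in s.name) else "http"
            urls.append(f"{scheme}://{s.host}:{s.port}")
    return sorted(urls)


def exposed_admin_services(hosts: Dict[str, List[Service]]) -> List[Service]:
    """FTP/SSH/Telnet reachable from the scanning position: the direct-exposure finding."""
    return sorted((s for s in open_services(hosts) if s.port in REMOTE_ADMIN_PORTS),
                  key=lambda s: (s.host, s.port))


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print(f"{len(live_hosts(hosts))} live hosts, {len(web_targets(hosts))} web targets")
    for s in exposed_admin_services(hosts):
        print(f"EXPOSED {s.name.upper():6} {s.host}:{s.port}  {s.version or '(no banner)'}")
```

Note that the filtered port 443 on the third host is dropped: a scanner that does not check the port state will pad the target list with hosts that cannot actually be reached.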
Attack phase
ScienceSoft's security testing team manually exploited the discovered vulnerabilities. This stage involved brute-force attacks and input data manipulation (injections, buffer overflows, protocol violations).
Reporting phase
ScienceSoft's cybersecurity experts analyzed the penetration testing results and classified the vulnerabilities according to their severity and exploitability. Out of 23 detected vulnerabilities, there were 5 high-severity, 10 medium-severity, and 8 low-severity issues. Some of the major problems ScienceSoft revealed were:
- Inadequate connection encryption. Some of the Customer's remote hosts accepted unencrypted connections and connections encrypted using deprecated SSLv2 and SSLv3 protocol versions.
- Vulnerable software versions. The scan of the remote hosts detected outdated software versions with known security issues.
- Missing brute-force protection. ScienceSoft's ethical hackers made over 100 consecutive login attempts against SSH and FTP servers without being throttled, delayed, or locked out, showing that no effective protection against brute-force attacks was in place.
- Unsecured open ports. Several remote hosts had unsecured FTP and SSH ports that accepted connections from the internet without any proxy or VPN.
Along with the report on penetration testing results, ScienceSoft provided practical recommendations on fixing the identified security issues. In particular, our cybersecurity experts suggested:
- Configuring servers to accept only secure cryptographic protocols (TLS 1.2 and TLS 1.3), disabling SSLv2/SSLv3 and unencrypted access, and serving valid, up-to-date TLS certificates. This would reduce the risk of an attacker exploiting weaknesses in the legacy protocols to intercept traffic, decrypt communications between the affected service and its clients, and get hold of sensitive data.
- Updating outdated software to the latest supported version (where that is impossible, configuring the hosts not to disclose the software version, which hides the target from casual reconnaissance but does not remove the underlying vulnerability). These steps would mitigate the risk of an attacker exploiting vulnerable software to execute arbitrary code on the server or cause a denial of service (DoS).
- Limiting failed authentication attempts, restricting access to the SSH service, and configuring the firewall to only allow access to whitelisted IPs. This would help reduce the risk of brute-force attacks.
- Blocking direct internet access to the SSH and FTP services, placing them behind a VPN, proxy, or jump host (or redirecting to the secured ports), and replacing plain FTP with an encrypted file transfer protocol such as FTPS or SFTP. This would minimize the risk of attackers using the exposed services to brute-force credentials, capture cleartext FTP logins and transferred files, or mount denial of service (DoS) attacks against them.
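The brute-force finding (more than 100 uninterrupted attempts) and the recommendation to limit failed authentication attempts describe the same control from two sides. The script below is an added example, not ScienceSoft's tooling: it runs fail2ban-style sliding-window detection over sshd log lines and reports every source that exceeds the threshold, which is the check a defender would use to confirm the gap and the logic a lockout control would enforce. The log lines, hostnames, addresses, and the threshold and window values are constructed for the example.

```python
"""Detect SSH brute-force sources from sshd syslog lines with a sliding-window
failure threshold. Added example, not ScienceSoft's tooling; all log lines
below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, outcome, user, ip) for auth events, None otherwise.
    Classic syslog stamps carry no year, so strptime defaults to 1900; that is
    fine for intra-day deltas but would break across a New Year rollover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        e = rx.match(m["msg"])
        if e:
            return ts, outcome, e["user"], e["ip"]
    return None


def detect_bruteforce(lines: Iterable[str], threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag every source IP that reaches `threshold` failed logins inside any
    `window`-long span. Returns {ip: {"crossed_at", "count", "users"}}.
    A lockout control would act at the moment `crossed_at` is reached."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    totals: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    flagged: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[1] != "failed":
            continue
        ts, _, user, ip = ev
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"crossed_at": ts}
    for ip, info in flagged.items():
        info["count"] = totals[ip]
        info["users"] = sorted(users[ip])
    return flagged


def constructed_log() -> List[str]:
    """Constructed sample: a legitimate user who fails twice and then logs in,
    followed by one source making 120 password guesses two seconds apart."""
    fmt = "%b %d %H:%M:%S"
    t0 = datetime(2024, 1, 14, 3, 10, 40)
    lines = [
        f"{t0:{fmt}} bastion sshd[2101]: Failed password for deploy from 10.0.0.5 port 40120 ssh2",
        f"{t0 + timedelta(seconds=12):{fmt}} bastion sshd[2101]: Failed password for deploy from 10.0.0.5 port 40120 ssh2",
        f"{t0 + timedelta(seconds=25):{fmt}} bastion sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 40120 ssh2",
        f"{t0 + timedelta(seconds=30):{fmt}} bastion sshd[2101]: pam_unix(sshd:session): session opened for user deploy",
    ]
    t1 = datetime(2024, 1, 14, 3, 12, 1)
    for i in range(120):
        user = ["admin", "root", "test", "oracle"][i % 4]
        prefix = "" if user == "root" else "invalid user "
        lines.append(f"{t1 + timedelta(seconds=2 * i):{fmt}} bastion sshd[{2143 + i}]: "
                     f"Failed password for {prefix}{user} from 198.51.100.7 port {50000 + i} ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(constructed_log()).items():
        print(f"{ip}: {info['count']} failed logins, threshold crossed at "
              f"{info['crossed_at']:%H:%M:%S}, users tried: {', '.join(info['users'])}")
```

With the default threshold the attacker is flagged on the tenth attempt while the legitimate user's two typos pass; the same run of 120 attempts going unflagged is exactly what the testers observed on the Customer's hosts.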
Insight into Critical Security Threats and Their Remediation
Within just 15 days, ScienceSoft's penetration testers thoroughly examined the Customer's vast network. Based on the vulnerabilities' severity, they defined the overall security risk level of the IT infrastructure as medium. The actionable recommendations in the report helped the Customer promptly mitigate the security risks and better protect its assets.
Seeing the Customer's satisfaction with the service quality, one of the company’s subsidiaries plans to engage ScienceSoft in its own security project.
Technologies and Tools
Metasploit, Wireshark, Nessus, BurpSuite, Acunetix, Nmap, DirB, SSLScan, SSHScan, ike-scan, Hydra, Telnet, Swaks, custom scripts in Python, C, and Perl.