AlaaCrypt Solutions
Security Assessment Findings Report
Business Confidential
Date: Sept 19, 2023
Project: 001-23
Version 1.0
AlaaCrypt Solutions – 001-23
BUSINESS CONFIDENTIAL
Copyright © AlaaCrypt Solutions (alaacrypt.com)
Page 1 of 14
Table of Contents
Table of Contents  2
Confidentiality Statement  3
Disclaimer  3
Contact Information  3
Assessment Overview  4
  Assessment Components  4
    External Penetration Test  4
Finding Severity Ratings  5
Scope  6
  Scope Exclusions  6
  Client Allowances  6
Executive Summary  7
  Attack Summary  7
Security Strengths  8
  SIEM alerts of vulnerability scans  8
Security Weaknesses  8
  Missing Multi-Factor Authentication  8
  Weak Password Policy  8
  Unrestricted Logon Attempts  8
Vulnerabilities by Impact  9
External Penetration Test Findings  10
  Insufficient Lockout Policy – Outlook Web App (Critical)  10
  Additional Reports and Scans (Informational)  13
Confidentiality Statement
This document is the exclusive property of AlaaCrypt Solutions (ACS) and TCM Security (TCMS). This
document contains proprietary and confidential information. Duplication, redistribution, or use, in
whole or in part, in any form, requires consent of both ACS and TCMS.
TCMS may share this document with auditors under non-disclosure agreements to demonstrate
penetration test requirement compliance.
Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the
information gathered during the assessment and not any changes or modifications made outside of
that period.
Time-limited engagements do not allow for a full evaluation of all security controls. TCMS prioritized
the assessment to identify the weakest security controls an attacker would exploit. TCMS
recommends conducting similar assessments on an annual basis by internal or third-party
assessors to ensure the continued success of the controls.
Contact Information
Name | Title | Contact Information
AlaaCrypt Solutions
Alaa Alomary | VP, Information Security (CISO) | Office: - / Email: -
Jim Smith | IT Manager | Office: - / Email: -
Joe Smith | Network Engineer | Office: - / Email: -
TCM Security
Heath Adams | Lead Penetration Tester | Office: - / Email: -
Bob Adams | Penetration Tester | Office: - / Email: -
Rob Adams | Account Manager | Office: - / Email: -
Assessment Overview
From May 20th, 2023 to May 29th, 2023, ACS engaged TCMS to evaluate the security posture of its
infrastructure against current industry best practices; the engagement consisted of an external
penetration test. All testing performed is based on the NIST SP 800-115 Technical Guide to Information
Security Testing and Assessment, the OWASP Testing Guide (v4), and customized testing frameworks.
Phases of penetration testing activities include the following:
Planning – Customer goals are gathered and rules of engagement obtained.
Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak
areas, and exploits.
Attack – Confirm potential vulnerabilities through exploitation and perform additional
discovery upon new access.
Reporting – Document all found vulnerabilities and exploits, failed attempts, and company
strengths and weaknesses.
Assessment Components
External Penetration Test
An external penetration test emulates the role of an attacker attempting to gain access to an
internal network without internal resources or inside knowledge. A TCMS engineer attempts to
gather sensitive information through open-source intelligence (OSINT), including employee
information, historical breached passwords, and more that can be leveraged against external
systems to gain internal network access. The engineer also performs scanning and enumeration to
identify potential vulnerabilities in hopes of exploitation.
Finding Severity Ratings
The following table defines levels of severity and corresponding CVSS score range that are used
throughout the document to assess vulnerability and risk impact.
Severity | CVSS V3 Score Range | Definition
Critical | 9.0-10.0 | Exploitation is straightforward and usually results in system-level compromise. It is advised to form a plan of action and patch immediately.
High | 7.0-8.9 | Exploitation is more difficult but could cause elevated privileges and potentially a loss of data or downtime. It is advised to form a plan of action and patch as soon as possible.
Moderate | 4.0-6.9 | Vulnerabilities exist but are not exploitable or require extra steps such as social engineering. It is advised to form a plan of action and patch after high-priority issues have been resolved.
Low | 0.1-3.9 | Vulnerabilities are non-exploitable but would reduce an organization’s attack surface. It is advised to form a plan of action and patch during the next maintenance window.
Informational | N/A | No vulnerability exists. Additional information is provided regarding items noticed during testing, strong controls, and additional documentation.
Scope
Assessment | Details
External Penetration Test | -/24, -/24
Full scope information is provided in “AlaaCrypt Solutions–001-23 Full Findings.xslx”.
Scope Exclusions
Per client request, TCMS did not perform any Denial of Service attacks during testing.
Client Allowances
ACS did not provide any allowances to assist the testing.
Executive Summary
TCMS evaluated ACS’s external security posture through an external network penetration test from
May 20th, 2023 to May 29th, 2023. By leveraging a series of attacks, TCMS found critical-level
vulnerabilities that allowed full internal network access to the ACS headquarters office. It is highly
recommended that ACS address these vulnerabilities as soon as possible, as they are easily found
through basic reconnaissance and exploitable without much effort.
Attack Summary
The following table describes how TCMS gained internal network access, step by step:
Step 1
Action: Obtained historical breached account credentials to leverage against all company login
pages.
Recommendation: Discourage employees from using work e-mails and usernames as login credentials
to other services unless necessary.

Step 2
Action: Attempted a “credential stuffing” attack against Outlook Web Access (OWA), which was
unsuccessful. However, OWA provided username enumeration, which allowed TCMS to gather a list of
valid usernames to leverage in further attacks.
Recommendation: Synchronize valid and invalid account messages.

Step 3
Action: Performed a “password spraying” attack against OWA using the usernames discovered in
step 2. TCMS used the password Summer2018! (season + year + special character) against all valid
accounts and gained access into the OWA application.
Recommendation: OWA permitted authentication with valid credentials alone. TCMS recommends ACS
implement Multi-Factor Authentication (MFA) on all external services. OWA permitted unlimited login
attempts. TCMS recommends ACS restrict logon attempts against their service. TCMS recommends an
improved password policy of: 1) 14 characters or longer; 2) use different passwords for each
account accessed; 3) do not use words and proper names in passwords, regardless of language.
Additionally, TCMS recommends that ACS train employees on how to create a proper password.

Step 4
Action: Leveraged valid credentials to log into the VPN.
Recommendation: OWA permitted authentication with valid credentials alone. TCMS recommends ACS
implement Multi-Factor Authentication (MFA) on all external services.
Security Strengths
SIEM alerts of vulnerability scans
During the assessment, the ACS security team alerted TCMS engineers that it had detected vulnerability
scanning against their systems. The team identified the TCMS engineer’s attacker IP address within
minutes of scanning and was able to blacklist TCMS from further scanning actions.
Security Weaknesses
Missing Multi-Factor Authentication
TCMS leveraged multiple attacks against ACS login forms using valid credentials harvested through
open-source intelligence. Successful logins included employee e-mail accounts through Outlook
Web Access and internal access via Active Directory login on the VPN. The use of multi-factor
authentication would have prevented full access and required TCMS to utilize additional attack
methods to gain internal network access.
Weak Password Policy
TCMS successfully performed password guessing attacks against ACS login forms, providing
internal network access. A predictable password format of Summer2018! (season + year + special
character) was attempted and successful.
Unrestricted Logon Attempts
During the assessment, TCMS performed multiple brute-force attacks against login forms found on
the external network. For all logins, unlimited attempts were allowed, which permitted an eventual
successful login on the Outlook Web Access application.
Vulnerabilities by Impact
The following chart illustrates the vulnerabilities found by impact:
[Chart: Vulnerabilities by Impact. Categories: Critical, High, Moderate, Low; count axis from 0 to 5.]
External Penetration Test Findings
Insufficient Lockout Policy – Outlook Web App (Critical)
Description: ACS allowed unlimited logon attempts against their Outlook Web App (OWA) services. This
configuration allowed brute-force and password guessing attacks, which TCMS used to gain access to
ACS’s internal network.
Impact: Critical
System: -
References:
NIST SP800-53r4 AC-17 - Remote Access
NIST SP800-53r4 AC-7(1) - Unsuccessful Logon Attempts | Automatic Account Lock
Exploitation Proof of Concept
TCMS gathered historical breached data found in credential dumps. The data amounted to 868
total account credentials. (Note: A full list of compromised accounts can be found in “AlaaCrypt
Solutions–001-23 Full Findings.xslx”.)
Figure 1: Sample list of breached user credentials
TCMS used the gathered credentials to perform a credential stuffing attack against the OWA login
page. Credential stuffing attacks take previously known credentials and attempt to use them on
login forms to gain access to company resources. TCMS was unsuccessful in the attack but was
able to gather additional sensitive information from the OWA server in the form of username
enumeration.
Figure 2: OWA username enumeration
TCMS gathered the valid usernames and performed a password spraying attack. A password
spraying attack attempts a small number of common passwords against many known usernames in
hopes of gaining access to company resources. TCMS attempted the common password Summer2018!
(season + year + special character) against all known valid usernames. One username returned a
successful login:
Figure 3: Successful OWA Login
TCMS leveraged the valid credentials to log into the client VPN portal and gain access to the
internal network.
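The spray described above has a recognizable shape in authentication logs, and the following detection logic is added here as an example of what a SIEM rule for it would check; it is not part of the TCMS report, and the log format, IP addresses and usernames are constructed sample data.

```python
"""Password-spray detection over authentication logs (added example, not part
of the TCMS report; log format, IPs and usernames are constructed). A spray is
one source failing against many distinct accounts, each tried only once or
twice, inside a short window; a brute force on one account is not flagged."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>SUCCESS|FAIL)")
SPRAY_MIN_USERS = 5                   # distinct accounts failed from one source ...
SPRAY_WINDOW = timedelta(minutes=30)  # ... within this span ...
SPRAY_MAX_PER_USER = 2                # ... and no account tried more often than this

def parse(lines):
    """Yield (timestamp, src, user, result) for lines in the constructed format."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["src"], m["user"], m["res"]

def detect_spray(lines):
    """Return {src: sorted accounts that src later logged into} for each spraying source."""
    by_src = defaultdict(list)
    for ts, src, user, res in sorted(parse(lines)):
        by_src[src].append((ts, user, res))
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        if not fails or fails[-1][0] - fails[0][0] > SPRAY_WINDOW:
            continue
        per_user = defaultdict(int)
        for _, u in fails:
            per_user[u] += 1
        if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            findings[src] = sorted({u for _, u, r in evs if r == "SUCCESS"})
    return findings

# Constructed sample: 203.0.113.7 sprays five accounts and gets into a sixth;
# 198.51.100.9 is a single user mistyping their own password once.
SAMPLE_LOG = [
    "2023-05-24T10:01:03Z src=203.0.113.7 user=user01 result=FAIL",
    "2023-05-24T10:01:04Z src=203.0.113.7 user=user02 result=FAIL",
    "2023-05-24T10:01:05Z src=203.0.113.7 user=user03 result=FAIL",
    "2023-05-24T10:01:06Z src=203.0.113.7 user=user04 result=FAIL",
    "2023-05-24T10:01:07Z src=203.0.113.7 user=user05 result=FAIL",
    "2023-05-24T10:01:09Z src=203.0.113.7 user=user07 result=SUCCESS",
    "2023-05-24T10:05:00Z src=198.51.100.9 user=user08 result=FAIL",
    "2023-05-24T10:05:30Z src=198.51.100.9 user=user08 result=SUCCESS",
]
```

Running `detect_spray(SAMPLE_LOG)` flags only 203.0.113.7 and names user07 as the account it subsequently reached; the single mistyped login from 198.51.100.9 is left alone.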
Remediation
Who: IT Team
Vector: Remote
Action:
Item 1: VPN and OWA login with valid credentials did not require Multi-Factor
Authentication (MFA). TCMS recommends ACS implement and enforce MFA
across all external-facing login services.
Item 2: OWA permitted unlimited login attempts. TCMS recommends ACS
restrict logon attempts against their service.
Item 3: ACS permitted a successful login via a password spraying attack,
signifying a weak password policy. TCMS recommends the following password
policy, per the Center for Internet Security (CIS):
- 14 characters or longer
- Use different passwords for each account accessed
- Do not use words and proper names in passwords, regardless of language
Item 4: OWA permitted user enumeration. TCMS recommends ACS synchronize
valid and invalid account messages.
Additionally, TCMS recommends that ACS:
- Train employees on how to create a proper password
- Check employee credentials against known breached passwords
- Discourage employees from using work e-mails and usernames as login
credentials to other services unless absolutely necessary
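Items 2 and 4 above are enforced together in the login gate below, added here as an illustration and not taken from ACS or TCMS; the user store, usernames, passwords and lockout thresholds are constructed sample values.

```python
"""Login gate enforcing remediation Items 2 and 4 on a constructed user store.
Added example, not ACS or TCMS code; all names, passwords and thresholds are
constructed sample values."""
from collections import defaultdict, deque
import hashlib
import hmac

GENERIC_FAILURE = "Invalid username or password."  # one message for every failure (Item 4)
MAX_FAILURES = 5           # failed attempts tolerated per account ...
WINDOW_SECONDS = 15 * 60   # ... inside this sliding window (Item 2)
LOCKOUT_SECONDS = 30 * 60  # how long a locked account stays locked


def _pwhash(password: str) -> str:
    # Sample store only; a real deployment uses a salted, slow KDF such as bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store: username -> password hash.
USERS = {"user01": _pwhash("Summer2018!"), "user02": _pwhash("correct horse battery staple")}


class LoginGate:
    def __init__(self) -> None:
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.locked_until: dict[str, float] = {}

    def _record_failure(self, user: str, now: float) -> None:
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS

    def attempt(self, user: str, password: str, now: float) -> tuple[bool, str]:
        stored = USERS.get(user)
        # Hash even when the user is unknown so response time does not reveal whether
        # the account exists (Item 4); compare_digest is a constant-time comparison.
        candidate = _pwhash(password)
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        locked = self.locked_until.get(user, 0.0) > now
        if locked or not ok:
            # Unknown user, wrong password and locked account all take the same path
            # and receive the same message, so the form cannot be used to enumerate.
            self._record_failure(user, now)
            return False, GENERIC_FAILURE
        self.failures.pop(user, None)   # successful login clears the failure history
        return True, "Welcome"
```

A locked account rejects even the correct password until `LOCKOUT_SECONDS` have passed, and the rejection reads exactly like a wrong password for a non-existent user.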
Additional Reports and Scans (Informational)
TCMS provides all clients with all report information gathered during testing. This includes
vulnerability scans and a detailed findings spreadsheet. For more information, please see the
following documents:
AlaaCrypt Solutions–001-23 Full Findings.xslx
AlaaCrypt Solutions–001-23 Vulnerability Scan Summary.xslx
AlaaCrypt Solutions–001-23 Vulnerability Scan by Host.pdf
Last Page