UICC Network Security Test Report 2 Interpretation.docx

2015 Communication Card Network Security Test Report

广东楚天龙智能卡有限公司 (Guangdong Chutianlong Smart Card Co., Ltd.)

2015/6/1

1. Purpose

This document addresses the PCI CP standard's requirement for internal and external network penetration testing, for which the company carried out a penetration test within its high-security network. It explains the content and scope of the penetration test, the personnel involved, and its results.

2. Scope

Under the requirements of the PCI CP logical standard, a card production facility must perform internal and external penetration tests in the high-security network every year, or whenever there is a major change to the network. The scope of this penetration test is limited to the personalization network, to ensure that cardholder information in the personalization network remains secure.

3. Referenced standard

This internal and external penetration test follows the standards and recommendations of the US NIST SP 800-155. The following is drawn from that standard:

Planning phase: In the planning phase, the company appoints internal IT staff as approved penetration testers, and the CISO leads the penetration test team in carrying out the internal and external tests. The IT staff must understand the penetration testing tools and have the technical knowledge needed to ensure the accuracy of the tests.

Network discovery phase: In the network discovery phase, the testers use network discovery and vulnerability scanning tools (Nmap, Nessus, Nexpose, etc.) to scan the entire network segment, to establish the live state of the network and the vulnerabilities on its servers and firewalls. The vulnerability scanners used cover the following:

- Injection Flaws (e.g., SQL Injection)
- Buffer overflow
- Insecure cryptographic storage
- Improper error handling
- All other discovered network vulnerabilities.

Attack phase: In the attack phase, the testers take the vulnerability report produced by the scanners and carry out attacks with a penetration testing tool (the Metasploit Framework bundled with Kali Linux). The attacks are carried out in a passive manner, to ensure that they do not damage the servers or firewalls.

Reporting phase: In the reporting phase, the testers analyze all the results accumulated in the preceding phases. The analysis uses the following table as its standard:

The table above sets the likelihood of a real attack against the resulting loss to determine the risk rating. The risk ratings are defined as follows:

High: The risk can be exploited easily and causes direct business or technical damage.

Medium: Exploiting the risk may require a person with a low level of technical skill and may cause business or technical damage.

Low: Exploiting the risk may require a person with a medium or high level of technical skill and may cause a small amount of business and technical damage.

4. Network structure

The network structure for this penetration test is as follows:

5. Network discovery summary

The following is a summary of the network discovery:

Network segment: 192.168.2.0

| IP address | Operating system | Risk score | Server/firewall name |
|---|---|---|---|
| 192.168.2.2 | Microsoft Windows Server 2008 | 0 | logserver |
| 192.168.2.3 | Microsoft Windows Server 2008 | 0 | FTPserver |
| 192.168.2.253 | Unknown | 0 | |
| 192.168.2.254 | Unknown | 0 | |

Network segment: 192.168.3.0

| IP address | Operating system | Risk score | Server/firewall name |
|---|---|---|---|
| 192.168.3.12 | Microsoft Windows Server 2008 | 535 | SQLserver |
| 192.168.3.10 | Microsoft Windows Server 2008 | 535 | ADC |
| 192.168.3.2 | Aerohive embedded 3.4 | 195 | BACKUPAD |
| 192.168.3.11 | Microsoft Windows Server 2008 | 195 | |
| 192.168.3.14 | Microsoft Windows Server 2008 | 0 | |
| 192.168.3.17 | Linux 2.6.9 | 0 | |
| 192.168.3.13 | Linux 2.6.24 | 0 | |
| 192.168.3.21 | Microsoft Windows Server 2008 | 0 | |
| 192.168.3.23 | Microsoft Windows Vista | 0 | |
| 192.168.3.16 | Microsoft Windows Server 2008 | 0 | BACKUPFILE |
| 192.168.3.22 | Microsoft Windows Server 2008 | 0 | |
| 192.168.3.50 | Microsoft Windows Server 2008 | 0 | |
| 192.168.3.1 | Linux 2.6.38 | 0 | |
| 192.168.3.15 | Microsoft Windows Server 2008 | 0 | backupdb |
| 192.168.3.18 | Unknown | 0 | |

Network segment: 192.168.4.0

| IP address | Operating system | Risk score | Server/firewall name |
|---|---|---|---|
| 192.168.4.102 | Microsoft Windows Server 2008 | 535 | |
| 192.168.4.124 | Microsoft Windows Server 2008 | 535 | |
| 192.168.4.121 | Microsoft Windows Server 2008 | 535 | |
| 192.168.4.104 | Microsoft Windows Server 2008 | 535 | |
| 192.168.4.103 | Microsoft Windows Server 2008 | 535 | |
| 192.168.4.111 | Microsoft Windows Vista | 0 | GRH-K01 |
| 192.168.4.112 | Microsoft Windows Server 2008 | 0 | |
| 192.168.4.115 | Microsoft Windows Server 2008 | 0 | |
| 192.168.4.106 | Microsoft Windows 7.5 | 0 | |
| 192.168.4.1 | FreeBSD 7.0-CURRENT | 0 | |
| 192.168.4.105 | Microsoft Windows Server 2008 | 0 | GRH-GDSMJ |

Public address: 120.86.69.81

| IP address | Operating system | Risk score | Server/firewall name |
|---|---|---|---|
| 120.86.69.81 | Unknown | 0 | |

6. Vulnerability details

The following are the details of the vulnerabilities:

External vulnerability scan (no vulnerabilities found; see the vulnerability scan report for details)

Internal vulnerability scan (medium and high severity; for low-severity details, see the vulnerability scan report):

| IP address | Severity | Vulnerability description | Solution | CISO comment |
|---|---|---|---|---|
| 192.168.2.2 | Medium | The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time. This information could theoretically be used against some systems to exploit weak time-based random number generators in other services. In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP timestamp requests. | Disable ICMP timestamp responses: Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response). | |
| 192.168.2.3 | Medium | The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time. This information could theoretically be used against some systems to exploit weak time-based random number generators in other services. In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP timestamp requests. | Disable ICMP timestamp responses: Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response). | |
| 192.168.3.10 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |
| 192.168.3.12 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |
| 192.168.3.11 | High | TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. | Enable TCP MD5 Signatures: Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security attacks on BGP, such as TCP resets. | |
| 192.168.3.2 | High | TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. | Enable TCP MD5 Signatures: Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security attacks on BGP, such as TCP resets. | |
| 192.168.4.102 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |
| 192.168.4.103 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |
| 192.168.4.104 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |
| 192.168.4.121 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |
| 192.168.4.124 | High | The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms. | Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. | |

7. Penetration test details

Vulnerability name: MS08-037: Vulnerabilities in DNS Could Allow Spoofing (
