• Blank/Weak admin creds for SQL Server and Tomcat
• Still regularly see MS08-67 and NT4
• MitM attacks - ARP poisoning, name response spoofing, etc.
• Default credentials on web apps and devices
• Tons of random third-party applications that fall through the patching cracks
• VxWorks Memory disclosure is on about half of the assessments I do

I need to get going for my flight, but those are the ones that come to mind when I think of what I see over and over and over and over.

What AJ said but in addition:

 - Sync'd local admin pws
 - Lots of LM hashing in use
 - Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

Another one I've seen quite frequently, lately, is WSDL issues

- information disclosure, up to and including full LDAP administrative credentials and passwords from a WSDL request that wasn't made unavailable to 'joe average user'

Weak passwords have already been mentioned.... I have pretty good success taking about 10 common passwords and spraying them across ALL the services I discover. Vmware, vnc, SMB, telnet, ssh.... everything.... In large environments, I usually hit at least one, which is typically the first step in total pwnag3 because of all the stuff already mentioned. Defense is hard. Glad I'm on offense.

That's a cool idea and I think that would work well with what I usually recommend.... which is to implement GPO based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

I've personally had a difficult time getting people to implement client-side firewall changes. There's always a ton of push-back. I don't know if the sys admins just aren't as comfortable on the network side or what the deal is, but something that should be simple always seems to break everything. That's definitely a good strategy when implemented properly though.

With the network logon GPO, there's a corresponding one that disallows RDP for specified users, which is necessary since that's treated as an interactive logon, not a network logon. On the attacking side, that obviously requires cracking the hash instead of passing it, but it's not like that doesn't happen frequently Again, disabling the service or client-side firewalls could address that as well. I guess a blanket GPO is a good safety net.


I've never used it personally, but it's one I suggest be researched for anyone looking at enterprise password management. I saw one that did something similar, but it only changed after it was checked out by a user, effectively providing one-time passwords. The ManageEngine utility looks promising too. It even supports multi-factor, so you need a phone or RSA token in order to check out passwords.