Common vulnerabilities you expose during engagements

Viewing 11 reply threads
  • Author
    Posts
    • #8298
      cb122
      Participant

      When you conduct your network security assessments for your clients, are there any very common security weaknesses you come across in most of your client networks? I always find it intriguing to gauge the common sorts of security issues found in most networks. I’d hazard a guess that most serious network administrators will proactively run vulnerability assessment tools themselves, prior (and ideally on regular schedules) to an external security firm coming in and doing their independent there review. I just wondered if there are common security issues and vulnerabilities you come up against again and again in your reviews? Any tales and feedback most welcome.
      Thanks

    • #52252
      dynamik
      Participant

      • Blank/Weak admin creds for SQL Server and Tomcat
      • Still regularly see MS08-67 and NT4
      • MitM attacks – ARP poisoning, name response spoofing, etc.
      • Default credentials on web apps and devices
      • Tons of random third-party applications that fall through the patching cracks
      • VxWorks Memory disclosure is on about half of the assessments I do

      I need to get going for my flight, but those are the ones that come to mind when I think of what I see over and over and over and over.

    • #52253
      ziggy_567
      Participant

      SSL issues are very common as well. They’re not super-sexy, remotely exploitable….but there still out there.

    • #52254
      cd1zz
      Participant

      What AJ said but in addition:

      – Sync’d local admin pws
      – Lots of LM hashing in use
      – Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

    • #52255
      BillV
      Participant

      Same as each of those guys above have said, lots of it. Couple more…

      – We commonly see default DRAC credentials in larger environments.
      – Default SNMP strings (public and private)
      – Open network shares with sensitive information
      – Unauthenticated VNC
      – Insecure protocols (clear text… telnet, ftp, r stuff)

    • #52256
      hayabusa
      Participant

      Another one I’ve seen quite frequently, lately, is WSDL issues

      – information disclosure, up to and including full LDAP administrative credentials and passwords from a WSDL request that wasn’t made unavailable to ‘joe average user’

    • #52257
      Phillip Wylie
      Participant

      @hayabusa wrote:

      Another one I’ve seen quite frequently, lately, is WSDL issues

      – information disclosure, up to and including full LDAP administrative credentials and passwords from a WSDL request that wasn’t made unavailable to ‘joe average user’

      Speaking of WSDL, here’s an article about using a Burp WSDL plugin; http://www.netspi.com/blog/2013/03/05/hacking-web-services-with-burp/

    • #52258
      cd1zz
      Participant

      Weak passwords have already been mentioned…. I have pretty good success taking about 10 common passwords and spraying them across ALL the services I discover. Vmware, vnc, SMB, telnet, ssh…. everything…. In large environments, I usually hit at least one, which is typically the first step in total pwnag3 because of all the stuff already mentioned. Defense is hard. Glad I’m on offense.

    • #52259
      dynamik
      Participant

      @cd1zz wrote:

      What AJ said but in addition:

      – Sync’d local admin pws
      – Lots of LM hashing in use
      – Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

      There’s a group policy that disallows network authentication for the local users specified. We typically make organization’s roll that out after we’ve run a train on them using those techniques. It ruins everything for us or whoever the next year, but it’s simple and effective. Disallowing delegation for privileged accounts is huge too.

      Another fun one is if they’re setting the local admin’s password via group policy preferences and you get a standard domain user account. You can read the groups.xml on the domain controller and there are scripts floating around that’ll decrypt the encrypted password in it because Microsoft disclosed the key they used.

      Edit: http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html

    • #52260
      cd1zz
      Participant

      That’s a cool idea and I think that would work well with what I usually recommend…. which is to implement GPO based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

      I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

      I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

    • #52261
      cb122
      Participant

      Many thanks to you all.

    • #52262
      dynamik
      Participant

      @cd1zz wrote:

      That’s a cool idea and I think that would work well with what I usually recommend…. which is to implement GPO based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

      I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

      I’ve personally had a difficult time getting people to implement client-side firewall changes. There’s always a ton of push-back. I don’t know if the sys admins just aren’t as comfortable on the network side or what the deal is, but something that should be simple always seems to break everything. That’s definitely a good strategy when implemented properly though.

      With the network logon GPO, there’s a corresponding one that disallows RDP for specified users, which is necessary since that’s treated as an interactive logon, not a network logon. On the attacking side, that obviously requires cracking the hash instead of passing it, but it’s not like that doesn’t happen frequently 🙂 Again, disabling the service or client-side firewalls could address that as well. I guess a blanket GPO is a good safety net.

      @cd1zz wrote:

      I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

      I’ve never used it personally, but it’s one I suggest be researched for anyone looking at enterprise password management. I saw one that did something similar, but it only changed after it was checked out by a user, effectively providing one-time passwords. The ManageEngine utility looks promising too. It even supports multi-factor, so you need a phone or RSA token in order to check out passwords.

Viewing 11 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?