
Common vulnerabilities you expose during engagements


cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Thu Mar 14, 2013 6:23 am

Common vulnerabilities you expose during engagements

When you conduct your network security assessments for your clients, are there any very common security weaknesses you come across in most of your client networks? I always find it intriguing to gauge the common sorts of security issues found in most networks. I’d hazard a guess that most serious network administrators will proactively run vulnerability assessment tools themselves, prior (and ideally on regular schedules) to an external security firm coming in and doing their independent review. I just wondered if there are common security issues and vulnerabilities you come up against again and again in your reviews? Any tales and feedback most welcome.
Thanks

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Mar 14, 2013 7:20 am

Re: Common vulnerabilities you expose during engagements

  • Blank/Weak admin creds for SQL Server and Tomcat
  • Still regularly see MS08-067 and NT4
  • MitM attacks - ARP poisoning, name response spoofing, etc.
  • Default credentials on web apps and devices
  • Tons of random third-party applications that fall through the patching cracks
  • VxWorks Memory disclosure is on about half of the assessments I do

I need to get going for my flight, but those are the ones that come to mind when I think of what I see over and over and over and over.
The day you stop learning is the day you start becoming obsolete.

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Mar 14, 2013 8:20 am

Re: Common vulnerabilities you expose during engagements

SSL issues are very common as well. They're not super-sexy, remotely exploitable... but they're still out there.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Mar 14, 2013 8:45 am

Re: Common vulnerabilities you expose during engagements

What AJ said but in addition:

- Sync'd local admin pws
- Lots of LM hashing in use
- Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Mar 14, 2013 9:33 am

Re: Common vulnerabilities you expose during engagements

Same as each of those guys above has said, lots of it. Couple more...

- We commonly see default DRAC credentials in larger environments.
- Default SNMP strings (public and private)
- Open network shares with sensitive information
- Unauthenticated VNC
- Insecure protocols (clear text... telnet, ftp, r stuff)

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Mar 14, 2013 10:05 am

Re: Common vulnerabilities you expose during engagements

Another one I've seen quite frequently, lately, is WSDL issues

- information disclosure, up to and including full LDAP administrative credentials and passwords from a WSDL request that wasn't made unavailable to 'joe average user'
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

rockman

Full Member

Posts: 104

Joined: Sun Apr 06, 2008 12:38 pm

Post Thu Mar 14, 2013 10:24 am

Re: Common vulnerabilities you expose during engagements

hayabusa wrote:
Another one I've seen quite frequently, lately, is WSDL issues

- information disclosure, up to and including full LDAP administrative credentials and passwords from a WSDL request that wasn't made unavailable to 'joe average user'

Speaking of WSDL, here's an article about using a Burp WSDL plugin: http://www.netspi.com/blog/2013/03/05/h ... with-burp/
CISSP, IAM, working on OSCP

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Mar 14, 2013 10:55 am

Re: Common vulnerabilities you expose during engagements

Weak passwords have already been mentioned.... I have pretty good success taking about 10 common passwords and spraying them across ALL the services I discover. VMware, VNC, SMB, telnet, SSH.... everything.... In large environments, I usually hit at least one, which is typically the first step in total pwnag3 because of all the stuff already mentioned. Defense is hard. Glad I'm on offense.
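A detection-side counterpart to the post above, added here as an example (it is not code from the thread): it correlates failed logons across services by source address and flags a source that fails against many distinct accounts with only a few tries each, the pattern that per-account lockout never catches. The log shape, addresses, services and account names are all constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records from several services, reduced to
# "timestamp service source account" (not any vendor's native log format).
# 10.0.5.23 tries one guess against many accounts; 10.0.9.9 hammers one account.
SAMPLE_FAILURES = """\
2013-03-14T09:00:01 smb 10.0.5.23 alice
2013-03-14T09:00:02 smb 10.0.5.23 bob
2013-03-14T09:00:03 ssh 10.0.5.23 carol
2013-03-14T09:00:04 vnc 10.0.5.23 dave
2013-03-14T09:00:05 telnet 10.0.5.23 erin
2013-03-14T09:00:06 vmware 10.0.5.23 frank
2013-03-14T09:05:00 ssh 10.0.9.9 alice
2013-03-14T09:05:07 ssh 10.0.9.9 alice
2013-03-14T09:05:15 ssh 10.0.9.9 alice
2013-03-14T09:05:20 ssh 10.0.9.9 alice
2013-03-14T09:05:31 ssh 10.0.9.9 alice
2013-03-14T09:05:45 ssh 10.0.9.9 alice
"""

def parse_failures(text):
    events = []
    for line in text.splitlines():
        ts, service, src, account = line.split()
        events.append((datetime.fromisoformat(ts), service, src, account))
    return events

def detect_spray(events, window=timedelta(minutes=15), min_accounts=5, max_per_account=3):
    """Flag a source that fails against many distinct accounts with only a few
    tries each inside one window. Per-account lockout thresholds never fire on
    this pattern, so the correlation has to be done across accounts and services."""
    by_src = defaultdict(list)
    for ts, service, src, account in events:
        by_src[src].append((ts, service, account))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        for start in range(len(evs)):
            end = start
            while end + 1 < len(evs) and evs[end + 1][0] - evs[start][0] <= window:
                end += 1
            chunk = evs[start:end + 1]
            per_account = Counter(a for _, _, a in chunk)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts.append({"source": src, "accounts": len(per_account),
                               "services": sorted({s for _, s, _ in chunk})})
                break  # one alert per source
    return alerts
```

The single-account brute force from 10.0.9.9 is deliberately left for the ordinary lockout threshold; this logic only reports the cross-account, cross-service pattern.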

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Mar 14, 2013 5:26 pm

Re: Common vulnerabilities you expose during engagements

cd1zz wrote:
What AJ said but in addition:

- Sync'd local admin pws
- Lots of LM hashing in use
- Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

There's a group policy that disallows network authentication for the local users specified. We typically make organizations roll that out after we've run a train on them using those techniques. It ruins everything for us, or whoever, the next year, but it's simple and effective. Disallowing delegation for privileged accounts is huge too.

Another fun one is if they're setting the local admin's password via group policy preferences and you get a standard domain user account. You can read the groups.xml on the domain controller and there are scripts floating around that'll decrypt the encrypted password in it because Microsoft disclosed the key they used.

Edit: http://carnal0wnage.attackresearch.com/ ... tting.html
Last edited by dynamik on Thu Mar 14, 2013 5:35 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
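An added audit example for the groups.xml point in the post above (my own code, not from the thread or from Microsoft): walk a SYSVOL share or an offline copy of it and flag every Group Policy Preferences XML element that still carries a cpassword attribute, so the offending GPO can be retired and the account's password rotated. The sample Groups.xml, its GUIDs, the GPO folder names and the cpassword value are constructed placeholders; nothing is decrypted.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml in the shape Group Policy Preferences writes under
# Policies\{GPO-GUID}\Machine\Preferences\Groups\. GUIDs and the cpassword
# value are placeholders, not real values.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-00000000000A}">
  <User clsid="{00000000-0000-0000-0000-00000000000B}" name="Administrator (built-in)"
        changed="2013-03-01 10:00:00" uid="{00000000-0000-0000-0000-00000000000C}">
    <Properties action="U" cpassword="PLACEHOLDER_ENCRYPTED_BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

# Attribute names GPP uses for the account that a cpassword belongs to
# (Groups, Services, ScheduledTasks, DataSources and Drives preference files).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_gpp_cpasswords(sysvol_root):
    """Walk a SYSVOL tree (or an offline copy) and report every XML element that
    still carries a cpassword attribute, whichever preference file it lives in."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML, so not a GPP preference file
            for elem in root.iter():
                if elem.get("cpassword") is None:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                findings.append({"file": path, "element": elem.tag, "account": account})
    return findings

def demo():
    # Build a throwaway SYSVOL fragment: one GPO with a cpassword, one clean.
    with tempfile.TemporaryDirectory() as tmp:
        for gpo, xml in (("{GPO-WITH-CPASSWORD}", SAMPLE_GROUPS_XML),
                         ("{CLEAN-GPO}", SAMPLE_GROUPS_XML.replace(' cpassword="PLACEHOLDER_ENCRYPTED_BLOB"', ""))):
            d = os.path.join(tmp, "Policies", gpo, "Machine", "Preferences", "Groups")
            os.makedirs(d)
            with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as f:
                f.write(xml)
        return find_gpp_cpasswords(tmp)
```

Point find_gpp_cpasswords() at \\domain\SYSVOL\domain\Policies (or a copy of it) to run it against a real environment; any hit means the password is readable by every domain user and must be treated as compromised.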

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Mar 14, 2013 7:30 pm

Re: Common vulnerabilities you expose during engagements

That's a cool idea and I think that would work well with what I usually recommend.... which is to implement GPO-based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Fri Mar 15, 2013 7:31 am

Re: Common vulnerabilities you expose during engagements

Many thanks to you all.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Mar 15, 2013 9:57 am

Re: Common vulnerabilities you expose during engagements

cd1zz wrote:
That's a cool idea and I think that would work well with what I usually recommend.... which is to implement GPO-based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I've personally had a difficult time getting people to implement client-side firewall changes. There's always a ton of push-back. I don't know if the sys admins just aren't as comfortable on the network side or what the deal is, but something that should be simple always seems to break everything. That's definitely a good strategy when implemented properly though.

With the network logon GPO, there's a corresponding one that disallows RDP for specified users, which is necessary since that's treated as an interactive logon, not a network logon. On the attacking side, that obviously requires cracking the hash instead of passing it, but it's not like that doesn't happen frequently :) Again, disabling the service or client-side firewalls could address that as well. I guess a blanket GPO is a good safety net.

cd1zz wrote:
I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

I've never used it personally, but it's one I suggest be researched for anyone looking at enterprise password management. I saw one that did something similar, but it only changed after it was checked out by a user, effectively providing one-time passwords. The ManageEngine utility looks promising too. It even supports multi-factor, so you need a phone or RSA token in order to check out passwords.
The day you stop learning is the day you start becoming obsolete.
