You’re handing over the keys to the kingdom – How hackers gain complete control of your network, and it has nothing to do with ransomware.
When Redbot Security performs our Manual Controlled Penetration Testing (MCPT) for network security, we begin with a discovery phase. Part of this phase is a full port scan of the external IP addresses, to confirm that only the intended ports and services are exposed to the Internet. During exploitation we use custom, proprietary scripts against vulnerabilities that are more complex to exploit (contact us to discuss our methodology). When we pivot to internal network testing, we typically work from an assumed-breach position: sitting on the internal network via VPN access, simulating a compromised workstation.
Let’s explore some of the more common exploitable vulnerabilities that Redbot Security finds during the network testing phase. The good news: these common issues are easy to remediate.
During testing it is not uncommon for us to find critical-rated vulnerabilities caused by weak passwords. Even where a company has a strong domain password policy in place (say, a minimum length of 14 characters), a handful of accounts on the network are often still using older passwords. Windows only enforces the policy when a password is changed, so accounts created before the policy was tightened, and whose passwords are set to never expire, keep their easily crackable 8-character passwords indefinitely. Not surprisingly, some of these accounts turn out to be domain administrator accounts, and Redbot Security is often able to crack their passwords within a few days of testing.
Minimum length is not the only setting that matters: the policy’s “minimum password age” is just as important. When the minimum password age is set to 0, a user who is forced to change their password can cycle through as many new passwords as the password history remembers (five, with a history of 5) and land back on their original password, all in the same day. Set the value to 1 or greater so that a user must wait at least one day between changes; this makes cycling back to an old password impractical. Note that the minimum age applies to changes made by the user, not to resets performed by an administrator.
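The audit a practitioner would run after reading the two paragraphs above, as an added example that is not part of the original article: it reads the effective password policy, lists the enabled accounts whose passwords predate the policy or never expire, flags which of those are Domain Admins, and then applies the length, minimum-age and history settings discussed. It assumes the ActiveDirectory RSAT module on a domain-joined host; the policy date is an assumption you should replace with the date your 14-character policy took effect.

```powershell
# Added example, not from the original article: audit the domain password
# policy and list accounts whose passwords predate it or never expire.
# Assumes the ActiveDirectory RSAT module on a domain-joined host; the policy
# date below is an assumption.
Import-Module ActiveDirectory

# 1. The default domain policy. Fine-grained policies (PSOs) override it for
#    the users and groups they apply to, so list those as well.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MinPasswordAge, MaxPasswordAge,
                  PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MinPasswordAge, AppliesTo

# 2. The policy is only enforced when a password is changed. Find enabled
#    accounts whose password was last set before the 14-character policy was
#    introduced, or that are flagged "password never expires".
$policyDate = Get-Date '2023-01-01'   # assumption: when the current policy took effect
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or
                   ($_.PasswordLastSet -and $_.PasswordLastSet -lt $policyDate) }

# 3. Mark the ones that are (directly or through nesting) Domain Admins.
$das = Get-ADGroupMember 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$stale |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
                  @{ n = 'DomainAdmin'; e = { $_.SamAccountName -in $das } } |
    Sort-Object DomainAdmin -Descending | Format-Table -AutoSize

# 4. Fix the policy: 14 characters, a minimum age of one day so the history
#    cannot be cycled in a single sitting, and a 24-entry history.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 14 -MinPasswordAge '1.00:00:00' -PasswordHistoryCount 24

# 5. Make the stale accounts pick a new password at next logon. Review the list
#    first (service accounts may need a scheduled change instead), then drop -WhatIf.
$stale | Set-ADUser -PasswordNeverExpires $false -WhatIf
$stale | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Step 2 is the part most audits miss: changing the policy does nothing to passwords that already exist, so the stale list, not the policy screen, tells you whether the 14-character minimum is actually in force.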
Most companies know that critical vulnerabilities can be resolved simply by applying critical security patches. Yet, more often than not, systems across every client sector are found running obsolete operating systems or missing patches such as the MS17-010 critical security update. A host missing MS17-010 allows Redbot Security to exploit its SMBv1 service, gain local administrator (SYSTEM) access, and dump the cleartext passwords of domain administrator accounts that older versions of Windows keep in the system’s memory.
Operating systems such as Windows XP, Windows 7 and Windows Server 2008 no longer receive security updates from Microsoft. Without patches, any new exploit against these systems keeps working indefinitely, because there is no fix to apply.
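An added example, not from the original article, of how to find the two conditions above from the defender’s side: an inventory of end-of-life Windows builds taken from Active Directory, and a check of whether SMBv1 (the protocol MS17-010 exploits) is still enabled on a host. It assumes the ActiveDirectory RSAT module; the OS name patterns are the strings Windows writes to the computer object, and the list of families is an assumption you can extend.

```powershell
# Added example, not from the original article: list end-of-life Windows
# versions from AD and check/disable SMBv1 on the local host.
# Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# 1. Every enabled computer object whose OS name matches an unsupported family.
#    The operatingSystem attribute holds what the machine reported, e.g.
#    "Windows 7 Professional" or "Windows Server 2008 R2 Standard".
$eolPatterns = 'Windows XP*', 'Windows Vista*', 'Windows 7*',
               'Windows Server 2003*', 'Windows Server 2008*'   # assumption: extend as needed
$eol = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $os = $_.OperatingSystem; $eolPatterns | Where-Object { $os -like $_ } }
$eol | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Sort-Object OperatingSystem | Format-Table -AutoSize

# 2. SMBv1 status on this host. Windows 8 / Server 2012 and later expose it
#    through the SMB cmdlets; Windows 7 / 2008 R2 only through the registry.
$p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    (Get-SmbServerConfiguration).EnableSMB1Protocol          # $false is what you want
} else {
    $v = (Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v -or $v -eq 1) { 'SMBv1 enabled' } else { 'SMBv1 disabled' }
}

# 3. Disable it. This removes the attack surface but is not a substitute for
#    the patch: install MS17-010 as well, and confirm from the network with
#    nmap's smb-vuln-ms17-010 script. The registry method needs a reboot.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path $p -Name SMB1 -Type DWord -Value 0
}
```

The LastLogonDate column matters as much as the OS name: an end-of-life host that logged on last week is a live target, while one that has been silent for a year is a stale object that should simply be deleted from the domain.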
Another common finding is systems with SMB signing disabled, or merely enabled rather than required. SMB signing is a Windows feature that authenticates each SMB message and so prevents man-in-the-middle (MitM) attacks against the SMB protocol. When a host does not require signing, a malicious actor who captures or coerces an authentication on the network can relay it to that host (an SMB relay attack) and, if the relayed account is a local administrator there, run code as that administrator. By default only domain controllers require signing; workstations and member servers do not.
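An added example, not from the original article, showing how to read and enforce the setting that actually blocks relay. The registry paths and GPO names are the real Windows ones; the nmap command at the end is the network-side check a tester would run and assumes nmap is installed.

```powershell
# Added example, not from the original article: check and enforce SMB signing.
# Relay succeeds against hosts that accept unsigned sessions, so the setting
# that matters is the server-side RequireSecuritySignature, not EnableSecuritySignature.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cli = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# 1. Current state. "Enabled" only offers signing during negotiation; a
#    relayed session is refused only when "Required" is 1.
foreach ($k in $srv, $cli) {
    $v = Get-ItemProperty -Path $k
    [pscustomobject]@{
        Component = $k.Split('\')[-2]                    # LanmanServer / LanmanWorkstation
        Required  = [int]$v.RequireSecuritySignature     # missing value reads as 0
        Enabled   = [int]$v.EnableSecuritySignature
    }
}
# Windows 8 / Server 2012 and later expose the same bits as cmdlets:
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
}

# 2. Enforce on this host. The GPO equivalents, under Computer Configuration >
#    Windows Settings > Security Settings > Local Policies > Security Options, are
#    "Microsoft network server: Digitally sign communications (always)" and
#    "Microsoft network client: Digitally sign communications (always)".
Set-ItemProperty -Path $srv -Name RequireSecuritySignature -Type DWord -Value 1
Set-ItemProperty -Path $cli -Name RequireSecuritySignature -Type DWord -Value 1
Restart-Service LanmanServer -Force   # drops current SMB sessions; schedule accordingly

# 3. Verify from the network, as the tester will (assumes nmap is installed):
#    nmap -p445 --script smb2-security-mode 10.0.0.0/24
#    Hosts reporting "Message signing enabled but not required" are relay targets.
```

Push the two policy settings by GPO to every workstation and member server rather than host by host; a single unsigned host that a domain administrator ever logs on to is enough for the relay to end in domain compromise.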
Yes, believe it or not, printers can be the starting point for a complete network takeover. Through a basic oversight, many companies leave default passwords in place on office printers. With access to the printer’s administrative interface, an attacker can recover the domain account configured for scan-to-folder, scan-to-email or LDAP address-book lookups, either by reading it from the settings or by pointing the printer at a server they control and capturing the credentials it sends. With that basic domain account it is fairly easy to enumerate Active Directory usernames, groups, group memberships and the password policy.
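An added example, not from the original article, of what a tester does with the account recovered from a printer, followed by the defensive check of what that account is allowed to do. Any authenticated domain account can read this information by default, which is the whole point of the finding. The domain controller name, domain and account name are assumptions.

```powershell
# Added example, not from the original article: enumerate AD with a
# low-privilege account recovered from a printer, then review that account.
# Hostnames, domain and account name are assumptions. Needs the ActiveDirectory module.
$dc   = 'dc01.corp.example'
$cred = Get-Credential 'CORP\svc-printer-scan'   # password taken from the printer's LDAP/SMB settings

# Password policy: tells the attacker how many guesses per account are safe
# before lockout, which sets the pace of a password spray.
Get-ADDefaultDomainPasswordPolicy -Server $dc -Credential $cred |
    Select-Object LockoutThreshold, LockoutObservationWindow, MinPasswordLength

# Every user, with the flags that mark the stale accounts discussed above.
Get-ADUser -Filter * -Server $dc -Credential $cred `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet |
    Export-Csv users.csv -NoTypeInformation

# Privileged groups and their nested membership: the target list.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember $g -Recursive -Server $dc -Credential $cred |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

# Defensive counterpart: a printer account needs nothing beyond Domain Users
# and should not have a never-expiring password. Check what it actually has.
Get-ADUser $cred.UserName.Split('\')[-1] -Server $dc -Credential $cred `
    -Properties MemberOf, PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
                  @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```

Two things to fix when the last query comes back with more than you expected: move the printer to a dedicated, least-privilege account with a long random password, and change the printer’s own admin password so the account cannot simply be read back out again.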
FTP and telnet services
These services transmit data, including credentials, in cleartext and should not be used on the network: a malicious insider, or an attacker who has already gained a foothold, can sniff the traffic and read them. Furthermore, when anonymous FTP is enabled, anyone can log in to the FTP instance with the user name “anonymous” and any password. Replace them with SSH and SFTP (or FTPS) and disable anonymous access.
And the last tip of the day: do not use default community strings (such as “public” and “private”) for SNMP services. With a default community string, any user on the network can pull information about the system, including user lists, network configuration and installed software, leaving you exposed to vulnerabilities that can be chained together into an effective attack. A default read-write string (typically “private”) is worse still, as it allows the device configuration to be changed. Note that SNMPv1 and v2c send the community string in cleartext, so it is also exposed to the sniffing described above; prefer SNMPv3 with authentication.
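An added example, not from the original article, that finds FTP and telnet listeners on a range and tests whether each FTP server accepts the anonymous login. It uses only .NET and the built-in Test-NetConnection cmdlet; the network range and the e-mail address used as the anonymous password are assumptions.

```powershell
# Added example, not from the original article: sweep for FTP/telnet and test
# anonymous FTP. The address range is an assumption.
$hosts = 1..254 | ForEach-Object { "10.0.0.$_" }

function Test-AnonymousFtp {
    param([string]$Hostname, [int]$TimeoutMs = 3000)
    try {
        $req = [System.Net.FtpWebRequest]::Create("ftp://$Hostname/")
        $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
        # Classic anonymous convention: user "anonymous", any password (often an e-mail address).
        $req.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'test@example.com')
        $req.Timeout     = $TimeoutMs
        $req.UsePassive  = $true
        $resp = $req.GetResponse()
        $resp.Close()
        return $true            # server replied 230 and returned a listing
    } catch [System.Net.WebException] {
        return $false           # 530 login refused, timeout, or not FTP at all
    }
}

$results = foreach ($h in $hosts) {
    $ftp    = Test-NetConnection -ComputerName $h -Port 21 -InformationLevel Quiet -WarningAction SilentlyContinue
    $telnet = Test-NetConnection -ComputerName $h -Port 23 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($ftp -or $telnet) {
        $anon = if ($ftp) { Test-AnonymousFtp -Hostname $h } else { $false }
        [pscustomobject]@{ Host = $h; Ftp = $ftp; AnonymousFtp = $anon; Telnet = $telnet }
    }
}
$results | Format-Table -AutoSize
```

Test-NetConnection pings before it connects and waits out a timeout on silent hosts, so a full /24 takes a few minutes; for larger ranges run the same check from nmap (`-p21,23 --script ftp-anon`) and keep this script for confirming individual hits.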
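An added example, not from the original article: a hand-built SNMPv1 GET for sysDescr.0 sent with a candidate community string. SNMPv1 agents silently drop requests with a wrong community, so any reply at all proves the string is accepted and a full walk would succeed. It needs no SNMP module, only a UDP socket; the target range and the community list are assumptions.

```powershell
# Added example, not from the original article: probe for default SNMP
# community strings with a raw SNMPv1 GET. Target range is an assumption.
function Test-SnmpCommunity {
    param([string]$Target, [string]$Community = 'public', [int]$TimeoutMs = 2000)

    $comm = [System.Text.Encoding]::ASCII.GetBytes($Community)
    if ($comm.Length -gt 127) { throw 'community too long for single-byte BER lengths' }

    # BER encoding, innermost first (every length here is < 128, so one byte):
    #   VarBind     ::= SEQUENCE { OID 1.3.6.1.2.1.1.1.0 (sysDescr.0), NULL }
    $varbind = [byte[]](0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00)
    #   VarBindList ::= SEQUENCE { VarBind }
    $vblist  = [byte[]](0x30, $varbind.Length) + $varbind
    #   GetRequest  ::= [0] { request-id 1, error-status 0, error-index 0, VarBindList }
    $pdu     = [byte[]](0x02, 0x04, 0x00, 0x00, 0x00, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00) + $vblist
    $getreq  = [byte[]](0xa0, $pdu.Length) + $pdu
    #   Message     ::= SEQUENCE { version 0 (SNMPv1), community OCTET STRING, GetRequest }
    $body    = [byte[]](0x02, 0x01, 0x00, 0x04, $comm.Length) + $comm + $getreq
    $msg     = [byte[]](0x30, $body.Length) + $body

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Target, 161)
        [void]$udp.Send($msg, $msg.Length)
        $from  = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        # Crude decode: the printable bytes of the GetResponse are the community
        # string followed by the sysDescr text, enough to identify the device.
        $text = ([System.Text.Encoding]::ASCII.GetString($reply) -replace '[^\x20-\x7e]', ' ').Trim()
        [pscustomobject]@{ Target = $Target; Community = $Community; Accepted = $true;  Info = $text }
    } catch {
        # Timeout or unreachable: a wrong community gets no answer at all.
        [pscustomobject]@{ Target = $Target; Community = $Community; Accepted = $false; Info = '' }
    } finally {
        $udp.Close()
    }
}

# Sweep the assumed range with the two factory defaults.
$results = foreach ($h in (1..254 | ForEach-Object { "10.0.0.$_" })) {
    foreach ($c in 'public', 'private') { Test-SnmpCommunity -Target $h -Community $c }
}
$results | Where-Object Accepted | Format-Table -AutoSize
```

A hit on “private” deserves immediate attention: on most devices that is the read-write community, and an attacker with it can rewrite the configuration, not just read it. Once the strings are changed, re-run the sweep so the old values are confirmed dead everywhere, including on devices nobody remembered were SNMP-enabled.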
Maintaining Positive Controls
When reviewing your current security posture, the positive controls you have in place make it more difficult for a bad actor to get in and gain control. Here are a few controls that should be in place.
- Create a domain password policy that requires a minimum length of 14 characters.
- Have threat-detection controls in place that monitor network traffic and alert on specific activities.
- Make sure domain controllers have a GPO in place that prevents the storing of LM hashes.
- Keep routers and switches updated.
- Do not use default passwords, even on printers.
- Do not allow your Internet-facing firewalls to permit excessive ports inbound from, or outbound to, the Internet.
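An added example, not from the original article, for the LM-hash bullet: the LSA registry values behind the GPO settings, read back first and then set. The registry path and GPO names are the real Windows ones; the related authentication-level setting is included because the same GPO section controls it.

```powershell
# Added example, not from the original article: check and set the LSA values
# behind "Do not store LAN Manager hash value on next password change".
# Run on the domain controller, or push the same values through the GPO.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$cur = Get-ItemProperty -Path $lsa

[pscustomobject]@{
    # 1 = do not store the LM hash. GPO: Security Options >
    # "Network security: Do not store LAN Manager hash value on next password change"
    NoLMHash             = [int]$cur.NoLMHash
    # 5 = send NTLMv2 only, refuse LM and NTLM. GPO: Security Options >
    # "Network security: LAN Manager authentication level"
    LmCompatibilityLevel = [int]$cur.LmCompatibilityLevel
}

Set-ItemProperty -Path $lsa -Name NoLMHash -Type DWord -Value 1
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
```

NoLMHash only stops the hash from being written at the next password change; the LM hashes of passwords that already exist stay in the directory until each account changes its password once. Pair it with the forced change of stale accounts from the password-policy section, otherwise the control is in place on paper while the crackable hashes remain.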
About Redbot Security
Redbot Security is a leading US penetration testing company, providing manual controlled testing and enterprise reporting. We work closely with every type of company, from SMB to Fortune 500. Redbot Security’s Manual Controlled Penetration Testing uses a comprehensive assessment methodology, providing accurate results and representative coverage of the risks facing an application or information system.
Penetration testing can help your team find exploitable vulnerabilities before bad actors find them.
If you are looking to find exploitable vulnerabilities on your OT/IT networks, Manual Controlled Penetration Testing (MCPT) is an easy-to-execute, cost-effective solution.
With Redbot Security you get reports written by experts that highlight key data and exactly how targets were compromised as well as recommendations on best practices along with complete review of remediation recommendations.
Redbot Security’s MCPT is a complete service provided by our team of IT/OT network/system experts to ensure that vulnerabilities are minimized and that your defenses are running in top shape by offering the following:
- Penetration Testing (black-box, gray-box, white-box)
- Real-world attacker tactics and techniques: controlled manual penetration testing without interruption
- Actionable and easy-to-follow results – Risk Rating, Exploit Storyboard and Remediation Recommendations
- Retesting is included in our service model.
Learn more here