In this article I will share the most common loopholes found in the internal infrastructure of Windows-based domains and what their impact may be. I used to travel a lot to conduct such assessments, so readers can treat this as a reflection of what I experienced while conducting internal penetration testing assessments. At the end of this article I will also explain briefly why this kind of assessment is necessary and what we penetration testers actually do during an internal network penetration test.
So let’s start with some of the most common issues:
1) Missing Security updates/patches on servers
The vulnerabilities I found most often relate to missing OS or third-party software patches. Because working exploits for these kinds of vulnerabilities are now readily available in various easy-to-use open source tools, their impact is much more critical. Typically most Windows servers have the SMB ports open (139 and 445), which allows anyone on the same network segment (authenticated or not) to send exploits to the server. Third-party software is often found unpatched because these applications generally sit outside the standard Windows Update system and are never updated, and their vulnerabilities can ultimately lead to the compromise of a fully patched base operating system. Even if the compromised box does not play an important role (for example print servers or test/development servers), a successful exploit can lead to the compromise of the whole domain, because the credentials found on that box are usually valid elsewhere. And believe me, with the amount of information freely available over the internet these days, this is absolutely possible for an internal user.
2) Sensitive information stored in open network shares
During almost all internal assessments I found open network shares containing sensitive information such as HR details, payslips, salaries, Cisco configuration files, password spreadsheets, SQL backup files and so on.
Batch files and XML files are often seen with hard-coded SQL Server credentials that have domain admin privileges or allow direct access to the SQL Server. Shares such as NETLOGON often contain logon scripts for drive mappings or software installs that also contain hard-coded domain administrator credentials or reveal a commonly used password. Since NETLOGON and SYSVOL are readable by every authenticated domain user by design, anything stored there is effectively public within the domain. This allows a standard user browsing the network to obtain very sensitive information and highly privileged credentials, and to access servers without any exploitation being required.
Permission issues with user directories on file servers are often found which allow any user to view other users' data; typically this includes HR or salary information and in some cases IT support staff data and passwords.
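The quickest way to find the hard-coded credentials described above is to walk the share and grep scripts and configuration files for the handful of patterns that nearly always carry a password: `net use` drive mappings, connection strings, and the `-p` switch of tools like PsExec and sqlcmd. The following is an added example written for this article, not a tool from the original text; it builds a constructed mock share in a temporary directory (the file names, accounts and passwords are invented) and reports each hit with the secret redacted so the findings file does not itself become a credential store.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# File types worth reading on a share: scripts, configs and notes. Binaries are skipped.
TEXT_SUFFIXES = {".bat", ".cmd", ".vbs", ".ps1", ".xml", ".config", ".ini", ".txt", ".sql"}

# (label, regex). The named group "pw" captures the secret so the report can redact it.
# A "*" after /user: means "prompt for password" and is deliberately not treated as a secret.
CRED_PATTERNS = [
    ("net use: user then password",
     re.compile(r"net\s+use\b.*?/user:(?P<user>\S+)\s+(?P<pw>(?![/*])\S+)", re.I)),
    ("net use: password then user",
     re.compile(r"net\s+use\s+\S+\s+\\\\\S+\s+(?P<pw>(?![/*])\S+)\s+/user:(?P<user>\S+)", re.I)),
    ("connection string password",
     re.compile(r"""(?:password|pwd)\s*=\s*(?P<pw>[^;"'\s<]+)""", re.I)),
    ("psexec/sqlcmd -p switch",
     re.compile(r"\b(?:psexec|sqlcmd)\b.*?\s-p\s+(?P<pw>\S+)", re.I)),
]


def scan_share(root: Path) -> List[Dict]:
    """Walk a mounted share and return one redacted finding per line that carries a credential."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: permissions or a file locked by another user
        for lineno, line in enumerate(lines, 1):
            for label, rx in CRED_PATTERNS:
                m = rx.search(line)
                if not m:
                    continue
                pw = m.group("pw")
                findings.append({
                    "file": str(path.relative_to(root)).replace("\\", "/"),
                    "line": lineno,
                    "kind": label,
                    "user": m.groupdict().get("user"),
                    "evidence": line.strip().replace(pw, "********"),
                })
                break  # one finding per line is enough for the report
    return findings


def build_sample_share() -> Path:
    """Constructed mock of a share (NETLOGON, an app folder, an IT folder); all secrets are made up."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "NETLOGON").mkdir()
    (root / "NETLOGON" / "logon.bat").write_text(
        "@echo off\r\n"
        "net use H: \\\\fs01\\home /user:CORP\\svc_map Winter2014! /persistent:no\r\n"
        "net use P: \\\\fs01\\public /persistent:yes\r\n")
    (root / "Apps" / "Portal").mkdir(parents=True)
    (root / "Apps" / "Portal" / "web.config").write_text(
        "<connectionStrings>\n"
        '  <add name="HR" connectionString="Server=SQL01;Database=HR;User Id=sa;Password=Sa2012!;" />\n'
        "</connectionStrings>\n")
    (root / "IT").mkdir()
    (root / "IT" / "deploy_agent.cmd").write_text(
        "psexec \\\\ws%1 -u CORP\\administrator -p Adm1n!Pass msiexec /i \\\\fs01\\sw\\agent.msi /qn\n")
    (root / "IT" / "readme.txt").write_text("Ask the helpdesk for the password before running deploy.\n")
    (root / "IT" / "tool.exe").write_bytes(b"MZ\x90\x00")  # binary, skipped by suffix filter
    return root


if __name__ == "__main__":
    for hit in scan_share(build_sample_share()):
        print(f"{hit['file']}:{hit['line']} [{hit['kind']}] {hit['evidence']}")
```

On a real engagement, point `scan_share` at a share mounted read-only (for example under `/mnt/netlogon` with `mount -t cifs`) and extend `TEXT_SUFFIXES` and `CRED_PATTERNS` to match what you see in the environment; the redaction step matters because the report is usually shared more widely than the tester's notes.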
3) Common/Weak/Default login credentials
As an attacker I often succeeded by trying certain common (default) usernames and passwords to gain access to a system and perform unauthorized actions. An attacker may attempt an intelligent brute force using known vendor default credentials together with a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be removed or changed before the product goes into production; forgetting to do so is a common mistake. Another problem is that users pick very simple (common) passwords (e.g. "secret" or "password"), which lets an attacker gain access far faster than a brute force attack or even a full dictionary attack would.
Some common examples are:
§ MS SQL Server default password for the "sa" account
§ MySQL default blank password for the root account
§ Cisco devices default level 15 (enable) password
§ JBoss application server JMX Console default credentials
§ Tomcat Manager default password
§ Oracle TNS Listener with no listener password set
Shared usernames and passwords are often found between workstations and servers. Therefore any software or physical exploit that compromises a workstation can reuse the retrieved credentials to compromise a fully patched server. If the password is strong and cannot be cracked, it is still possible to authenticate to servers using only the password hash, without ever knowing the password itself (pass-the-hash), because NTLM computes its challenge response from the NT hash rather than from the plaintext. Shared passwords between servers are also a risk: if one non-essential server is compromised, the credentials gained can be used to authenticate against a business-critical server that is not itself vulnerable to exploitation.
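To make the pass-the-hash point concrete, here is an added example (not code from the original article) that computes the NT hash and an NTLMv2 challenge response the way MS-NLMP defines them, and shows that a party holding only the 16-byte hash produces exactly the same response as the party that knows the password. The user name, domain, password, server challenge and client blob are constructed test values; the MD4 routine is written out because many OpenSSL-backed builds of hashlib no longer expose it.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). NT hashes are MD4 over the UTF-16LE encoding of the password."""
    mask = 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & mask

    # (function, additive constant, message-word order, per-step rotations) for the three rounds
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + X[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c                # rotate registers for the next step
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: the 16-byte NT hash as stored in the SAM and in NTDS.DIT."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 response (MS-NLMP): NTProofStr || blob. The input is the NT hash, never the password."""
    ntowf_v2 = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def pass_the_hash_demo() -> dict:
    """Constructed scenario: the legitimate client and an attacker holding only the NT hash
    answer the same server challenge, and the two responses are identical."""
    password = "Correct-Horse-Battery-Staple-2014"     # assumed long enough that cracking is impractical
    user, domain = "svc_backup", "CORP"                 # constructed account
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed 8-byte ServerChallenge
    # Simplified NTLMv2 "temp" blob: RespType/HiRespType, reserved, timestamp, client nonce, reserved.
    # A real client also appends the AV_PAIR target information; the structure of the proof is the same.
    blob = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("a1b2c3d4e5f60718") + bytes(4)

    from_password = ntlmv2_response(nt_hash(password), user, domain, server_challenge, blob)
    # The attacker starts from the 16 bytes dumped from a workstation's SAM or LSASS and never
    # calls nt_hash(); the hash alone is the credential the protocol actually consumes.
    stolen_hash = bytes.fromhex(nt_hash(password).hex())
    from_hash = ntlmv2_response(stolen_hash, user, domain, server_challenge, blob)
    return {"from_password": from_password.hex(), "from_hash": from_hash.hex(), "blob": blob.hex()}


if __name__ == "__main__":
    r = pass_the_hash_demo()
    print("response from password:", r["from_password"][:32], "...")
    print("response from NT hash: ", r["from_hash"][:32], "...")
    print("identical:", r["from_password"] == r["from_hash"])
```

The takeaway for remediation is that password strength does not help once the hash is exposed; what helps is preventing the exposure (no shared local administrator passwords across machines, no domain administrator logons on workstations) and, where possible, replacing NTLM with Kerberos and enabling SMB signing so a relayed or replayed response is not accepted.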
4) Improper access control lists
Segmenting your network using access control lists is the simplest way to make sure that systems communicate only with the systems they should. According to the Verizon report, properly configured access control lists would have protected 66 per cent of the records compromised last year.
5) Weak password policies
Easily guessable user accounts and passwords are often found within organizations for shared job roles such as reception, helpdesk, security and so on. As these are positions where multiple users may share the same computer, logins such as "reception" with a password of "reception" are commonly seen, chosen to make life easier for the users.
Passwords are often based on the company name or something obvious relating to the company that can be guessed. Weak password policies are found that allow short and weak passwords for user and administrator accounts, with no complexity requirements and no forced password changes.
6) Insecure Workstations
Workstations are often not considered that important with regard to security. In internal testing they are often the easiest route to exploiting the servers and the domain. The main areas are:
Missing Microsoft patches – Workstation patching is just as important as server patching. The most typical exploits relate to the SMB ports, just as with the servers. If a workstation can be exploited, it may contain credentials that allow a fully patched server to be compromised. If a Windows workstation has the host firewall enabled with inbound connections blocked and no exception for file and printer sharing, the unauthenticated SMB exploits are unreachable, and only an exploit that requires user interaction would work, such as a malicious PDF that creates an outbound connection to the attacker.
Boot security – Workstations often have no boot security enabled in the BIOS and no disk encryption. It is therefore possible to power on the workstation, boot from a CD-ROM or USB stick, mount the Windows partition, bypass all operating-system security and extract the local administrator password hashes from the SAM. The workstation may also hold cached domain credentials: by default Windows caches a verifier for the last ten domain users who logged on interactively, so if a domain administrator has ever logged on to the machine (for example to set it up or troubleshoot it), that cached credential can be recovered from the registry and cracked offline. If common credentials are found between workstations and servers, this can result in the domain being fully compromised.
3rd Party applications – Applications such as Adobe PDF Reader, Java, QuickTime and so on are susceptible to vulnerabilities in the same way as the operating system. Even with a fully patched operating system, a vulnerability within a 3rd party application can lead to the system being compromised. Often these applications are not patched, or it is left to the end user to decide whether to install updates. They are also excluded from Windows Update services and are often not considered important applications to patch.
Internal assessments are key to ensuring your network, data and user environment are secure not only from internal staff threats but also from the outside world. Many of today's attack vectors work outbound from client systems, so inbound firewall rules alone may not stop them. It is also vital to ensure that sensitive data such as HR or payroll information is not accessible to standard users. An internal infrastructure test consists of a penetration tester visiting the client site and being provided with a network outlet. Typically no user credentials and very little information are supplied. Servers, network devices and even workstations are assessed for vulnerabilities that can be exploited. Automated tools are not the only method used; a lot of manual and adaptive thinking is required to piece together small pieces of information that can together result in a network compromise.