One of the most effective ways for IT professionals to uncover a company's weaknesses before the bad guys do is a practice known as penetration testing ("pentest"). By simulating real-world cyberattacks, pentests provide invaluable insights into an organization's security posture, revealing weaknesses that could potentially lead to data breaches or other security incidents.
The findings in this newsletter were based on the top 10 results from over 10,000 automated network pentests, at over 1,200 organizations.
In this newsletter, Celerit cybersecurity specialists dive into each of these critical findings to better understand the common exploitable vulnerabilities organizations face and how to address them effectively.
Top 10 Pentest Findings & Recommendations
1. Multicast DNS (MDNS) Spoofing
Multicast DNS (mDNS) is a protocol used in small networks to resolve DNS names without a local DNS server. It sends queries to the local subnet, allowing any system to respond with the requested IP address. This can be exploited by attackers who can respond with the IP address of their own system.
Recommendations:
The most effective method for preventing exploitation is to disable mDNS altogether if it is not being used. Depending on the implementation, this can be achieved by disabling the Apple Bonjour or avahi-daemon service
2. NetBIOS Name Service (NBNS) Spoofing
NetBIOS Name Service (NBNS) is a protocol used in internal networks to resolve DNS names when a DNS server is unavailable. It broadcasts queries across the network, and any system can respond with the requested IP address. This can be exploited by attackers who can respond with their own system's IP address.
Recommendations:
The following are some strategies for preventing the use of NBNS in a Windows environment or reducing the impact of NBNS Spoofing attacks: Configure the Use DNS Only For Name Resolutions registry key in order to prevent systems from using NBNS queries (NetBIOS over TCP/IP Configuration Parameters). Set the registry DWORD to Disable the NetBIOS service for all Windows hosts in the internal network. This can be done via DHCP options, network adapter settings, or a registry key
3. Link-local Multicast Name Resolution (LLMNR) Spoofing
Link-Local Multicast Name Resolution (LLMNR) is a protocol used in internal networks to resolve DNS names when a DNS server is unavailable. It broadcasts queries across the network, allowing any system to respond with the requested IP address. This can be exploited by attackers who can respond with their own system's IP address.
Recommendations:
The most effective method for preventing exploitation is to configure the Multicast Name Resolution registry key in order to prevent systems from using LLMNR queries. Using Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client \Turn off Multicast Name Resolution = Enabled (To administer a Windows 2003 DC, use the Remote Server Administration Tools for Windows 7)Using the Registry for Windows Vista/7/10 Home Edition only: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ Windows NT\DNSClient \EnableMulticast
4. IPV6 DNS Spoofing
IPv6 DNS spoofing occurs when a rogue DHCPv6 server is deployed on a network. Since Windows systems prefer IPv6 over IPv4, IPv6-enabled clients will use the DHCPv6 server if available. During an attack, an IPv6 DNS server is assigned to these clients, while they keep their IPv4 configurations. This allows the attacker to intercept DNS requests by reconfiguring clients to use the attacker's system as the DNS server.
Recommendations:
Disable IPv6 unless it is required for business operations. As disabling IPv6 could potentially cause an interruption in network services, it is strongly advised to test this configuration prior to mass deployment. An alternative solution would be to implement DHCPv6 guard on network switches. Essentially, DHCPv6 guard ensures that only an authorized list of DHCP servers are allowed to assign leases to clients
5. Outdated Microsoft Windows Systems
An outdated Microsoft Windows system is vulnerable to attacks as it no longer receives security updates. This makes it an easy target for attackers, who can exploit its weaknesses and potentially pivot to other systems and resources in the network.
Recommendations:
Replace outdated versions of Microsoft Windows with operating systems that are up-to-date and supported by the manufacturer.
6. IPMI Authentication Bypass
Intelligent Platform Management Interface (IPMI) allows administrators to manage servers centrally. However, some servers have vulnerabilities that let attackers bypass authentication and extract password hashes. If the password is default or weak, attackers can obtain the cleartext password and gain remote access.
Recommendations:
Since there is no patch available for this particular vulnerability, it is recommended to perform one or more of the following actions. Restrict IPMI access to a limited number of systems - systems which require access for administration purposes. Disable the IPMI service if it is not required for business operations. Change the default administrator password to one that is strong and complex. Only use secure protocols, such as HTTPS and SSH, on the service to limit the chances of an attacker from successfully obtaining this password in a man-in-the-middle attack.
7. Microsoft Windows RCE (BlueKeep)
Systems vulnerable to CVE-2019-0708 (BlueKeep) were identified during testing. This Microsoft Windows vulnerability is highly exploitable due to available tools and code, allowing attackers to gain full control over affected systems.
Recommendations:
It is recommended to apply security updates on the affected system. Furthermore, the organization should evaluate its patch management program to determine the reason for the lack of security updates. As this vulnerability is a commonly exploited vulnerability and could result in significant access, it should be remediated immediately.
8. Local Administrator Password Reuse
During the internal penetration test, many systems were found to share the same local administrator password. Compromising one local administrator account provided access to multiple systems, significantly increasing the risk of a widespread compromise within the organization.
Recommendations:
Use a solution such as Microsoft Local Administrator Password Solution (LDAPS) to ensure that the local administrator password across multiple systems are not consistent.
9. Microsoft Windows RCE (EternalBlue)
Systems vulnerable to MS17-010 (EternalBlue) were identified during testing. This Windows vulnerability is highly exploitable due to available tools and code, allowing attackers to gain full control over affected systems.
Recommendations:
It is recommended to apply security updates on the affected system. Furthermore, the organization should evaluate its patch management program to determine the reason for the lack of security updates. As this vulnerability is a commonly exploited vulnerability and could result in significant access, it should be remediated immediately.
10. Dell EMC IDRAC 7/8 CGI Injection (CVE-2018-1207)
Dell EMC iDRAC7/iDRAC8 versions prior to 2.52.52.52 are vulnerable to CVE-2018-1207, a command injection issue. This allows unauthenticated attackers to execute commands with root privileges, giving them complete control over the iDRAC device.
Recommendations:
Upgrade the firmware to the latest possible version.
Common Causes of Critical Pentest Findings
While each of these findings emerged from a different exploit, there are some things that many of them have in common. The root causes of many of the top critical pentest findings continues to be configuration weaknesses and patching deficiencies.
If your organization wants to learn more about Pentesting or a Cybersecurity Assessment, contact Celerit's IT Team at:
Accelerate Your IT
Comentários