There is a perception by many organisations that their internal network is a relatively safe haven from attackers. The thought is that well configured firewall rules and regular external penetration testing of internet connections provide adequate protection for the internal network. “We are safe inside the firewall and we trust our users, so we don’t need to worry so much about hardening, patching, access control and the rest” is an all too familiar view.
However, although the security of externally facing networks has improved, we have seen a rise in social engineering, client side attacks and physical intrusions into networks as a means of bypassing these external network controls. Recent high profile cases where criminals planted rogue equipment inside networks to steal money are likely to be just the tip of the iceberg. An internal network is increasingly a more appealing target for a hacker, than a highly secured external network. Once the hacker has obtained internal access, they can sit back and look for vulnerabilities, of which there is no short supply.
For a recent seminar, I started to compile a list of common vulnerabilities found on internal networks that led to compromise of specific systems or whole networks. I started to look for common threads in the vulnerabilities Dionach had found on the numerous internal tests we have performed over the years. After spending time looking through the results of previous assignments, speaking to colleagues and drawing from my own experiences I started to realise that putting together a concise list was much harder than I thought. I started looking for examples where one vulnerability or series of vulnerabilities had led to full system, network or domain compromise. I found that I wasn’t short on specific examples. Sometimes full compromises came from very simple misconfigurations or errors. Other times, a compromise came from a highly complex chain of lower risk vulnerabilities being exploited. The common factor in all tests was that numerous vulnerabilities were always present. The examples I had collected were fascinating, however, the aim of my presentation was to give an overview of common vulnerabilities. Somehow I needed to try and summarise the issues, to list the key components, or categories of some of the more serious exploits. This started to seem like a more manageable concept.
So here it is. This is my breakdown of the key vulnerability areas that I found that lead directly to a compromise or resulted in a compromise in combination with each other.
1. Weak / Default Passwords
A close look at most internal networks reveals a significant number of weak passwords,. Everything from normal users with “complex” passwords such as “Password01” and default system credentials, such as “tomcat:tomcat” or “sa:blank”, through to the classic “test:test” or “backupexec:backupexec” domain administrator accounts. Weak passwords are a common way to easily gain unauthorised access to systems within an internal network. Whether external attacker or rogue employee, password guessing is simple!
2. Inappropriate Privileges
Life is made much easier for an attacker when permissions and privileges are attributed inappropriately. Dionach often finds a high number of users in the Domain Admins group, test accounts with full administrator access, service accounts running with full privilege on the system or domain, redundant accounts that are still enabled and have access to live systems, and data that is easily accessible without appropriate control. Not keeping a good handle on privilege management leads to inappropriate access to resources.
Click on the following link to read the full blog post: http://www.dionach.com/blog/common-internal-vulnerabilities