One of the most effective ways for information technology (IT) professionals to uncover a company's weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration testing, sometimes called pentests, provides invaluable insights into an organization's security posture, revealing weaknesses that could potentially lead to data breaches or other security incidents.
Vonahi Security, the creators of vPenTest, an automated network penetration testing platform, just released their annual report, "The Top 10 Critical Pentest Findings 2024." In this report, Vonahi Security conducted over 10,000 automated network pentests, uncovering the top 10 internal network pentest findings at over 1,200 organizations.
Let's dive into each of these critical findings to better understand the common exploitable vulnerabilities organizations face and how to address them effectively.
Top 10 Pentest Findings & Recommendations
1. Multicast DNS (MDNS) Spoofing
Multicast DNS (mDNS) is a protocol used in small networks to resolve DNS names without a local DNS server. It sends queries to the local subnet, allowing any system to respond with the requested IP address. This can be exploited by attackers who can respond with the IP address of their own system.
Recommendations:
The most effective method for preventing exploitation is to disable mDNS altogether if it is not being used. Depending on the implementation, this can be achieved by disabling the Apple Bonjour or avahi-daemon service2. NetBIOS Name Service (NBNS) Spoofing
NetBIOS Name Service (NBNS) is a protocol used in internal networks to resolve DNS names when a DNS server is unavailable. It broadcasts queries across the network, and any system can respond with the requested IP address. This can be exploited by attackers who can respond with their own system's IP address.
Recommendations:
The following are some strategies for preventing the use of NBNS in a Windows environment or reducing the impact of NBNS Spoofing attacks:
Configure the UseDnsOnlyForNameResolutions registry key in order to prevent systems from using NBNS queries (NetBIOS over TCP/IP Configuration Parameters). Set the registry DWORD to Disable the NetBIOS service for all Windows hosts in the internal network. This can be done via DHCP options, network adapter settings, or a registry key3. Link-local Multicast Name Resolution (LLMNR) Spoofing
Link-Local Multicast Name Resolution (LLMNR) is a protocol used in internal networks to resolve DNS names when a DNS server is unavailable. It broadcasts queries across the network, allowing any system to respond with the requested IP address. This can be exploited by attackers who can respond with their own system's IP address.
Recommendations:
The most effective method for preventing exploitation is to configure the Multicast Name Resolution registry key in order to prevent systems from using LLMNR queries.
Using Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client \Turn off Multicast Name Resolution = Enabled (To administer a Windows 2003 DC, use the Remote Server Administration Tools for Windows 7) Using the Registry for Windows Vista/7/10 Home Edition only: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ Windows NT\DNSClient \EnableMulticast4. IPV6 DNS Spoofing
IPv6 DNS spoofing occurs when a rogue DHCPv6 server is deployed on a network. Since Windows systems prefer IPv6 over IPv4, IPv6-enabled clients will use the DHCPv6 server if available. During an attack, an IPv6 DNS server is assigned to these clients, while they keep their IPv4 configurations. This allows the attacker to intercept DNS requests by reconfiguring clients to use the attacker's system as the DNS server.
Recommendations:
Disable IPv6 unless it is required for business operations. As disabling IPv6 could potentially cause an interruption in network services, it is strongly advised to test this configuration prior to mass deployment. An alternative solution would be to implement DHCPv6 guard on network switches. Essentially, DHCPv6 guard ensures that only an authorized list of DHCP servers are allowed to assign leases to clients5. Outdated Microsoft Windows Systems
An outdated Microsoft Windows system is vulnerable to attacks as it no longer receives security updates. This makes it an easy target for attackers, who can exploit its weaknesses and potentially pivot to other systems and resources in the network.
Recommendations:
Replace outdated versions of Microsoft Windows with operating systems that are up-to-date and supported by the manufacturer.6. IPMI Authentication Bypass
Intelligent Platform Management Interface (IPMI) allows administrators to manage servers centrally. However, some servers have vulnerabilities that let attackers bypass authentication and extract password hashes. If the password is default or weak, attackers can obtain the cleartext password and gain remote access.
Recommendations:
Since there is no patch available for this particular vulnerability, it is recommended to perform one or more of the following actions.
Restrict IPMI access to a limited number of systems - systems which require access for administration purposes. Disable the IPMI service if it is not required for business operations. Change the default administrator password to one that is strong and complex. Only use secure protocols, such as HTTPS and SSH, on the service to limit the chances of an attacker from successfully obtaining this password in a man-in-the-middle attack.7. Microsoft Windows RCE (BlueKeep)
Systems vulnerable to CVE-2019-0708 (BlueKeep) were identified during testing. This Microsoft Windows vulnerability is highly exploitable due to available tools and code, allowing attackers to gain full control over affected systems.
Recommendations:
It is recommended to apply security updates on the affected system. Furthermore, the organization should evaluate its patch management program to determine the reason for the lack of security updates. As this vulnerability is a commonly exploited vulnerability and could result in significant access, it should be remediated immediately.8. Local Administrator Password Reuse
During the internal penetration test, many systems were found to share the same local administrator password. Compromising one local administrator account provided access to multiple systems, significantly increasing the risk of a widespread compromise within the organization.
Recommendations:
Use a solution such as Microsoft Local Administrator Password Solution (LDAPS) to ensure that the local administrator password across multiple systems are not consistent.9. Microsoft Windows RCE (EternalBlue)
Systems vulnerable to MS17-010 (EternalBlue) were identified during testing. This Windows vulnerability is highly exploitable due to available tools and code, allowing attackers to gain full control over affected systems.
Recommendations:
It is recommended to apply security updates on the affected system. Furthermore, the organization should evaluate its patch management program to determine the reason for the lack of security updates. As this vulnerability is a commonly exploited vulnerability and could result in significant access, it should be remediated immediately.10. Dell EMC IDRAC 7/8 CGI Injection (CVE-2018-1207)
Dell EMC iDRAC7/iDRAC8 versions prior to 2.52.52.52 are vulnerable to CVE-2018-1207, a command injection issue. This allows unauthenticated attackers to execute commands with root privileges, giving them complete control over the iDRAC device.
Recommendations:
Upgrade the firmware to the latest possible version.Common Causes of Critical Pentest Findings
While each of these findings emerged from a different exploit, there are some things that many of them have in common. The root causes of many of the top critical pentest findings continues to be configuration weaknesses and patching deficiencies.
Configuration weaknesses
Configuration weaknesses are typically due to improperly hardened services within systems deployed by administrators, and contain issues such as weak/default credentials, unnecessarily exposed services or excessive user permissions. Although some of the configuration weaknesses may be exploitable in limited circumstances, the potential impact of a successful attack will be relatively high.
Patching deficiencies
Patching deficiencies still prove to be a major issue for organizations and are typically due to reasons such as compatibility and, oftentimes, configuration issues within the patch management solution.
These two major issues alone prove the need for frequent penetration testing. While once-a-year testing has been the usual approach for penetration testing, ongoing testing provides a significant amount of value in identifying significant gaps closer to real-time context of how security risks can lead to significant compromises. For example, Tenable's Nessus scanner might identify LLMNR but only as informational. Quarterly or monthly network penetration testing with Vonahi's vPenTest not only highlights these issues but also explains their potential impact.
What is vPenTest?
vPenTest is a leading, fully automated network penetration testing platform that proactively helps reduce security risks and breaches across an organization's IT environment. It removes the hassles of finding a qualified network penetration tester and provides quality deliverables that communicate what vulnerabilities were identified, what risk they present to the organization along with how to remediate those vulnerabilities from a technical and strategic standpoint. Best of all, it can help bolster the organization's compliance management capabilities.
vPenTest: Key Features & Benefits
Comprehensive Assessments: Run both internal and external tests to thoroughly examine all potential entry points in your network. Real-World Simulation: Simulate real-world cyber threats to gain valuable insights into your security posture. Timely and Actionable Reporting: Receive detailed, easy-to-understand reports with vulnerabilities, their impacts, and recommended actions. Ongoing Testing: Set monthly testing intervals to ensure proactive and responsive security measures. Efficient Incident Response: Identify vulnerabilities early to prepare for potential security incidents effectively. Compliance Alignment: Meet regulatory compliance requirements such as SOC2, PCI DSS, HIPAA, ISO 27001, and cyber insurance requirements.Get a free trial today and see how easy it is to use vPenTest to proactively identify your risks to cyberattacks in real-time.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.