Pentesters on the most common vulnerabilities they find in networks

If the threat is coming from inside the house, the front door was probably misconfigured.

Unlike an external pentest, where hackers are tasked with breaking into a network, internal pentests begin from an interior vantage point.

During internal tests, pentesters are looking for security holes like poor patch management, unsegmented networks, and weak identity management, or more complicated exploits like link-local multicast name resolution (LLMNR) poisoning/relaying or disabled server message block (SMB) signing. Active Directory seems to be a perennial weak spot.

Pentesters who spoke with IT Brew spilled the beans on the most common vulnerabilities they find during internal tests.

Corey Ham, security analyst at Black Hills Information Security

The classic number one target…is Active Directory. As any admin knows, administering Active Directory is quite a challenge to get every user set down to the least privilege they need to do their jobs. And a lot of the times during setup and troubleshooting, admins will just sort of open things up so that they work, and then those things will be never restricted back down. So, there’s many, many instances of that kind of configuration-based vulnerability.

The whole time I’ve been pentesting, there have been what I would classify as relaying vulnerabilities in Windows. So, that would be your very old-school responder tool that still works to this day…Windows’ protocols, by default—specifically name resolution protocols—are exploitable, and a lot of companies still haven’t figured out or gone through the effort to lock them down…And that expands beyond just the client.

Basically, authentication relaying in Windows specifically is probably the most common vulnerability we see across every single customer.

Tom Richards, principal consultant at Synopsys

Either the service has no authentication, so we just browse to the webpage, and we’re dumped into an admin console. They’re using default or weak passwords.

We’re actually still finding EternalBlue on internal networks that we’re able to exploit, and that was disclosed in 2017. So, we’re still finding vulnerabilities that are—am I doing my math right, six years old now?-—on networks, and a lot of the other ones…revolve around Java attacks, where either frameworks or systems were not updated. So, they’re running various Java vulnerabilities.

We still have deserialization attacks…They have Java management extensions that are either improperly configured or are vulnerable that will allow us to just execute code on the systems...[or] something just hasn’t been updated, or properly patched in the last couple of years.

Josh Jacobson, head of security advisory, HackerOne

Hackers tend to be kind of like water on rocks. They’re gonna go for the easiest factor—they’re not going to try to go for that really complicated thing if they don’t have to. Why work harder; work smarter, right? So, those are the things I personally really like to look for—just default credentials on interconnected devices, IoT devices, printers, FTP shares, just networking devices like wireless access points that just get thrown up, spun up.

Anytime I see any kind of deprecated OS, that’s very concerning. There were several years that I was seeing Windows XP past its end of life. I even had a customer go, “Well, this is actually Windows XP Embedded, it has several more years of support.” And I’m like, “Well, you’re also not patching it, so it’s a moot point at this point.”

Heath Adams, CEO of TCM Security

It’s very, very common, from mom-and-pop shops all the way up, to see Active Directory internally. The thing about Active Directory is it ships inherently vulnerable, there are “features,” l call them in quotations, that are vulnerable of Active Directory. And those, especially if you’ve never been to a pentest before, are there as soon as you set it up.

The biggest one is known as LLMNR poisoning, which is link-local multicast name resolution. So, what that does is it acts as DNS, so it’s trying to resolve names within the network. And what’s going on in our position as an attacker is, we’re sitting there and waiting for these communications to happen. When these communications happen, what we see is a user, a domain, and the password hash of the user…If it’s a weak password on this, then we can go crack that hash offline…This is almost always the initial foothold for a company that has never been to pentest, doesn’t have a good password policy.

There are also attacks based off that. One is called SMB relay—that is a technical attack, where if somebody has local administrative rights on a computer, if you give somebody multiple local admin rights on computers, and we capture that hash, we can relay that to a computer that has SMB signing disabled, which is by default on all workstations and windows.