One of the most effective ways for information technology (IT) professionals to uncover a company’s weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration tests, often called pentests, provide invaluable insight into an organization’s security posture, revealing weaknesses that could lead to data breaches or other security incidents.
Vonahi Security, the creators of vPenTest, an automated network penetration testing platform, just released their annual report, “The Top 10 Critical Pentest Findings 2024.” For this report, Vonahi Security analyzed over 10,000 automated network pentests and compiled the top 10 internal network pentest findings across over 1,200 organizations.
Let’s dive into each of these critical findings to better understand the common exploitable vulnerabilities organizations face and how to address them effectively.
Multicast DNS (mDNS) is a protocol used in small networks to resolve DNS names without a local DNS server. It sends queries to the local subnet, allowing any system to respond with the requested IP address. This can be exploited by attackers who can respond with the IP address of their own system.
Recommendations:
NetBIOS Name Service (NBNS) is a protocol used in internal networks to resolve DNS names when a DNS server is unavailable. It broadcasts queries across the network, and any system can respond with the requested IP address. This can be exploited by attackers who can respond with their own system’s IP address.
Recommendations:
The following are some strategies for preventing the use of NBNS in a Windows environment or reducing the impact of NBNS Spoofing attacks:
Link-Local Multicast Name Resolution (LLMNR) is a protocol used in internal networks to resolve DNS names when a DNS server is unavailable. It broadcasts queries across the network, allowing any system to respond with the requested IP address. This can be exploited by attackers who can respond with their own system’s IP address.
Recommendations:
The most effective way to prevent exploitation is to configure the Multicast Name Resolution registry key so that systems stop sending LLMNR queries.
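The NBNS and LLMNR findings above share one host-side fix: stop the Windows DNS client from multicasting names and turn off NetBIOS over TCP/IP per adapter. The following PowerShell is an added example, not code from the Vonahi report or the vPenTest platform. It audits both settings and, when run without `-WhatIf`, writes the same registry values that the corresponding Group Policy ("Turn off multicast name resolution" under Network > DNS Client) and adapter settings set. The function names are my own; the registry paths and value names are the standard Windows ones. Run it in an elevated session.

```powershell
# Added example (not from the Vonahi report): audit and harden LLMNR and NBNS on one Windows host.
# For a fleet, push the same values through Group Policy / DHCP options instead of running this per host.

$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LegacyNameResolutionState {
    # EnableMulticast = 0 is the policy value that stops the DNS client from sending LLMNR queries.
    $llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrDisabled = ($null -ne $llmnr) -and ($llmnr.EnableMulticast -eq 0)

    # NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $interfaces = @(Get-ChildItem -Path $NetBtKey -ErrorAction SilentlyContinue | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            NbnsDisabled   = ($opt -eq 2)
        }
    })

    [pscustomobject]@{
        LlmnrDisabled     = $llmnrDisabled
        # True only when every interface key was read and every one has NetBIOS disabled.
        NbnsDisabledOnAll = ($interfaces.Count -gt 0) -and (@($interfaces | Where-Object { -not $_.NbnsDisabled }).Count -eq 0)
        Interfaces        = $interfaces
    }
}

function Disable-LegacyNameResolution {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($LlmnrKey, 'Set EnableMulticast = 0 (disable LLMNR)')) {
        if (-not (Test-Path -Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }

    Get-ChildItem -Path $NetBtKey | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PSChildName, 'Set NetbiosOptions = 2 (disable NetBIOS over TCP/IP)')) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
}

# Usage: review the current state first, then preview the change. Drop -WhatIf to apply it.
Get-LegacyNameResolutionState | Format-List
Disable-LegacyNameResolution -WhatIf
```

Disabling NetBIOS over TCP/IP removes a fallback that some legacy applications and older file-sharing setups still rely on, so check the audit output against a pilot group before applying the change broadly; a reboot or network restart is needed for the NetBIOS setting to take effect on existing sessions.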
IPv6 DNS spoofing occurs when a rogue DHCPv6 server is deployed on a network. Because Windows prefers IPv6 over IPv4, IPv6-enabled clients will take configuration from a DHCPv6 server if one is available. During an attack, the rogue server assigns an IPv6 DNS server to these clients while their IPv4 configuration stays intact, so their DNS requests now go to the attacker’s system, which can intercept them.
Recommendations:
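Because the rogue server in this finding does nothing more than hand out a DNS server address, the useful host-side check is simply which adapters will accept a DHCPv6 lease and which IPv6 DNS servers the resolver currently trusts. The following PowerShell is an added example, not from the Vonahi report: the reporting function is read-only, and the second function stops the DHCPv6 client on adapters for networks that do not run IPv6. The `$ExpectedIPv6Dns` allow-list and the function names are assumptions for illustration; the cmdlets are the built-in NetTCPIP and DnsClient ones.

```powershell
# Added example (not from the Vonahi report): surface DHCPv6 exposure and the IPv6 DNS servers in use.

# Assumption: fill this with the IPv6 DNS servers your network legitimately hands out.
# An empty list means "we do not use IPv6 DNS here", so any IPv6 DNS server is flagged.
$ExpectedIPv6Dns = @()

function Get-DhcpV6Exposure {
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } |
        ForEach-Object {
            $dns = @((Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv6).ServerAddresses)
            $unexpected = @($dns | Where-Object { $ExpectedIPv6Dns -notcontains $_ })
            [pscustomobject]@{
                Interface       = $_.InterfaceAlias
                Dhcpv6          = $_.Dhcp            # Enabled: the stack will take a DHCPv6 lease if offered
                RouterDiscovery = $_.RouterDiscovery # Enabled: a router advertisement can tell the host to use DHCPv6
                IPv6DnsServers  = ($dns -join ', ')
                UnexpectedDns   = ($unexpected -join ', ')   # anything here deserves a look
            }
        }
}

function Disable-DhcpV6 {
    # Host-side fallback for networks that do not run IPv6. Switch-side DHCPv6 Guard / RA Guard
    # is the stronger control because it stops the rogue server from reaching any client at all.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.Dhcp -eq 'Enabled' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.InterfaceAlias, 'Set IPv6 Dhcp = Disabled')) {
                Set-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv6 -Dhcp Disabled
            }
        }
}

# Usage: report first; drop -WhatIf to actually disable the DHCPv6 client.
Get-DhcpV6Exposure | Format-Table -AutoSize
Disable-DhcpV6 -WhatIf
```

If IPv6 must stay enabled but IPv4 should win for name resolution, the alternative Microsoft documents is the `DisabledComponents` DWORD (value `0x20`, "prefer IPv4 over IPv6") under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters`; that removes the preference the attack depends on without turning IPv6 off.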
An outdated Microsoft Windows system is vulnerable to attacks as it no longer receives security updates. This makes it an easy target for attackers, who can exploit its weaknesses and potentially pivot to other systems and resources in the network.
Recommendations:
Intelligent Platform Management Interface (IPMI) allows administrators to manage servers centrally. However, some servers have vulnerabilities that let attackers bypass authentication and extract password hashes. If the password is default or weak, attackers can obtain the cleartext password and gain remote access.
Recommendations:
Since there is no patch available for this particular vulnerability, it is recommended to perform one or more of the following actions.
Systems vulnerable to CVE-2019-0708 (BlueKeep) were identified during testing. This Microsoft Windows vulnerability is highly exploitable due to available tools and code, allowing attackers to gain full control over affected systems.
Recommendations:
During the internal penetration test, many systems were found to share the same local administrator password. Compromising one local administrator account provided access to multiple systems, significantly increasing the risk of a widespread compromise within the organization.
Recommendations:
Systems vulnerable to MS17-010 (EternalBlue) were identified during testing. This Windows vulnerability is highly exploitable due to available tools and code, allowing attackers to gain full control over affected systems.
Recommendations:
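Three of the findings above (an out-of-support Windows version, EternalBlue, and BlueKeep) can be spotted from a single host-side report: the OS version, whether SMBv1 is still enabled on the server side (the protocol MS17-010 lives in), and whether RDP requires Network Level Authentication (Microsoft documented NLA as an interim mitigation for CVE-2019-0708; the patch remains the fix). The following PowerShell is an added example, not from the Vonahi report or vPenTest. The list of out-of-support product names is an assumption you must maintain; the function names are mine; the cmdlets and registry values are the standard Windows ones. Run it elevated.

```powershell
# Added example (not from the Vonahi report): read-only exposure report plus an optional SMBv1 switch-off.

# Assumption: keep this list current. These product families were out of extended support when written.
$OutOfSupportNames = @('Windows 7', 'Windows 8', 'Windows Server 2008', 'Windows Server 2012')

function Get-LegacyExposureReport {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $caption = $os.Caption
    $unsupported = [bool]($OutOfSupportNames | Where-Object { $caption -like "*$_*" })

    # Most recent installed hotfix: a stale date is the quickest hint at a patching deficiency.
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

    # SMBv1 on the server side is what MS17-010 / EternalBlue targets.
    $smb = Get-SmbServerConfiguration

    # RDP state and whether NLA (UserAuthentication = 1) is required before a session is negotiated.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"
    $rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla       = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        OS                = "$caption ($($os.Version))"
        OutOfSupport      = $unsupported
        LastHotfixDate    = $lastPatch.InstalledOn
        Smb1ServerEnabled = $smb.EnableSMB1Protocol
        RdpEnabled        = ($rdpDenied -eq 0)
        RdpNlaRequired    = ($nla -eq 1)
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set-SmbServerConfiguration -EnableSMB1Protocol $false')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage: review the report, then preview the SMBv1 change; drop -WhatIf to apply it.
Get-LegacyExposureReport | Format-List
Disable-Smb1Server -WhatIf
```

A host that reports `OutOfSupport = True` cannot be fixed by configuration; it needs upgrading or isolation. For the other two columns, `Smb1ServerEnabled = False` and `RdpNlaRequired = True` are the expected values on a patched, hardened system, and on a domain they are better enforced through Group Policy than per host.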
Dell EMC iDRAC7/iDRAC8 versions prior to 2.52.52.52 are vulnerable to CVE-2018-1207, a command injection issue. This allows unauthenticated attackers to execute commands with root privileges, giving them complete control over the iDRAC device.
Recommendations:
While each of these findings stems from a different exploit, many of them have common root causes: configuration weaknesses and patching deficiencies continue to account for most of the top critical pentest findings.
Configuration weaknesses are typically due to improperly hardened services on systems deployed by administrators and include issues such as weak or default credentials, unnecessarily exposed services, or excessive user permissions. Although some configuration weaknesses may be exploitable only in limited circumstances, the potential impact of a successful attack is relatively high.
Patching deficiencies remain a major issue for organizations and are typically due to compatibility concerns and, often, configuration issues within the patch management solution.
These two issues alone demonstrate the need for frequent penetration testing. While once-a-year testing has been the usual approach, ongoing testing identifies significant gaps closer to real time and shows how security risks can lead to serious compromises. For example, Tenable’s Nessus scanner might identify LLMNR, but only as informational. Quarterly or monthly network penetration testing with Vonahi’s vPenTest not only highlights these issues but also explains their potential impact.
vPenTest is a leading, fully automated network penetration testing platform that proactively helps reduce security risks and breaches across an organization’s IT environment. It removes the hassle of finding a qualified network penetration tester and provides quality deliverables that communicate which vulnerabilities were identified, what risk they present to the organization, and how to remediate them from a technical and strategic standpoint. Best of all, it can help bolster the organization’s compliance management capabilities.
Get a free trial today and see how easy it is to use vPenTest to proactively identify your risks to cyberattacks in real-time.