Penetration testing is one of the best ways for information technology (IT) specialists to find a company's weaknesses before attackers do. Penetration testing, often called pen testing, simulates real cyberattacks and provides vital information about an organization's security posture by highlighting vulnerabilities that could lead to data breaches or other security incidents. To better understand the exploitable vulnerabilities organizations commonly encounter and how to address them effectively, let's examine each of these 10 critical pen testing findings in more detail.
10 Pen Testing Recommendations & Findings
1. Multicast DNS (mDNS) Spoofing
Without a local DNS server, small networks can resolve host names using the multicast DNS (mDNS) protocol. A host multicasts its query to the local subnet, and any system on that subnet can reply with the requested IP address. Attackers take advantage of this by answering with their own system's IP address; the victim then connects to the attacker's host and, for protocols such as SMB or HTTP that use Windows authentication, sends its NetNTLM credentials, which can be cracked offline or relayed to another service.
Recommendations:
Disabling mDNS completely when not in use is the most effective way to stop exploitation. Depending on the implementation, this means stopping the Apple Bonjour service, stopping the avahi-daemon service on Linux, or, on Windows 10 and later, turning off the built-in mDNS client (the EnableMDNS DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters set to 0).
2. NetBIOS Name Service (NBNS) Spoofing
NetBIOS Name Service (NBNS) is a legacy protocol used in internal networks to resolve host names when DNS cannot. It broadcasts queries to the local subnet (UDP port 137), and any system can respond with the requested IP address. Attackers exploit this exactly as with mDNS, by responding with their own system's IP address and capturing whatever credentials the victim then sends.
Recommendations:
To prevent the use of NBNS in a Windows environment, or to reduce the impact of NBNS spoofing attacks, consider the following strategies:
- Configure the UseDnsOnlyForNameResolutions Registry Key
Prevent systems from issuing NBNS queries by configuring the UseDnsOnlyForNameResolutions registry key (documented under NetBIOS over TCP/IP Configuration Parameters, HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters). Set this DWORD value to 1 to disable NBNS name queries.
- Disable the NetBIOS Service for All Windows Hosts
Disable NetBIOS over TCP/IP on every Windows host in the internal network. This can be done through a DHCP option (the Microsoft vendor-specific option 001 "Disable NetBIOS over TCP/IP"), the WINS tab of each network adapter's TCP/IPv4 settings, or the per-interface NetbiosOptions registry value (2 = disabled) under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces.
3. Link-Local Multicast Name Resolution (LLMNR) Spoofing
Link-Local Multicast Name Resolution (LLMNR) is a protocol used in internal networks to resolve host names when DNS fails to. It multicasts queries on the local link (UDP port 5355, to 224.0.0.252 or FF02::1:3), allowing any system on the link to respond with the requested IP address. As with mDNS and NBNS, attackers exploit this by responding with their own system's IP address.
Recommendations:
To prevent LLMNR exploitation, configure the Multicast Name Resolution setting (the EnableMulticast registry value) to disable LLMNR queries.
- Using Group Policy (preferred for domain-joined hosts):
- Navigate to
Computer Configuration\Administrative Templates\Network\DNS Client
- Set
Turn off Multicast Name Resolution
to Enabled
- Note: For administering a Windows Server 2003 DC, use the Remote Server Administration Tools for Windows 7.
- Using the Registry (Windows Vista/7/10 Home editions, which have no Group Policy editor):
- Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
- Set the DWORD value
EnableMulticast
to 0 to disable LLMNR (create the key and the value if they do not exist).
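The three findings above share one remediation pattern: a registry value (or the Group Policy that writes it) that turns the broadcast/multicast resolver off. The following PowerShell script is an added example, not code from the original article: it audits the LLMNR, mDNS and NBNS settings referenced in findings 1 to 3 on a single Windows host and, with -Remediate, sets them. The registry paths are the ones cited above; the EnableMDNS value under Dnscache\Parameters is the commonly used switch for the built-in mDNS client on Windows 10 and later and is an assumption you should verify on your build. Domain-joined hosts should receive the LLMNR setting from Group Policy; use this script on standalone hosts, or to verify what a GPO actually applied.

```powershell
# Added example, not from the original article: audit (and with -Remediate, fix)
# the settings behind findings 1-3 on one Windows host. Run in an elevated session.
# Use -Remediate -WhatIf to preview the registry writes without making them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # default is report-only
)

$checks = @(
    @{ Name = 'LLMNR (EnableMulticast)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Key  = 'EnableMulticast'; Want = 0 },
    @{ Name = 'mDNS (EnableMDNS; assumption: honoured by Windows 10+ builds)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
       Key  = 'EnableMDNS'; Want = 0 },
    @{ Name = 'NBNS global (UseDnsOnlyForNameResolutions)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Key  = 'UseDnsOnlyForNameResolutions'; Want = 1 }
)

# NetBIOS over TCP/IP is also configured per interface: NetbiosOptions 2 = disabled.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifRoot) {
    $checks += @{ Name = "NetBT on $($iface.PSChildName)"
                  Path = Join-Path $ifRoot $iface.PSChildName
                  Key  = 'NetbiosOptions'; Want = 2 }
}

foreach ($c in $checks) {
    # A missing value means "default", i.e. the protocol is still enabled.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $status  = if ($current -eq $c.Want) { 'OK' } else { 'FINDING' }
    $shown   = if ($null -eq $current) { '<not set>' } else { $current }
    '{0,-8} {1} = {2} (want {3})' -f $status, $c.Name, $shown, $c.Want

    if ($Remediate -and $status -ne 'OK' -and
        $PSCmdlet.ShouldProcess($c.Path, "set $($c.Key) = $($c.Want)")) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
    }
}
```

Save it as a .ps1 and run it once without switches to get the report a tester would produce, then with -Remediate on a test host. A reboot (or at least a restart of the DNS Client service) is needed before the LLMNR and mDNS changes take effect, and the NetBT interface entries for adapters that are currently disconnected still count: Responder-style tools only need one adapter that answers.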
4. IPv6 DNS Spoofing
IPv6 DNS spoofing occurs when a rogue DHCPv6 server is deployed on a network. Windows enables IPv6 by default and prefers it over IPv4, so IPv6-enabled clients will accept a DHCPv6 server's offers if one appears, even on a network that otherwise runs only IPv4. During an attack, the rogue server assigns the attacker's system as the clients' IPv6 DNS server, so the clients send their DNS queries to the attacker, who can answer them with any address they choose and intercept the traffic that follows.
Recommendations:
- Disable IPv6:
- Unless required for business operations, disable IPv6 by unbinding it from the network adapters (Microsoft does not recommend removing the IPv6 stack itself, and some Windows components assume it is present). Test this configuration thoroughly to avoid network service interruptions.
- Implement DHCPv6 Guard:
- Use DHCPv6 Guard on network switches so that DHCPv6 server messages are accepted only on ports facing authorized DHCP servers. Pair it with RA Guard, since a rogue router advertisement can push a DNS server to clients in the same way.
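DHCPv6 Guard lives on the switch, but the client side is easy to check from the host. The following PowerShell script is an added example, not code from the original article: it reports whether IPv6 is bound, which IPv6 addresses were learned from DHCPv6 or router advertisements, and which IPv6 DNS servers the resolver is using, then optionally unbinds IPv6 from every adapter. The $ExpectedDnsServers parameter is an assumption: list the IPv6 DNS servers your network legitimately provisions; on an IPv4-only network it stays empty, and any IPv6 DNS server found is a finding.

```powershell
# Added example, not from the original article: report a Windows host's exposure to
# IPv6 DNS spoofing and optionally unbind IPv6 from its adapters. Run elevated.
param(
    [string[]]$ExpectedDnsServers = @(),   # assumption: legitimate IPv6 DNS servers, if any
    [switch]$DisableIPv6
)

# 1. Which adapters have IPv6 bound? Every bound adapter will answer a DHCPv6 offer.
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled |
    Format-Table -AutoSize

# 2. Which IPv6 addresses were learned from DHCPv6 or router advertisements?
#    On an IPv4-only network any such address means a DHCPv6 server or an IPv6
#    router exists that nobody provisioned.
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -in @('Dhcp', 'RouterAdvertisement') } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin |
    Format-Table -AutoSize

# 3. Which IPv6 DNS servers is the resolver using? A rogue DHCPv6 server's whole
#    purpose is to plant its own address here.
foreach ($entry in Get-DnsClientServerAddress -AddressFamily IPv6) {
    foreach ($srv in $entry.ServerAddresses) {
        if ($ExpectedDnsServers -notcontains $srv) {
            Write-Warning ('Interface {0}: unexpected IPv6 DNS server {1}' -f $entry.InterfaceAlias, $srv)
        }
    }
}

if ($DisableIPv6) {
    # Unbind IPv6 from every adapter instead of removing the stack; this is what the
    # recommendation above means by "disable" and is reversible with Enable-NetAdapterBinding.
    Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    Write-Output 'IPv6 unbound from all adapters; verify connectivity before rolling this out widely.'
}
```

Run the report on a few workstations while a tester is on site: the DHCPv6-learned address and the unexpected DNS server appear within seconds of the rogue server starting, which is also a useful thing to alert on from endpoint telemetry.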
5. Outdated Microsoft Windows Systems
Outdated Microsoft Windows systems no longer receive security updates, so every vulnerability disclosed after their end-of-support date remains exploitable indefinitely, making them easy targets for attackers.
Recommendations:
- Replace outdated Windows versions with supported, fully patched operating systems. Where a legacy system cannot be replaced immediately, isolate it on a restricted network segment and limit which hosts can reach it.
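Finding these systems should not wait for the next pen test. The following PowerShell script is an added example, not code from the original article: it queries Active Directory for enabled, recently active computer accounts and flags those whose operating system string matches a version that is past end of support. It assumes the ActiveDirectory RSAT module is available and that the end-of-support dates in the table (Microsoft's published extended-support end dates at the time of writing) are verified against the Microsoft Lifecycle site before anyone acts on the report; per-release lifecycles for Windows 10/11 and Server 2016 and later are not modelled.

```powershell
# Added example, not from the original article: list domain computers running
# Windows versions that are past end of support. Requires the ActiveDirectory
# module and read access to computer objects.
Import-Module ActiveDirectory

# Assumption: published extended-support end dates; verify before acting on results.
$endOfSupport = @(
    @{ Pattern = '^Windows XP';          EndOfSupport = '2014-04-08' }
    @{ Pattern = '^Windows Server 2003'; EndOfSupport = '2015-07-14' }
    @{ Pattern = '^Windows 8( |$)';      EndOfSupport = '2016-01-12' }
    @{ Pattern = '^Windows Vista';       EndOfSupport = '2017-04-11' }
    @{ Pattern = '^Windows 7';           EndOfSupport = '2020-01-14' }
    @{ Pattern = '^Windows Server 2008'; EndOfSupport = '2020-01-14' }   # 2008 and 2008 R2
    @{ Pattern = '^Windows 8\.1';        EndOfSupport = '2023-01-10' }
    @{ Pattern = '^Windows Server 2012'; EndOfSupport = '2023-10-10' }   # 2012 and 2012 R2
)

$staleCutoff = (Get-Date).AddDays(-90)   # ignore accounts that have not logged on recently

$report = Get-ADComputer -Filter { Enabled -eq $true } `
              -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $_.OperatingSystem -and $_.LastLogonDate -gt $staleCutoff } |
    ForEach-Object {
        $computer = $_
        $match = $endOfSupport |
            Where-Object { $computer.OperatingSystem -match $_.Pattern } |
            Select-Object -First 1
        if ($match) {
            [pscustomobject]@{
                Name            = $computer.Name
                OperatingSystem = $computer.OperatingSystem
                Build           = $computer.OperatingSystemVersion
                EndOfSupport    = $match.EndOfSupport
                LastLogon       = $computer.LastLogonDate
            }
        }
    }

$report | Sort-Object EndOfSupport, Name | Format-Table -AutoSize
'{0} unsupported computer(s) found' -f @($report).Count
```

The LastLogonDate filter keeps the list actionable: stale computer objects that never log on are a different hygiene problem (remove them) and would otherwise drown the live legacy hosts, which are the ones a tester will actually exploit.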
6. IPMI Authentication Bypass
Intelligent Platform Management Interface (IPMI) allows administrators to manage servers out of band through the baseboard management controller (BMC). However, the IPMI 2.0 RAKP authentication exchange returns a salted hash of a user's password to the client before the client has proven its own identity, so an attacker who can reach the IPMI port can request password hashes for known or guessed user names. If the password is a default or weak one, the attacker cracks the hash offline, obtains the cleartext password and gains remote access to the BMC, and through it to the server's console and power controls.
Recommendations:
- Restrict IPMI Access:
- Limit IPMI and other BMC access to a dedicated management network reachable only from the systems that require it for administration; never expose it to user subnets or the Internet.
- Disable IPMI:
- If not required, disable the IPMI service.
- Change Default Passwords:
- Change every default BMC password and use strong, unique passwords; also remove or disable unused accounts, since any known user name is enough to request its hash.
- Use Secure Protocols:
- Use HTTPS and SSH, and disable the plain HTTP and Telnet interfaces, to reduce the risk of man-in-the-middle attacks.
7. Microsoft Windows RCE (BlueKeep)
Systems vulnerable to CVE-2019-0708 (BlueKeep) were identified during testing. BlueKeep is a pre-authentication remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008 and 2008 R2 and earlier versions; it is wormable and allows an unauthenticated attacker to gain full control over affected systems.
Recommendations:
- Apply Security Updates:
- Immediately patch affected systems. Where patching is delayed, enable Network Level Authentication (NLA) for RDP and block TCP port 3389 from untrusted networks as compensating controls; NLA forces authentication before the vulnerable code path is reachable.
- Evaluate Patch Management Program:
- Assess why security updates were missing to improve the patch management process.
8. Local Administrator Password Reuse
During testing, many systems were found to share the same local administrator password. Compromising one account provided access to multiple systems, increasing the risk of widespread compromise.
Recommendations:
- Deploy the Microsoft Local Administrator Password Solution (LAPS) so that every host's local administrator password is unique, randomly generated, rotated regularly and stored in Active Directory where only authorized administrators can read it.
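Deploying LAPS is only half the fix; the other half is confirming it is managing every host, because a computer the LAPS client never ran on keeps the shared password the tester reused. The following PowerShell script is an added example, not code from the original article: it lists enabled computer objects that carry neither the legacy LAPS expiration attribute (ms-Mcs-AdmPwdExpirationTime) nor the Windows LAPS one (msLAPS-PasswordExpirationTime), and computers whose expiration time has passed without a rotation. It assumes the ActiveDirectory module and read access to the expiration attributes (the password attributes themselves stay restricted) and that both LAPS schema extensions are present; if only one is installed, remove the other attribute from $attrs, since Get-ADComputer rejects attributes missing from the schema.

```powershell
# Added example, not from the original article: confirm LAPS coverage across the domain.
Import-Module ActiveDirectory

# Assumption: both LAPS schema extensions exist; drop the one you do not use.
$attrs = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime',
         'OperatingSystem', 'LastLogonDate'
$computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties $attrs

$notCovered = foreach ($c in $computers) {
    $legacy = $c.'ms-Mcs-AdmPwdExpirationTime'
    $modern = $c.'msLAPS-PasswordExpirationTime'

    if (-not $legacy -and -not $modern) {
        # The LAPS client has never set a password on this host: it still has
        # whatever local administrator password it was built or imaged with.
        [pscustomobject]@{
            Name            = $c.Name
            OperatingSystem = $c.OperatingSystem
            LastLogon       = $c.LastLogonDate
            Reason          = 'no LAPS expiration attribute set'
        }
        continue
    }

    # Expiration times are stored as Windows FILETIME (100 ns ticks since 1601 UTC).
    $raw     = if ($modern) { $modern } else { $legacy }
    $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
    if ($expires -lt (Get-Date).ToUniversalTime()) {
        # Expired but not rotated: the client stopped running or lost write access.
        [pscustomobject]@{
            Name            = $c.Name
            OperatingSystem = $c.OperatingSystem
            LastLogon       = $c.LastLogonDate
            Reason          = "password expired $($expires.ToString('u')) and was not rotated"
        }
    }
}

$notCovered | Sort-Object Reason, Name | Format-Table -AutoSize
'{0} of {1} computers are not covered by LAPS' -f @($notCovered).Count, @($computers).Count
```

Run it a week after the GPO that installs LAPS has applied; hosts that appear under "expired and was not rotated" usually have the client installed but lack write permission to the attribute, which the LAPS setup cmdlets grant per OU.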
9. Microsoft Windows RCE (EternalBlue)
Systems vulnerable to MS17-010 (EternalBlue) were identified during testing. This remote code execution vulnerability in the SMBv1 server allows unauthenticated attackers to gain full control over affected systems over TCP port 445.
Recommendations:
- Apply Security Updates:
- Immediately patch affected systems. Also disable SMBv1 across the environment: the protocol is obsolete, and removing it closes this and similar bugs regardless of patch state.
- Evaluate Patch Management Program:
- Assess why security updates were missing to improve the patch management process.
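Both RCE findings (7 and 9) have the same shape: a years-old patch that never arrived, on a service that should not have been reachable in its default configuration anyway. The following PowerShell script is an added example, not code from the original article: run elevated on a host, it checks the compensating controls for each (NLA on RDP for BlueKeep, SMBv1 removed for EternalBlue) and how old the newest installed hotfix is, which is the patch-management signal the article says to investigate. The 45-day patch SLA is an assumption; adjust it to your own policy.

```powershell
# Added example, not from the original article: compensating-control checks for the
# two RCE findings plus a patch-age check. Run in an elevated session.

function Test-RdpNla {
    # BlueKeep is a pre-authentication bug; with NLA required, an attacker must
    # authenticate before the vulnerable code path is reached.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        Check  = 'RDP requires NLA (UserAuthentication = 1)'
        Value  = $rdp.UserAuthentication
        Status = if ($rdp.UserAuthentication -eq 1) { 'OK' } else { 'FINDING' }
    }
}

function Test-Smb1 {
    # EternalBlue is an SMBv1 bug; a host with SMBv1 removed is not reachable by it.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'SMBv1 disabled (server setting and optional feature)'
        Value  = "EnableSMB1Protocol=$($server.EnableSMB1Protocol); feature=$($feature.State)"
        Status = if (-not $server.EnableSMB1Protocol -and $feature.State -ne 'Enabled') { 'OK' } else { 'FINDING' }
    }
}

function Test-PatchAge {
    param([int]$MaxDays = 45)   # assumption: the organisation's patch SLA
    # Both findings were years old when tested; a host whose newest hotfix is older
    # than the SLA is the patch-management failure the article describes.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Check  = "Newest hotfix within $MaxDays days"
        Value  = if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'none recorded' }
        Status = if ($null -ne $age -and $age -le $MaxDays) { 'OK' } else { 'FINDING' }
    }
}

@(Test-RdpNla; Test-Smb1; Test-PatchAge) | Format-Table -AutoSize
```

Any FINDING here on a host that is also missing the patch is the one to fix first: it is exposed to an unauthenticated network attacker with no mitigation in the way. On Windows Server, SMBv1 may be installed as the FS-SMB1 feature instead of the optional feature, so also check Get-WindowsFeature FS-SMB1 there.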
10. Dell EMC iDRAC 7/8 CGI Injection (CVE-2018-1207)
Dell EMC iDRAC7/iDRAC8 versions prior to 2.52.52.52 are vulnerable to CVE-2018-1207, a command injection issue allowing unauthenticated attackers to execute commands with root privileges.
Recommendations:
- Upgrade Firmware:
- Update iDRAC7/iDRAC8 firmware to 2.52.52.52 or later. As with IPMI, keep the iDRAC interface on an isolated management network rather than reachable from general-purpose subnets, so that the next firmware bug is not exposed to every internal host.
Common Causes of Critical Pentest Findings
While each finding stems from a different exploit, many share common root causes: configuration weaknesses and patching deficiencies.
Configuration Weaknesses:
- Typically due to improperly hardened services, weak/default credentials, unnecessarily exposed services, or excessive user permissions. While some may be exploitable in limited circumstances, successful attacks can have a high impact.
Patching Deficiencies:
- Often due to compatibility or configuration issues within the patch management solution, such as hosts that have dropped out of the patching scope or updates that fail silently. These deficiencies highlight the need for regular penetration testing to confirm that the patch process is actually working, not just reporting that it is.
Recommendations:
- Frequent Penetration Testing:
- Ongoing testing, beyond the typical annual approach, can identify significant gaps closer to real-time, providing valuable insights into security risks and potential compromises. For instance, Tenable’s Nessus scanner might identify LLMNR as informational, but more frequent testing with dedicated pen testing tools can highlight these issues and explain their potential impact.