10 Critical Network Pentest Findings IT Teams Overlook

After conducting over 10,000 automated inner community penetration exams final 12 months, vPenTest has uncovered a troubling actuality that many companies nonetheless have crucial safety gaps that attackers can simply exploit.

Organizations usually assume that firewalls, endpoint safety, and SIEMs are sufficient to maintain them safe. However how efficient are these defenses when put to the check? That is the place vPenTest, Vonahi Safety’s automated community pentesting platform, is available in. Designed to simulate real-world assault eventualities, vPenTest helps organizations discover exploitable vulnerabilities earlier than cybercriminals can.

These aren’t complicated, zero-day exploits. They’re misconfigurations, weak passwords, and unpatched vulnerabilities that attackers routinely exploit to realize entry, transfer laterally, and escalate privileges inside networks. Here is how these dangers break down:

• 50% stem from misconfigurations – Default settings, weak entry controls, and neglected safety insurance policies.
• 30% are on account of lacking patches – Unpatched programs that go away the door open for identified exploits.
• 20% contain weak passwords – Companies working with out correct authentication, making it simple for attackers to get in.

On this article, we’ll cowl the ten most crucial inner community safety dangers, breaking down what they’re, why they’re harmful, and the right way to repair them earlier than they flip into actual issues. We’ll begin with the least frequent and work our approach as much as the primary concern we have seen throughout 1000’s of assessments with vPenTest. If these weaknesses exist in your setting, attackers will discover them—it is only a matter of time.

10. Password Deficiencies – Redis Service

CVSS3: 9.9

% of incidence: 1.3%

What’s it:

• Redis is an in-memory key-value knowledge retailer generally used for caching, message brokering, and real-time analytics. By default, Redis doesn’t implement authentication, permitting shoppers to attach with out credentials.

Safety Impression:

• If an adversary positive factors entry to the Redis service, they might get hold of delicate knowledge saved throughout the databases hosted on the server and probably escalate privileges to realize system-level entry, relying on the capabilities of the Redis service and the permissions related to the compromised consumer account. This might result in unauthorized knowledge manipulation, knowledge exfiltration, or additional exploitation of the system.

Advice:

• It’s crucial to configure the Redis service to require a powerful password that meets the group’s password coverage. A strong password ought to embody the next standards:
• • Minimal of 12 characters
  • Not simply guessable, e.g., not present in a dictionary
  • Mixture of upper-case letters, decrease case letters, numerical digits, and/or particular characters
  • Verifiable towards identified compromised password databases (e.g., www.haveibeenpwned.com)
• Moreover, using a password supervisor can improve safety by producing complicated passwords which are troublesome to retrieve, even within the occasion that the password hash is obtained by means of a breach.

9. Firebird Servers Settle for Default Credentials

CVSS3: 9.0

% of incidence: 1.4%

What’s it:

• Default credentials are sometimes hard-coded usernames and passwords meant for preliminary setup and must be modified promptly to keep up safety. This concern arises when programs are deployed with out reconfiguration or when default settings are neglected in the course of the setup course of.

Safety Impression:

• The reliance on default credentials for Firebird servers can result in unauthorized entry, permitting attackers to authenticate and conduct reconnaissance on the affected programs. They might enumerate recordsdata or alter system configurations, thereby opening pathways to additional exploitation. If the attacker identifies the placement of Firebird database recordsdata, they might acquire the flexibility to learn or modify delicate database info. Moreover, sure variations of Firebird will be manipulated to execute system instructions, thereby extending an attacker’s management over the distant host.

Advice:

• To mitigate this vulnerability, it’s important to make the most of the GSEC instrument to alter the default credentials related to Firebird servers. Moreover, implementing a coverage for normal credential audits and guaranteeing that every one default settings are modified earlier than deployment can additional improve safety. Constantly monitoring server entry logs for unauthorized makes an attempt and enabling alerts for suspicious actions will support in detecting potential exploitations early.

8. Microsoft Home windows RCE (BlueKeep)

CVSS3: 9.8

% of incidence: 4.4%

What’s it:

• BlueKeep is a distant code execution vulnerability in Microsoft’s Distant Desktop Protocol (RDP), recognized as CVE-2019-0708.

Safety Impression:

• Exploitation of the BlueKeep vulnerability permits an attacker to imagine full management over the affected system(s). This degree of entry might facilitate additional assaults throughout the group’s infrastructure, together with the potential extraction of delicate knowledge reminiscent of passwords and password hashes. Moreover, the attacker may navigate laterally throughout the community, compromising further programs and companies. The exploit’s nature signifies that no particular privileges or authenticated entry are required to execute the assault, thus simplifying the method for the attacker and amplifying the potential influence on the group.

Advice:

• It’s crucial to promptly apply all related safety updates to the affected system(s) to mitigate the BlueKeep vulnerability. Organizations ought to conduct an intensive evaluation of their patch administration processes to establish elements contributing to the absence of well timed updates. Given the exploitability of this vulnerability and its capacity to severely compromise programs, a direct response is crucial to safeguarding the group’s digital setting.

7. Microsoft Home windows RCE (EternalBlue)

CVSS3: 9.8

% of incidence: 4.5%

What’s it:

• EternalBlue is a distant code execution vulnerability within the Microsoft Server Message Block (SMBv1) protocol. It permits an attacker to ship specifically crafted packets to a susceptible system, enabling unauthorized entry and execution of arbitrary code with system-level privileges.

Safety Impression:

• Exploitation of the EternalBlue vulnerability permits an attacker to realize full administrative entry to the affected system(s). This entry can facilitate additional malicious actions throughout the group’s community, together with the extraction of cleartext passwords and password hashes, in addition to lateral motion to different programs. Importantly, this vulnerability doesn’t require the attacker to escalate privileges on the compromised system, that means they’ll provoke reconnaissance and additional assaults with none further effort.

Advice:

• To mitigate the danger related to the EternalBlue vulnerability, it’s crucial to promptly apply the related safety patches to all affected system(s). Moreover, an intensive evaluation of the group’s patch administration program must be performed to establish any deficiencies that led to the unpatched standing of those programs. Given the excessive threat and prevalence of exploitation of this vulnerability, speedy remediation efforts are essential.

6. IPMI Authentication Bypass

CVSS3: 10.0

% of incidence: 15.7%

What’s it:

• The Clever Platform Administration Interface (IPMI) is a crucial {hardware} resolution utilized by community directors for centralized administration of server(s). Throughout the configuration of server(s) geared up with IPMI, sure vulnerabilities might exist that permit attackers to bypass the authentication mechanism remotely. This ends in the extraction of password hashes, and in cases the place default or weak hashing algorithms are employed, attackers may probably recuperate the cleartext passwords.

Safety Impression:

• The power to extract cleartext passwords presents a big safety threat, as an attacker may leverage this info to realize unauthorized distant entry to delicate companies, together with Safe Shell (SSH), Telnet, or web-based interfaces. Such unauthorized entry may allow configurations manipulation, negatively impacting the supply and integrity of companies offered by the compromised server(s).

Advice:

• Given the absence of a patch for this vulnerability, it’s important to implement a number of of the next mitigation methods:
• • Restrict IPMI entry strictly to approved system(s) that require administrative functionalities.
  • Disable IPMI service on server(s) that don’t want it for enterprise operations.
  • Change default administrator password(s) to sturdy, complicated alternate options to boost safety.
  • Make use of safe communication protocols, reminiscent of HTTPS and SSH, to mitigate the danger of man-in-the-middle assaults that would expose delicate credentials.

5. Outdated Microsoft Home windows Programs

CVSS3: 9.8

% of incidence: 24.9%

What’s it:

• Outdated Microsoft Home windows system(s) current vital safety dangers, as they’re now not receiving crucial updates from Microsoft. These system(s) might lack important safety patches addressing identified vulnerabilities, successfully rendering them extra inclined to exploitation by attackers. Moreover, the absence of updates may end up in compatibility points with fashionable safety instruments and software program, additional diminishing the system(s)’ defenses. Vulnerabilities on outdated programs can usually be exploited in assaults, reminiscent of malware distribution, knowledge exfiltration, and unauthorized entry.

Safety Impression:

• If exploited, an outdated Microsoft Home windows system may permit an attacker to realize unauthorized entry to the affected system(s), exposing delicate knowledge and sources. Moreover, because of the potential similarity in configurations amongst system(s) throughout the identical community, an attacker might make the most of the compromised system(s) as a launching level to maneuver laterally, compromising further system(s) and rising the general footprint of the breach.

Advice:

• It’s strongly beneficial to exchange outdated variations of Microsoft Home windows with present working system(s) which are nonetheless supported by the producer. This could embrace conducting an intensive stock of all system(s) to establish and prioritize outdated variations, adopted by implementing a phased improve technique. Commonly confirm that every one system(s) are receiving the newest updates and patches to keep up safety integrity.

4. IPv6 DNS Spoofing

CVSS3: 10.0

% of incidence: 49.9%

What’s it:

• The chance of IPv6 DNS spoofing arises from the attainable introduction of a rogue DHCPv6 server throughout the inner community infrastructure. Because of the desire of Microsoft Home windows programs for IPv6 over IPv4, IPv6-capable shoppers are inclined to acquire their IP deal with configurations from any obtainable DHCPv6 server.

Safety Impression:

• The deployment of a rogue DHCPv6 server permits an attacker to govern DNS requests by redirecting IPv6-enabled shoppers to make the most of the attacker’s system as their DNS server. This functionality can result in severe penalties, such because the unauthorized seize of delicate knowledge, together with consumer credentials. When all DNS queries resolve to the attacker’s server, the sufferer’s system might inadvertently talk with malicious companies working on the attacker’s infrastructure, encompassing platforms reminiscent of SMB, HTTP, RDP, and MSSQL.

Advice:

• To mitigate the dangers related to IPv6 DNS spoofing, the next methods are beneficial, with emphasis on aligning every strategy with organizational operations and thorough testing previous to implementation:
• • Handle Rogue DHCP on the Community Layer: Implement options reminiscent of Rogue DHCP detection, DHCP snooping, and DHCP authentication on community switches and firewalls to manage unauthorized DHCP servers and reduce the probability of DNS spoofing assaults.
  • Favor IPv4 over IPv6: Make the most of Group Coverage Objects (GPOs) or Group Coverage Preferences (GPPs) to deploy registry modifications that configure Home windows programs to favor IPv4 over IPv6. You will need to word that this strategy is not going to forestall assaults from affecting non-Home windows units.
  • Disable IPv6: Whereas not typically advisable for Microsoft Home windows programs, disabling IPv6 could also be thought-about as a final resort precaution, offered thorough testing ensures there are not any vital disruptions to enterprise operations.

3. Hyperlink-Native Multicast Identify Decision (LLMNR) Spoofing

CVSS3: 9.8

% of incidence: 65.5%

What’s it:

Hyperlink-Native Multicast Identify Decision (LLMNR) is a protocol designed for identify decision inside inner community environments when conventional Area Identify System (DNS) companies are both unavailable or ineffective. LLMNR acts as a fallback mechanism, facilitating the decision of DNS names by means of multicast queries. The decision course of unfolds as follows:

1. The system first queries its native host file to discover a corresponding IP deal with for the desired DNS identify.
2. If no native entry exists, the system initiates a DNS question directed at its configured DNS server(s) to resolve the identify.
3. Ought to the DNS server(s) fail to supply a decision, the system broadcasts an LLMNR question throughout the native community, searching for responses from different hosts.

This reliance on multicast broadcasts introduces vulnerabilities, as any energetic system can reply to the queries, probably deceptive the requesting system.

Safety Impression:

• The broadcasting nature of LLMNR queries permits any system on the native community to reply with its personal IP deal with in reply to a decision request. Malicious actors can exploit this by sending crafted responses containing the attacker’s system’s deal with. This functionality opens avenues for vital safety breaches, notably if the question is tied to delicate companies reminiscent of SMB, MSSQL, or HTTP. Profitable redirection can facilitate the seize of delicate info together with plaintext and hashed account credentials. It’s pertinent to notice that hashed credentials will be subjected to fashionable brute-force assaults, thereby compromising account safety.

Advice:

• To mitigate the dangers related to LLMNR spoofing, it’s crucial to disable LLMNR performance throughout affected programs. This may be completed by means of the next strategies:
  • Group Coverage Configuration: Navigate to Laptop ConfigurationAdministrative TemplatesNetworkDNS Shopper and set ‘Flip off Multicast Identify Decision’ to Enabled. For administering configurations on a Home windows Server 2003 area controller, make the most of the Distant Server Administration Instruments for Home windows 7 obtainable at this hyperlink.
  • Registry Modification for Home windows Vista/7/10 House Version: Entry the registry at HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTDNSClient and modify the ‘EnableMulticast’ key to 0 or take away it to disable the characteristic.

2. NetBIOS Identify Service (NBNS) Spoofing

CVSS3: 9.8

% of incidence: 73.3%

What it’s:

The NetBIOS Identify Service (NBNS) is a protocol utilized by workstations inside an inner community to resolve domains when a DNS server is unavailable or unresponsive. When a system makes an attempt to resolve a DNS identify, it follows these steps:

1. The system first checks its native host file for an entry mapping the DNS identify to an IP deal with.
2. If no native mapping exists, the system sends a DNS question to its configured DNS server(s) in an try to retrieve the corresponding IP deal with.
3. If the DNS server(s) can’t resolve the identify, the system broadcasts an NBNS question throughout the native community, soliciting responses from different programs.

This dependency on broadcasts makes the NBNS susceptible to spoofing assaults, whereby an attacker can reply with a false IP deal with.

Safety Impression:

• The broadcasting nature of NBNS queries signifies that any system on the native community can reply. This vulnerability will be exploited by malicious actors who might reply these queries with the IP deal with of the attacker’s system, redirecting visitors meant for professional companies. For example, companies reminiscent of SMB, MSSQL, or HTTP may inadvertently ship delicate knowledge, together with cleartext or hashed account credentials, to the attacker’s system. Furthermore, fashionable computational capabilities can facilitate the cracking of hashed credentials, probably permitting unauthorized entry to consumer accounts.

Advice:

• To mitigate the danger of NBNS spoofing, it’s advisable to disable the NetBIOS service throughout all hosts throughout the inner community. This may be completed by means of a wide range of strategies together with configuration of DHCP choices, changes to community adapter settings, or modifications to the system registry. Implementing these modifications will considerably cut back the potential assault floor related to NBNS.

1. Multicast DNS (mDNS) Spoofing

CVSS3: 9.8

% of incidence: 78.2%

What it’s:

Multicast DNS (mDNS) serves as a reputation decision protocol for native networks, facilitating the decision of domains when a devoted DNS server is unavailable. The decision course of happens in phases:

1. The system first consults its native host file for any acceptable DNS identify/IP deal with mappings.
2. Within the absence of a configured DNS server, the system resorts to mDNS, broadcasting an IP multicast question requesting identification from the host similar to the DNS identify. This protocol conduct exposes a possible vulnerability that malicious actors can exploit, enabling them to impersonate professional programs by responding to those queries.

Safety Impression:

• mDNS queries, that are transmitted throughout the native subnet, will be answered by any gadget able to receiving them. This vulnerability permits an attacker to reply with their system’s IP deal with, probably deceptive the querying system. Such exploitation might result in interception of delicate info, together with unencrypted and hashed credentials, relying on the particular service the sufferer is making an attempt to entry (e.g., SMB, MSSQL, HTTP). It must be famous that hashed credentials can usually be compromised inside a comparatively quick timeframe utilizing up to date computing sources and brute-force assault methodologies.

Advice:

• To mitigate the danger of mDNS spoofing, the first advice is to fully disable mDNS if it isn’t in use. On Home windows programs, this will usually be finished by implementing the ‘Disable Multicast Identify Decision’ group coverage. As many functions have the potential to reintroduce mDNS performance, another technique is to dam UDP port 5353 through the Home windows firewall. For non-Home windows programs, disabling companies reminiscent of Apple Bonjour or avahi-daemon can present related safety.
• You will need to word that disabling mDNS might disrupt functionalities reminiscent of display casting and sure convention room applied sciences. Ought to full disabling not be possible, take into account isolating affected programs inside a managed community phase and mandating using sturdy, complicated passwords for any accounts that entry these programs.

What Pentesting Reveals About Safety Gaps

After analyzing tens of 1000’s of community assessments, one factor is evident—many safety gaps aren’t the results of superior hacking methods however easy, avoidable errors. Weak passwords, forgotten misconfigurations, and unpatched programs create simple alternatives for attackers. These aren’t once-in-a-lifetime vulnerabilities. They’re recurring issues that present up in networks of all sizes, 12 months after 12 months.

Pentesting is like stress-testing your safety earlier than an actual attacker does. It reveals how somebody may break in, transfer round, and escalate privileges utilizing the identical ways real-world attackers depend on. Repeatedly, assessments show that even corporations with sturdy defenses usually have hidden weaknesses ready to be exploited.

The issue? Most organizations nonetheless depend on annual pentests for compliance, leaving months of blind spots in between. That is the place vPenTest from Vonahi Safety is available in. It delivers automated, on-demand community pentesting, so as an alternative of ready for an audit to let you know what went mistaken, yow will discover and repair exploitable vulnerabilities year-round.

Cyber threats aren’t slowing down, so safety testing should not both. Whether or not finished manually or by means of automation, common community pentesting is the important thing to staying forward of attackers—not simply checking a field for compliance. Need to discover vPenTest and see the ability of automated community pentesting for your self? Schedule a free demo of vPenTest!