This last week Core Security organized and ran a Capture the Flag hacking challenge for a group of high school students in New York City. We use a fictional health care provider’s network for these events, one that’s based on our real-world experience working in actual networks, from both an attack and a defense standpoint. A great time was had by all.
Even though this was the students’ first exposure to Core Impact as a penetration testing tool, almost all of the flags were captured. One of the students asked a cogent question, observing that some of the systems in the environment were pretty easy to hack. This in turn led to a couple of war stories, but the bottom line is that I’ve personally come across every single vulnerability that I built into that environment in penetration tests of third-party organizations. It’s amazing just how many simple, easy-to-exploit vulnerabilities remain in production networks. It’s downright embarrassing. To that point, I’m going to share a couple of real doozies from a talk that I do periodically called “10 Stupid Vulnerabilities that I’m Tired of Seeing on Every Pen-Test I Do.”
1. Improperly disposed network gear: When I do a pen-testing engagement, one of the first things I try to figure out is where the target disposes of its retired technology, mostly network gear. You’d be amazed how often you can get routers, firewalls, and switches (and the supervisor modules for them) that still have the configuration on them. This is a veritable cornucopia of details that make it easier to exploit things: network layout information, SNMP read/write community strings, VPN credentials, and network user credentials. And of course, those credentials are OFTEN in use in other areas (like Domain Admins).
2. Network devices with easily guessable SNMP community strings: Whether it’s the classic “public” or “private”, a manufacturer name like “Cisco”, “HP”, or “Juniper”, or the company name, default or easily guessable SNMP community strings give us the ability to manipulate networks at the most fundamental level. After all, if they’re using an Access Control List to block traffic, there must be a *good* reason, and of course we want to poke at that!
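As an added illustration (not code from the original post) of what a defender can check for the first two items, before a device leaves the rack or as part of a periodic config review: a small Python script that scans a Cisco-style config dump (the sample is constructed) for guessable community strings, read/write communities with no ACL, and credentials stored in recoverable form. The default-string list and the organization name are assumptions drawn from the examples in the post.

```python
import re

# Constructed sample of a Cisco-style running config of the kind that is
# often still present on retired gear (example data, not from any real network).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community Acme RW
snmp-server community Xk9-qR7t RW 10
username admin privilege 15 password 7 0822455D0A16
username ops secret 5 $1$salt$hashhashhashhashhashhash
crypto isakmp key VPNkey123 address 203.0.113.5
"""

# Community strings the post calls out as routinely guessable (assumed list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "hp", "juniper"}

def audit_config(config_text, org_name=None):
    """Return (line_no, severity, message) findings for a config dump.

    Flags guessable SNMP communities, RW communities that are not bound to an
    ACL, and credentials stored in a recoverable form (plaintext, type 7, or
    IKE pre-shared keys). Hashed secrets ("secret 5") are not flagged.
    """
    weak = set(DEFAULT_COMMUNITIES)
    if org_name:
        weak.add(org_name.lower())
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?", line)
        if m:
            community, access, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in weak:
                findings.append((n, "HIGH", f"guessable SNMP community {community!r} ({access})"))
            elif access == "RW" and acl is None:
                findings.append((n, "MEDIUM", f"RW community {community!r} has no ACL"))
            continue
        # "password <plain>", "password 0 <plain>" and "password 7 <obfuscated>"
        # are all recoverable; so is an IKE pre-shared key in the config.
        if re.search(r"\bpassword (?:7 |0 )?\S+", line) or "crypto isakmp key" in line:
            findings.append((n, "HIGH", "recoverable credential; wipe config before disposal"))
    return findings

if __name__ == "__main__":
    for line_no, severity, msg in audit_config(SAMPLE_CONFIG, org_name="Acme"):
        print(f"line {line_no}: [{severity}] {msg}")
```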
3. Lazy IT person debris: There are a lot of really useful tools for IT folks to help them monitor things, and many of them are packaged up as self-contained virtual appliances. That makes them easy to stand up and toy with. The problem comes when these VMs are never retired or, more properly, never managed at all. I’ve come across many an organization that’s running a Cacti VM, and because it was an appliance VM instead of a “real” server, it was never hardened, or it still has all the default credentials for SSH, the Cacti application itself, and the database. These are great for helping me find out the network layout, get additional credentials, and more.
4. Multi-Function Printers: I love, love, love those giant multifunction printer/copier/fax/scanner machines. Why? Because historically, the vendors who install and manage them are completely clueless about information security, and they don’t coordinate with internal IT or security folks. Almost without fail, the management interface is accessible with easily Googleable default credentials, and if it offers a “scan to network” or “scan to email” function, we’ll almost always find it using an account with highly privileged access, if not Domain Admin privileges. To add icing to the cake, these machines are almost always *years* behind on updates, because the vendors that manage them don’t care and the customers overlook the need. That’s four examples from the talk.