
DEMO CORP

Security Assessment Findings Report

Business Confidential

Date: March 9th, 2021


Project: DC-001
Version 1.0

DEMO CORP
BUSINESS CONFIDENTIAL Page 1 of 38
Copyright © TCM Security (tcm-sec.com)
Table of Contents
Table of Contents ..................................................................................................................................................... 2
Confidentiality Statement ........................................................................................................................................ 4
Disclaimer ................................................................................................................................................................. 4
Contact Information.................................................................................................................................................. 4
Assessment Overview............................................................................................................................................... 5
Assessment Components ........................................................................................................................................ 5
Internal Penetration Test ....................................................................................................................... 5
Finding Severity Ratings ........................................................................................................................................... 6
Risk Factors .............................................................................................................................................................. 6
Likelihood ................................................................................................................................................ 6
Impact...................................................................................................................................................... 6
Scope......................................................................................................................................................................... 7
Scope Exclusions .................................................................................................................................... 7
Client Allowances .................................................................................................................................... 7
Executive Summary .................................................................................................................................................. 8
Scoping and Time Limitations................................................................................................................ 8
Testing Summary .................................................................................................................................... 8
Tester Notes and Recommendations .................................................................................................... 9
Key Strengths and Weaknesses ..........................................................................................................10
Vulnerability Summary & Report Card................................................................................................................... 11
Internal Penetration Test Findings ......................................................................................................11
Technical Findings .................................................................................................................................................. 13
Internal Penetration Test Findings ......................................................................................................13
Finding IPT-001: Insufficient LLMNR Configuration (Critical) ....................................................................... 13
Finding IPT-002: Security Misconfiguration – Local Admin Password Reuse (Critical) .............................. 14
Finding IPT-003: Security Misconfiguration – WDigest (Critical) .................................................................. 15
Finding IPT-004: Insufficient Hardening – Token Impersonation (Critical).................................................. 16
Finding IPT-005: Insufficient Password Complexity (Critical) ....................................................................... 17
Finding IPT-006: Security Misconfiguration – IPv6 (Critical) ........................................................................ 18
Finding IPT-007: Insufficient Hardening – SMB Signing Disabled (Critical) ................................................ 19
Finding IPT-008: Insufficient Patch Management – Software (Critical) ....................................................... 20
Finding IPT-009: Insufficient Patch Management – Operating Systems (Critical) ...................................... 21
Finding IPT-010: Insufficient Patching – MS08-067 - ECLIPSEDWING/NETAPI (Critical) ........................... 22
Finding IPT-011: Insufficient Patching – MS12-020 – Remote Desktop RCE (Critical) ............................. 23
Finding IPT-012: Insufficient Patching – MS17-010 - EternalBlue (Critical) ............................................... 24
Finding IPT-013: Insufficient Patching – CVE-2019-0708 - BlueKeep (Critical) ......................................... 25
Finding IPT-014: Insufficient Privileged Account Management – Kerberoasting (High) ............................. 26

Finding IPT-015: Security Misconfiguration – GPP Credentials (High) ........................................................ 27
Finding IPT-016: Insufficient Authentication - VNC (High) ............................................................................ 28
Finding IPT-017: Default Credentials on Web Services (High) ..................................................................... 29
Finding IPT-018: Insufficient Hardening – Listable Directories (High)......................................................... 30
Finding IPT-019: Unauthenticated SMB Share Access (Moderate) ............................................................. 31
Finding IPT-020: Insufficient Patch Management – SMBv1 (Moderate) ..................................................... 32
Finding IPT-021: IPMI Hash Disclosure (Moderate) ...................................................................................... 33
Finding IPT-022: Insufficient SNMP Community String Complexity (Moderate) .......................................... 34
Finding IPT-023: Insufficient Data in Transit Encryption - Telnet (Moderate).............................................. 35
Finding IPT-024: Insufficient Terminal Services Configuration (Moderate) ................................................. 36
Finding IPT-025: Steps to Domain Admin (Informational) ............................................................................ 37
Additional Scans and Reports..............................................................................................................37

Confidentiality Statement
This document is the exclusive property of Demo Corp and TCM Security (TCMS). This document
contains proprietary and confidential information. Duplication, redistribution, or use, in whole or in
part, in any form, requires consent of both Demo Corp and TCMS.
Demo Corp may share this document with auditors under non-disclosure agreements to demonstrate
penetration test requirement compliance.

Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the
information gathered during the assessment and not any changes or modifications made outside of
that period.
Time-limited engagements do not allow for a full evaluation of all security controls. TCMS prioritized
the assessment to identify the weakest security controls an attacker would exploit. TCMS
recommends conducting similar assessments on an annual basis by internal or third-party assessors
to ensure the continued success of the controls.

Contact Information
Name | Title | Contact Information
Demo Corp
John Smith | Global Information Security Manager | Email: [email protected]
TCM Security
Heath Adams | Lead Penetration Tester | Email: [email protected]

Assessment Overview
From February 22nd, 2021 to March 5th, 2021, Demo Corp engaged TCMS to evaluate the security
posture of its infrastructure against current industry best practices; the engagement consisted of
an internal network penetration test. All testing performed is based on the NIST SP 800-115
Technical Guide to Information Security Testing and Assessment, the OWASP Testing Guide (v4), and
customized testing frameworks.
Phases of penetration testing activities include the following:
• Planning – Customer goals are gathered and rules of engagement obtained.
• Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak
areas, and exploits.
• Attack – Confirm potential vulnerabilities through exploitation and perform additional
discovery upon new access.
• Reporting – Document all found vulnerabilities and exploits, failed attempts, and company
strengths and weaknesses.

Assessment Components
Internal Penetration Test
An internal penetration test emulates the role of an attacker from inside the network. An engineer
will scan the network to identify potential host vulnerabilities and perform common and advanced
internal network attacks, such as LLMNR/NBT-NS poisoning and other man-in-the-middle attacks,
token impersonation, kerberoasting, pass-the-hash, golden ticket, and more. The engineer will seek
to gain access to hosts through lateral movement, compromise domain user and admin accounts,
and exfiltrate sensitive data.

Finding Severity Ratings
The following table defines levels of severity and corresponding CVSS score range that are used
throughout the document to assess vulnerability and risk impact.

Severity | CVSS v3 Score Range | Definition
Critical | 9.0-10.0 | Exploitation is straightforward and usually results in system-level compromise. It is advised to form a plan of action and patch immediately.
High | 7.0-8.9 | Exploitation is more difficult but could cause elevated privileges and potentially a loss of data or downtime. It is advised to form a plan of action and patch as soon as possible.
Moderate | 4.0-6.9 | Vulnerabilities exist but are not exploitable or require extra steps such as social engineering. It is advised to form a plan of action and patch after high-priority issues have been resolved.
Low | 0.1-3.9 | Vulnerabilities are non-exploitable but would reduce an organization’s attack surface. It is advised to form a plan of action and patch during the next maintenance window.
Informational | N/A | No vulnerability exists. Additional information is provided regarding items noticed during testing, strong controls, and additional documentation.

Risk Factors
Risk is measured by two factors: Likelihood and Impact:

Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given based on the
difficulty of the attack, the available tools, attacker skill level, and client environment.

Impact
Impact measures the potential vulnerability’s effect on operations, including confidentiality, integrity,
and availability of client systems and/or data, reputational harm, and financial loss.

Scope
Assessment | Details
Internal Penetration Test | 10.x.x.x/8

Scope Exclusions
Per client request, TCMS did not perform any of the following attacks during testing:
• Denial of Service (DoS)
• Phishing/Social Engineering

All other attacks not specified above were permitted by Demo Corp.

Client Allowances
Demo Corp provided TCMS the following allowances:

• Internal access to network via dropbox and port allowances

Executive Summary
TCMS evaluated Demo Corp’s internal security posture through penetration testing from February
22nd, 2021 to March 5th, 2021. The following sections provide a high-level overview of vulnerabilities
discovered, successful and unsuccessful attempts, and strengths and weaknesses.
Scoping and Time Limitations
Scoping during the engagement did not permit denial of service or social engineering across all
testing components.

Time limitations were in place for testing. Internal network penetration testing was permitted for ten
(10) business days.

Testing Summary
The network assessment evaluated Demo Corp’s internal network security posture. From an internal
perspective, the TCMS team performed vulnerability scanning against all IPs provided by Demo Corp
to evaluate the overall patching health of the network. The team also performed common Active
Directory based attacks, such as Link-Local Multicast Name Resolution (LLMNR) Poisoning, SMB
relaying, IPv6 man-in-the-middle relaying, and Kerberoasting. Beyond vulnerability scanning and
Active Directory attacks, TCMS evaluated other potential risks, such as open file shares, default
credentials on servers/devices, and sensitive information disclosure to gain a complete picture of
the network’s security posture.

The TCMS team discovered that LLMNR was enabled in the network (Finding IPT-001), which
permitted the interception of user hashes via LLMNR poisoning. These hashes were taken offline
and cracked via dictionary attacks, which signals a weak password policy (Finding IPT-005). Utilizing
the cracked passwords, the TCMS team gained access to several machines within the network, which
indicates overly permissive user accounts.

With machine access, and the use of older operating systems in the network (Finding IPT-009), the
team was able to leverage WDigest (Finding IPT-003) to recover cleartext credentials to accounts.
The team was also able to dump local account hashes on each machine accessed. The TCMS team
discovered that the local account hashes were being re-used across devices (Finding IPT-002), which
led to additional machine access through pass-the-hash attacks.

Ultimately, the TCMS team was able to leverage accounts captured through WDigest and hash dumps
to move laterally throughout the network until landing on a machine that had a Domain Administrator
credential in cleartext via WDigest. The testing team was able to use this credential to log into the
domain controller and compromise the entire domain. For a full walkthrough of the path to Domain
Admin, please see Finding IPT-025.

In addition to the compromise listed above, the TCMS team found that users could be impersonated
through delegation attacks (Finding IPT-004), SMB relay attacks were possible due to SMB signing
being disabled (Finding IPT-007), and IPv6 traffic was not restricted, which could lead to LDAPS
relaying and domain compromise (Finding IPT-006).

The remainder of critical findings relate to patch management as devices with critical out-of-date
software (Finding IPT-008), operating systems (Finding IPT-009), and Microsoft RCE vulnerabilities
(Findings IPT-010, IPT-011, IPT-012, IPT-013), were found to be present within the network.

The remainder of the findings were high, moderate, low, or informational. For further information on
findings, please review the Technical Findings section.

Tester Notes and Recommendations


Testing results of the Demo Corp network are indicative of an organization undergoing its first
penetration test, which is the case here. Many of the findings discovered are vulnerabilities within
Active Directory that come enabled by default, such as LLMNR, IPv6, and Kerberoasting.

During testing, two constants stood out: a weak password policy and weak patching. The weak
password policy led to the initial compromise of accounts and is usually one of the first footholds an
attacker attempts to use in a network. The presence of a weak password policy is backed up by the
evidence of our testing team cracking over 2,200 user account passwords, including a majority of
the Domain Administrator accounts, through basic dictionary attacks.

We recommend that Demo Corp re-evaluate its current password policy and consider a policy of
15 characters or more for regular user accounts and 30 characters or more for Domain
Administrator accounts. We also recommend that Demo Corp explore password blacklisting; TCMS will
be supplying a list of cracked user passwords for the team to evaluate. Finally, a Privileged Access
Management (PAM) solution should be considered.

Weak patching and dated operating systems led to the compromise of dozens of machines within
the network. We believe the number of compromised machines would have been significantly larger,
however the TCMS and Demo Corp teams agreed it was not necessary to attempt to exploit any
remote code execution (RCE) based vulnerabilities, such as MS17-010 (Finding IPT-012), as the
domain controller had already been compromised and the teams did not want to risk any denial of
service through failed attacks.

We recommend that the Demo Corp team review the patching recommendations made in the
Technical Findings section of the report along with reviewing the provided Nessus scans for a full
overview of items to be patched. We also recommend that Demo Corp improve their patch
management policies and procedures to help prevent potential attacks within their network.

On a positive note, our testing team triggered several alerts during the engagement. The Demo Corp
Security Operations team discovered our vulnerability scanning and was alerted when we attempted
to use noisy attacks on a compromised machine. While not all attacks were discovered during
testing, these alerts are a positive start. Additional guidance on alerting and detection has been
provided for findings, when necessary, in the Technical Findings section.

Overall, the Demo Corp network performed as expected for a first-time penetration test. We
recommend that the Demo Corp team thoroughly review the recommendations made in this report,
patch the findings, and re-test annually to improve their overall internal security posture.

Key Strengths and Weaknesses

The following identifies the key strengths identified during the assessment:

1. Observed some scanning of common enumeration tools (Nessus)
2. Mimikatz detected on some machines
3. Service accounts were not running as domain administrators
4. Demo Corp local administrator account password was unique to each device

The following identifies the key weaknesses identified during the assessment:

1. Password policy found to be insufficient
2. Critically out-of-date operating systems and weak patching exist within the network
3. Passwords were observed in cleartext due to WDigest
4. LLMNR is enabled within the network
5. SMB signing is disabled on all non-server devices in the network
6. IPv6 is improperly managed within the network
7. User accounts can be impersonated through token delegation
8. Local admin accounts had password re-use and were overly permissive
9. Default credentials were discovered on critical infrastructure, such as iDRACs
10. Unauthenticated share access was permitted
11. User accounts were found to be running as service accounts
12. Service accounts utilized weak passwords
13. Domain administrators utilized weak passwords

Vulnerability Summary & Report Card
The following tables illustrate the vulnerabilities found by impact and recommended remediations:
Internal Penetration Test Findings

Critical: 13 | High: 5 | Moderate: 6 | Low: 0 | Informational: 1

Finding | Severity | Recommendation
Internal Penetration Test
IPT-001: Insufficient LLMNR Configuration | Critical | Disable multicast name resolution via GPO.
IPT-002: Security Misconfiguration – Local Admin Password Reuse | Critical | Utilize unique local admin passwords and limit local admin users via least privilege.
IPT-003: Security Misconfiguration – WDigest | Critical | Disable WDigest via GPO.
IPT-004: Insufficient Hardening – Token Impersonation | Critical | Restrict token delegation.
IPT-005: Insufficient Password Complexity | Critical | Implement CIS Benchmark password requirements / PAM solution.
IPT-006: Security Misconfiguration – IPv6 | Critical | Restrict DHCPv6 traffic and incoming router advertisements in Windows Firewall via GPO.
IPT-007: Insufficient Hardening – SMB Signing Disabled | Critical | Enable SMB signing on all Demo Corp domain computers.
IPT-008: Insufficient Patch Management – Software | Critical | Update to the latest software version.
IPT-009: Insufficient Patch Management – Operating Systems | Critical | Update operating systems to the latest version.
IPT-010: Insufficient Patching – MS08-067 - ECLIPSEDWING/NETAPI | Critical | Apply the appropriate Microsoft patches to remediate the issue.
IPT-011: Insufficient Patching – MS12-020 – Remote Desktop RCE | Critical | Apply the appropriate Microsoft patches to remediate the issue.
IPT-012: Insufficient Patching – MS17-010 - EternalBlue | Critical | Apply the appropriate Microsoft patches to remediate the issue.
IPT-013: Insufficient Patching – CVE-2019-0708 - BlueKeep | Critical | Apply the appropriate Microsoft patches to remediate the issue.
IPT-014: Insufficient Privileged Account Management – Kerberoasting | High | Use Group Managed Service Accounts (GMSA) for privileged services.
IPT-015: Security Misconfiguration – GPP Credentials | High | Apply vendor patching. Do not use GPP cpasswords.
IPT-016: Insufficient Authentication - VNC | High | Enable authentication on the VNC server.
IPT-017: Default Credentials on Web Services | High | Change default credentials or disable unused accounts.
IPT-018: Insufficient Hardening – Listable Directories | High | Restrict access and conduct web app assessment.
IPT-019: Unauthenticated SMB Share Access | Moderate | Disable SMB share or require authentication.
IPT-020: Insufficient Patch Management – SMBv1 | Moderate | Upgrade to SMBv3 and apply latest patching.
IPT-021: IPMI Hash Disclosure | Moderate | Disable IPMI over LAN if it is not needed.
IPT-022: Insufficient SNMP Community String Complexity | Moderate | Disable SNMP if not required.
IPT-023: Insufficient Data in Transit Encryption - Telnet | Moderate | Migrate to TLS protected protocols.
IPT-024: Insufficient Terminal Services Configuration | Moderate | Enable Network Level Authentication (NLA) on the remote RDP server.
IPT-025: Steps to Domain Admin | Informational | Review action and remediation steps.

Technical Findings
Internal Penetration Test Findings
Finding IPT-001: Insufficient LLMNR Configuration (Critical)
Description: Demo Corp allows multicast name resolution on their end-user networks. TCMS captured 20 user account hashes by poisoning LLMNR traffic and cracked 2 with commodity cracking software.

The cracked accounts were used to leverage further access that led to the compromise of the Domain Controller.
Risk: Likelihood: High – This attack is effective in environments allowing multicast name resolution.
Impact: Very High – LLMNR poisoning permits attackers to capture password hashes to either crack offline or relay in real-time and pivot laterally in the environment.
System: All
Tools Used: Responder, Hashcat
References: Stern Security - Local Network Attacks: LLMNR and NBT-NS Poisoning
NIST SP800-53 r4 IA-3 - Device Identification and Authentication
NIST SP800-53 r4 CM-6(1) - Configuration Settings

Evidence

Figure 1: Captured hash of “production”

Figure 2: Cracked hash of “production”

Remediation
Disable multicast name resolution via GPO. For full mitigation and detection guidance, please
reference the MITRE guidance here.
The cracked hashes demonstrate a deficient password complexity policy. If multicast name
resolution is required, Network Access Control (NAC) combined with application whitelisting can
limit these attacks.

Finding IPT-002: Security Misconfiguration – Local Admin Password Reuse (Critical)
Description: TCMS utilized local administrator hashes to gain access to other machines in the network via a ‘pass-the-hash’ attack. The local administrator hashes were obtained via machine access provided by the cracked account in IPT-001.

Pass-the-hash attacks do not require knowing the account password to successfully log into a machine. Thus, reusing the same local admin password (and therefore the same hash) on multiple machines will permit system access to those computers.

TCMS leveraged this attack to gain access to ~50 machines within the main office. This led to further account access and the eventual compromise of the domain controller.
Risk: Likelihood: High – This attack is effective in large networks with local admin password reuse.
Impact: Very High – Pass-the-hash permits an attacker to move laterally and vertically throughout the network.
System: All
Tools Used: Impacket, Crackmapexec
References: https://capec.mitre.org/data/definitions/644.html
https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/

Evidence

Figure 3: Local admin hash used to gain access to machine

Remediation
Utilize unique local admin passwords. Limit local admin users via least privilege. Consider
implementing a PAM solution. For full mitigation and detection guidance, please reference the
MITRE guidance here.

Finding IPT-003: Security Misconfiguration – WDigest (Critical)
Description: Demo Corp permitted out-of-date operating systems within their network, including Windows 7, 8, Server 2008, and Server 2012.

These operating systems, by default, permit WDigest, which stores the passwords of all currently logged-in users in clear text.

TCMS leveraged machine access gained in IPT-001 and IPT-002 to move laterally throughout the network until uncovering a machine with Domain Admin credentials stored in WDigest.
Risk: Likelihood: Moderate – This attack is effective in networks with older operating systems.
Impact: Very High – WDigest credentials are stored in clear text, which can permit the theft of sensitive accounts, such as Domain Administrators.
System: All systems older than Windows 10 and Server 2016
Tools Used: Metasploit, Kiwi
References: https://stealthbits.com/blog/wdigest-clear-text-passwords-stealing-more-than-a-hash/

Evidence

Figure 4: Cleartext passwords of Domain Administrators

Remediation
Disable WDigest via GPO. For full mitigation and detection guidance, please reference the
guidance here.

Finding IPT-004: Insufficient Hardening – Token Impersonation (Critical)
Description: TCMS impersonated the token of “supcb” to obtain Domain Administrator privileges.
Risk: Likelihood: High – The penetration tester viewed and impersonated tokens with the use of open-source tools.
Impact: Very High - If exploited, an attacker gains domain administrator access.
System: All
Tools Used: Metasploit, Incognito
References: NIST SP800-53 r4 CM-7 - Least Functionality
NIST SP800-53 r4 AC-6 - Least Privilege
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

Evidence

Figure 5: Impersonation of “sup”

Figure 6: Shell access as Domain Admin “sup”

Remediation
Restrict token delegation. For full mitigation and detection guidance, please reference the MITRE
guidance here.

Finding IPT-005: Insufficient Password Complexity (Critical)
Description: TCMS dumped hashes from the domain controller and proceeded to attempt common password guessing attacks against all users.

TCMS cracked 2,226 passwords using basic password list guessing attacks and low-effort brute forcing attacks. 17 cracked accounts had domain administrator rights.
Risk: Likelihood: High - Simple passwords are susceptible to password cracking attacks. Encryption provides some protection, but dictionary attacks based on common word lists often crack weak passwords.
Impact: Very High - Domain admin accounts with weak passwords could lead to an adversary critically impacting Demo Corp’s ability to operate.
System: All
Tools Used: Manual Review
References: NIST SP800-53 IA-5(1) - Authenticator Management
https://www.cisecurity.org/white-papers/cis-password-policy-guide/

Evidence

Figure 7: Excerpt of cracked domain hashes

Remediation
Implement CIS Benchmark password requirements / PAM solution. TCMS recommends that Demo
Corp enforce industry best practices around password complexity and management. A password
filter to prevent users from using common and easily guessable passwords is also recommended.
Additionally, TCMS recommends that Demo Corp enforce stricter password requirements for
Domain Administrator and other sensitive accounts.
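The stricter requirements for Domain Administrator accounts recommended here, and the 15-character / 30-character minimums from the Tester Notes, map onto a default domain policy plus a fine-grained password policy (PSO). The following PowerShell is an added example, not part of the TCMS report; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the PSO name and history count are placeholders.

```powershell
# Added example, not from the TCMS report. Enforces 15+ character passwords
# for regular users (default domain policy) and 30+ for Domain Admins
# (fine-grained password policy). Requires the ActiveDirectory module and
# Domain Admin rights. $psoName and the history count are assumptions.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$psoName = 'PSO-DomainAdmins-MinLength30'   # placeholder name

# 1. Default domain policy: 15-character minimum with complexity for all users.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false

# 2. PSO for Domain Admins: 30-character minimum. The lowest Precedence wins
#    when several PSOs apply to the same account.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 30 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 3. Verify the resultant policy for every (nested) member of Domain Admins.
#    Get-ADUserResultantPasswordPolicy returns nothing when only the default
#    domain policy applies, so that case is reported explicitly.
function Get-DomainAdminPasswordPolicyReport {
    $defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            [pscustomobject]@{
                Account   = $_.SamAccountName
                Policy    = $(if ($rp) { $rp.Name } else { 'Default Domain Policy' })
                MinLength = $(if ($rp) { $rp.MinPasswordLength } else { $defaultMin })
                Compliant = $(if ($rp) { $rp.MinPasswordLength -ge 30 } else { $defaultMin -ge 30 })
            }
        }
}

Get-DomainAdminPasswordPolicyReport | Format-Table -AutoSize
```

A length-only policy does not stop the dictionary passwords this finding describes; pair it with the password filter recommended above.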

Finding IPT-006: Security Misconfiguration – IPv6 (Critical)
Description: Through IPv6 DNS poisoning, the TCMS team was able to successfully relay credentials to the Demo Corp domain controller.
Risk: Likelihood: High – IPv6 is enabled by default on Windows networks. The tools and techniques required to perform this task are trivial.
Impact: Very High - If exploited, an attacker can gain domain administrator access.
System: All
Tools Used: Mitm6, Impacket
References: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

Evidence

Figure 8: Successfully relayed LDAP credentials via mitm6

Remediation
1. IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. If you do not use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy. Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working:
a. (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)
b. (Inbound) Core Networking - Router Advertisement (ICMPv6-In)
c. (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)
2. If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service.
3. Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding.
Consider adding administrative users to the Protected Users group or marking them as "Account is sensitive and cannot be delegated", which will prevent any impersonation of that user via delegation.
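An audit-or-apply script for steps 1 and 2 above, added here as an example and not part of the TCMS report. It runs on one host from an elevated session; without -Apply it only reports. The three rule display names are the ones listed in the finding, and the WinHttpAutoProxySvc registry key is the standard per-service key (Start=4 means Disabled).

```powershell
# Added example (not from the TCMS report). Audits (default) or applies (-Apply)
# steps 1 and 2 of the IPT-006 remediation on the local host: set the predefined
# DHCPv6 / router-advertisement firewall rules mitm6 relies on to Block, and
# disable the WPAD service. Run from an elevated PowerShell session.
param([switch]$Apply)

# Predefined Windows Firewall rule display names, exactly as listed in the finding.
$Ipv6RuleNames = @(
    'Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)',
    'Core Networking - Router Advertisement (ICMPv6-In)',
    'Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)'
)

function Test-Ipv6FirewallRules {
    foreach ($name in $Ipv6RuleNames) {
        # One display name can map to several rules (one per profile); check each.
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Item = $name; Profile = 'n/a'; State = 'rule not found'; Compliant = $false }
            continue
        }
        foreach ($rule in $rules) {
            $ok = ($rule.Action -eq 'Block' -and $rule.Enabled -eq 'True')
            if ($Apply -and -not $ok) {
                # The finding calls for switching the rule to Block (and keeping it enabled).
                $rule | Set-NetFirewallRule -Action Block -Enabled True
                $rule = Get-NetFirewallRule -Name $rule.Name
                $ok   = ($rule.Action -eq 'Block' -and $rule.Enabled -eq 'True')
            }
            [pscustomobject]@{
                Item      = $name
                Profile   = $rule.Profile
                State     = "$($rule.Action), Enabled=$($rule.Enabled)"
                Compliant = $ok
            }
        }
    }
}

function Test-WpadService {
    # Set-Service may refuse to change WinHttpAutoProxySvc on current Windows
    # builds, so the startup type is written to the service key directly
    # (Start=4 means Disabled); the change takes effect after a reboot.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($Apply -and $start -ne 4) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        $start = 4
    }
    [pscustomobject]@{ Item = 'WinHttpAutoProxySvc'; Profile = 'n/a'
                       State = "Start=$start"; Compliant = ($start -eq 4) }
}

$results = @(Test-Ipv6FirewallRules) + @(Test-WpadService)
$results | Format-Table -AutoSize
if ($Apply) {
    Write-Host 'Applied locally. Roll the same settings out through Group Policy; the WPAD change needs a reboot.'
}
```

Run it once without -Apply on a representative host to see which profiles still carry the Allow rules before pushing the equivalent Group Policy.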

Finding IPT-007: Insufficient Hardening – SMB Signing Disabled (Critical)
Description: Demo Corp failed to implement SMB signing on multiple devices. The absence of SMB signing could lead to SMB relay attacks, yielding system-level shells without requiring a user password.
Risk: Likelihood: High – Relaying password hashes is a basic technique not requiring offline cracking.
Impact: High – If exploited, an adversary gains code execution, leading to lateral movement across the network.
System: Identified 709 machines, please see the below file for listing.
[file removed]
Tools Used: Nessus, Nmap, MultiRelay, Responder
References: CIS Microsoft Windows Server 2012 R2 v2.2.0 (Page 180)
https://github.com/lgandx/Responder/blob/master/tools/MultiRelay.py

Evidence

Figure 9: Successful SMB relay

Remediation
Enable SMB signing on all Demo Corp domain computers. Alternatively, as SMB signing can cause
performance issues, disabling NTLM authentication, enforcing account tiering, and limiting local
admin users can effectively help mitigate attacks. For full mitigation and detection guidance, please
reference the MITRE guidance here.

Finding IPT-008: Insufficient Patch Management – Software (Critical)
Description: Demo Corp permitted various deprecated software in their network. This includes:
• Apache version < 2.4.46
• Apache Tomcat version < 7.0.100, 8.5.51, 9.0.31
• Cisco AireOS version 8.5.151.10
• CodeMeter version 3.05 (5.21.1478.500)
• Dropbear SSH Server version 2015.68
• Dell iDRAC7 version 2.63.60.62.01
• Dell iDRAC8 version 2.63.60.61.06
• Dell iDRAC9 version 3.36.36.36.21
• ESXi version 5.5
• ESXi version 6.5 build 15256549
• Flexera FlexNet Publisher version 11.16.0
• IIS version 7.5
• ISC BIND version 9.6.2-P2
• Microsoft DNS Server version 6.1.7601.24261
• Microsoft SQL Server version 11.0.6594.0
• Netatalk OpenSession version < 3.1.12
• PHP version < 7.3.11
• Rockwell Automation RSLinx Classic
The list above covers all critical and high-rated deprecated software, the majority of which permit serious vulnerabilities, such as remote code execution. For a full patching list, please review the provided Nessus scan documentation.
Risk: Likelihood: High – An attacker can discover these vulnerabilities with basic tools.
Impact: Very High – If exploited, an attacker could possibly gain full remote code execution on or deny service to a system.
Tools Used: Nessus
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation

Remediation
Update to the latest software version. For a full list of vulnerable systems, versions, and patching
requirements, please see the below document.
[file removed]

Finding IPT-009: Insufficient Patch Management – Operating Systems (Critical)
Description: Demo Corp permitted various deprecated software in their network. This includes:
• Windows Server 2003 (end of life on July 14, 2015)
• Windows Server 2008 R2 (end of life on January 14, 2020)
• Windows XP (end of life on April 8, 2014)
• Windows 7 (end of life on January 14, 2020)
• Ubuntu 11 (end of life on May 9, 2013)
• FreeBSD 11.0 (end of life in October 2016)
End of life systems are susceptible to a multitude of vulnerabilities. TCMS did not attempt any attacks against these servers due to the risk of a denial of service, which is out of scope.
Risk: Likelihood: High – An attacker can discover these vulnerabilities with basic tools.
Impact: High – If exploited, an attacker could possibly gain full remote code execution on or deny service to a system.
System: Identified 139 machines, please see the below file for listing.
[file removed]
Tools Used: Nessus
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation

Remediation
Update Operating Systems to the latest version.

Finding IPT-010: Insufficient Patching – MS08-067 - ECLIPSEDWING/NETAPI (Critical)
Description: Demo Corp permitted an unpatched system on the internal network that is
vulnerable to MS08-067. TCM Security confirmed that the vulnerability likely
exists but did not attempt the exploit to prevent any denial of service.
Risk: Likelihood: High – Considered one of the most exploited vulnerabilities in
Microsoft Windows as it ships natively with Windows XP.

Impact: Very High – If exploited, an attacker gains code execution as the system
user. An adversary will require additional techniques to obtain domain
administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation

Evidence

Figure 10: Unpatched MS08-067

Remediation
Apply the appropriate Microsoft patches to remediate the issue. More information on patching MS08-067 can be found here: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067

Finding IPT-011: Insufficient Patching – MS12-020 – Remote Desktop RCE (Critical)
Description: Demo Corp permitted an unpatched system on the internal network that is
vulnerable to MS12-020. TCM Security confirmed that the vulnerability likely
exists but did not attempt the exploit to prevent any denial of service.
Risk: Likelihood: High – The vulnerability is easily discoverable and exploitable with
open-source tools.

Impact: Very High – If exploited, an attacker gains code execution as the system
user. An adversary will require additional techniques to obtain domain
administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation

Evidence

Figure 11: Unpatched MS12-020

Remediation
Apply the appropriate Microsoft patches to remediate the issue. More information on patching MS12-020 can be found here: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-020

Finding IPT-012: Insufficient Patching – MS17-010 - EternalBlue (Critical)
Description: Demo Corp permitted several unpatched systems on the internal network that
are vulnerable to MS17-010 (EternalBlue). TCM Security confirmed that the
vulnerability likely exists but did not attempt the exploit to prevent any denial of
service.
Risk: Likelihood: High – Malicious actors have used SMB exploitations like
EternalBlue in recent breaches.

Impact: Very High – If exploited, an attacker gains code execution as the system
user. An adversary will require additional techniques to obtain domain
administrator access.
System: 10.x.x.x
Tools Used: Nessus, Metasploit, AutoBlue
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation

Evidence

Figure 12: Unpatched MS17-010

Remediation
Apply the appropriate Microsoft patches to remediate the issue. More information on patching MS17-010 can be found here: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Finding IPT-013: Insufficient Patching – CVE-2019-0708 - BlueKeep (Critical)
Description: Demo Corp permitted several unpatched systems on the internal network that
are vulnerable to CVE-2019-0708 (BlueKeep). TCM Security confirmed that the
vulnerability likely exists but did not attempt the exploit to prevent any denial of
service.
Risk: Likelihood: High – The vulnerability is easily discoverable and exploitable with
open-source tools.

Impact: Very High – If exploited, an attacker gains code execution as the system
user. An adversary will require additional techniques to obtain domain
administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation

Evidence

Figure 13: Unpatched CVE-2019-0708

Remediation
Apply the appropriate Microsoft patches to remediate the issue. More information on patching CVE-2019-0708 can be found here: https://support.microsoft.com/en-us/topic/customer-guidance-for-cve-2019-0708-remote-desktop-services-remote-code-execution-vulnerability-may-14-2019-0624e35b-5f5d-6da7-632c-27066a79262e

Finding IPT-014: Insufficient Privileged Account Management – Kerberoasting (High)
Description: TCMS retrieved all user service principal names (SPNs) from the Demo Corp domain controller using a domain user-level account (IPT-001) in a Kerberoasting attack. Retrieving these user SPNs permitted TCMS to crack 4 account passwords.
No service accounts were observed running as domain administrators. User accounts were observed running as a service, which is not best practice.
Risk: Likelihood: High – Any account joined to the domain can request user SPNs.
Impact: High – Using SPNs, it is possible to retrieve sensitive account password hashes and crack them offline.
Tools Used: Impacket, Hashcat
References: Kerberoasting details: https://adsecurity.org/?p=2293
Group Managed Service Accounts Overview

Evidence

Figure 14: Cracked service accounts

Remediation
Use Group Managed Service Accounts (GMSA) for privileged services. GMSA accounts can be used to ensure passwords are long, complex, and change frequently. Where GMSA is not applicable, protect accounts by utilizing a password vaulting solution.
TCMS recommends configuring alert logging on domain controllers for Windows event ID 4769, which is logged whenever a Kerberos service ticket is requested. These alerts are prone to high false-positive rates but serve as a supplementary detective control. Tailor a security information and event management (SIEM) tool to alert on excessive user SPN requests.
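The "excessive user SPN requests" detection recommended above, added here as an example and not part of the TCMS report. The 4769 events below are constructed, the threshold and window are assumptions to tune against a baseline, and the commented Get-WinEvent snippet shows how to build the same objects from a domain controller's Security log.

```powershell
# Added example (not from the TCMS report). Flags the pattern a Kerberoasting run
# leaves in event ID 4769 on a domain controller: one account requesting service
# tickets for many user-account SPNs within a short window, typically with RC4
# (0x17) encryption. The sample events are constructed; the thresholds are
# assumptions to tune against the environment's baseline.
function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$Events,  # objects with User, Service, EncType, Time
        [int]$Threshold     = 5,                   # distinct user SPNs per account per window
        [int]$WindowMinutes = 10
    )
    # Tickets for computer accounts (name$) and krbtgt are ordinary traffic;
    # Kerberoasting targets SPNs registered on user accounts, so only those count.
    $userSpn = @($Events | Where-Object { $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' })
    foreach ($group in ($userSpn | Group-Object -Property User)) {
        $byTime = @($group.Group | Sort-Object -Property Time)
        $worst = 0; $rc4 = 0
        # Sliding window: from each request, count distinct services in the next WindowMinutes.
        for ($i = 0; $i -lt $byTime.Count; $i++) {
            $end      = $byTime[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($byTime[$i..($byTime.Count - 1)] | Where-Object { $_.Time -le $end })
            $n        = @($inWindow | Select-Object -ExpandProperty Service -Unique).Count
            if ($n -gt $worst) {
                $worst = $n
                $rc4   = @($inWindow | Where-Object { $_.EncType -eq '0x17' }).Count
            }
        }
        if ($worst -ge $Threshold) {
            $severity = if ($rc4 -gt 0) { 'High (RC4 tickets, crackable offline)' } else { 'Review (AES only)' }
            [pscustomobject]@{
                User = $group.Name; DistinctServices = $worst; Rc4Requests = $rc4; Severity = $severity
            }
        }
    }
}

# Constructed sample: alice behaves normally, bob sweeps every user SPN in two minutes.
$t0 = Get-Date '2021-03-09T10:00:00'
$sample = @(
    [pscustomobject]@{ User = 'alice'; Service = 'FILESRV01$'; EncType = '0x12'; Time = $t0 },
    [pscustomobject]@{ User = 'alice'; Service = 'svc_sql';    EncType = '0x12'; Time = $t0.AddMinutes(45) },
    [pscustomobject]@{ User = 'bob';   Service = 'svc_sql';    EncType = '0x17'; Time = $t0.AddMinutes(60) },
    [pscustomobject]@{ User = 'bob';   Service = 'svc_backup'; EncType = '0x17'; Time = $t0.AddMinutes(60.3) },
    [pscustomobject]@{ User = 'bob';   Service = 'svc_iis';    EncType = '0x17'; Time = $t0.AddMinutes(60.6) },
    [pscustomobject]@{ User = 'bob';   Service = 'svc_sccm';   EncType = '0x17'; Time = $t0.AddMinutes(61) },
    [pscustomobject]@{ User = 'bob';   Service = 'svc_report'; EncType = '0x17'; Time = $t0.AddMinutes(61.4) },
    [pscustomobject]@{ User = 'bob';   Service = 'krbtgt';     EncType = '0x12'; Time = $t0.AddMinutes(62) }
)
Find-KerberoastCandidates -Events $sample | Format-Table -AutoSize   # flags bob only

# Live collection on a DC produces the same object shape:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ForEach-Object {
#       $x = [xml]$_.ToXml(); $d = @{}
#       foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
#       [pscustomobject]@{ User = $d.TargetUserName; Service = $d.ServiceName
#                          EncType = $d.TicketEncryptionType; Time = $_.TimeCreated }
#   }
```

Service accounts that legitimately enumerate many SPNs (monitoring, backup) will trip this rule, so maintain an allow-list of those users rather than raising the threshold for everyone.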

Finding IPT-015: Security Misconfiguration – GPP Credentials (High)
Description: Demo Corp utilized “cpasswords” in Group Policy Preference (GPP) which any
domain user can query from a domain controller’s SYSVOL folder. Microsoft
published the key to decrypt these passwords.
Risk: Likelihood: High – Any authenticated user can obtain this information and
decrypt the password with open source tools.

Impact: High – An adversary can use these credentials to move laterally within
the network.
Tools Used: Metasploit
References: NIST SP800-53 IA-5(1) - Authenticator Management

Evidence

Figure 15: Dumped GPP credentials

Remediation
Apply vendor patching. Do not use GPP cpasswords. Additionally, enabling authentication on the NFS share will protect the confidentiality of the stored information. Exporting authentication logs to a SIEM solution will give incident response teams insight into brute-force login attempts.
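A SYSVOL audit for the cpassword attribute described in this finding, added here as an example and not part of the TCMS report; it reports where cpasswords remain and never decrypts them. It assumes a domain-joined host where $env:USERDNSDOMAIN holds the domain name; otherwise pass -SysvolPath explicitly.

```powershell
# Added example (not from the TCMS report). Walks SYSVOL for Group Policy
# Preference XML files that still carry a cpassword attribute and reports where
# each lives, without decrypting anything. Assumes a domain-joined host where
# $env:USERDNSDOMAIN resolves to the domain; pass -SysvolPath otherwise.
function Find-GppCpassword {
    param(
        [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Every GPP item type (Groups, Services, ScheduledTasks, DataSources, Drives,
    # Printers) stores the credential as a cpassword attribute, so match on the
    # attribute rather than on the file name.
    Get-ChildItem -Path $SysvolPath -Recurse -Filter '*.xml' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
            catch { return }                      # skip unreadable or malformed XML
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # The account-name attribute differs per item type.
                $acct = ($node.Attributes |
                         Where-Object { $_.Name -match '^(userName|username|accountName|runAs)$' } |
                         Select-Object -First 1).Value
                $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
                [pscustomobject]@{
                    Gpo              = $gpoGuid
                    File             = $file.FullName.Substring($SysvolPath.Length)
                    Account          = $acct
                    CpasswordPresent = ($node.GetAttribute('cpassword').Length -gt 0)
                }
            }
        }
}

# An empty cpassword attribute means the item was cleared but the file left behind;
# only non-empty ones are live credentials and should be removed first.
Find-GppCpassword | Where-Object CpasswordPresent | Format-Table -AutoSize
```

Remove the offending preference items through the Group Policy Management Console rather than editing SYSVOL files by hand, and rotate the accounts they named.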

Finding IPT-016: Insufficient Authentication - VNC (High)
Description: Demo Corp deployed 3 servers that permitted unauthenticated access via VNC
Server.
Risk: Likelihood: High – Discovering unauthenticated VNC servers is trivial and can
be done with open-source tools.

Impact: High – Attackers can control industrial devices, destroy data, or shut
down systems.
System: 10.x.x.x, 10.x.x.x, 10.x.x.x
Tools Used: Nessus, VNC Viewer
References: NIST SP800-53 IA-5(1) - Authenticator Management

Evidence
[image redacted]
Figure 16: Access to system via VNC

Remediation
Enable authentication on the VNC Server.

Finding IPT-017: Default Credentials on Web Services (High)
Description: TCMS validated that default credentials worked on multiple web applications within the Demo Corp environment.
Risk: Likelihood: High – Credentials for these devices are published and are an attacker's first authentication attempt.
Impact: High – Attackers can control devices, destroy data, or shut down systems.
System: Default credentials were tested on a sample set of web applications, but TCMS suggests checking the following addresses at a minimum:
[file removed]
Tools Used: Manual Review
References: NIST SP800-53 IA-5(1) - Authenticator Management

Evidence

Figure 17: Dell iDRAC access via default credentials

Remediation
Change default credentials or disable unused accounts.

Finding IPT-018: Insufficient Hardening – Listable Directories (High)
Description: Demo Corp disclosed information by allowing listable directories and storing potentially critical items on a web server. It is strongly recommended that Demo Corp perform a thorough web app assessment on this resource.
Risk: Likelihood: Moderate – Adversaries will discover content with open source tools.
Impact: High – Attackers use this information in conjunction with other attacks for enumeration and cataloging, enabling rapid attacks when vulnerabilities arise.
System: Full list of discovered listable directories:

[file removed]
Tools Used: Manual Review
References: NIST SP800-53r4 CM-7 - Least Functionality
NIST SP800-53r4 AC-6(3) - Least Privilege

Evidence

Figure 18: Listable directory

Remediation
Restrict access and conduct web app assessment.

Finding IPT-019: Unauthenticated SMB Share Access (Moderate)
Description: Demo Corp exposed multiple servers with unauthenticated file server access.
Risk: Likelihood: Moderate – Adversaries will discover these shares with low-noise, basic reconnaissance techniques.
Impact: Moderate – Attackers learn about the environment through information leaks.
System: 10.x.x.x
Tools Used: Nessus, smbclient
References: NIST SP800-53r4 AC-6(3) - Least Privilege
NIST SP800-53 r4 SC-4 - Information in Shared Resources

Evidence

Figure 19: Unauthenticated Share access

Remediation
Disable the SMB share or require authentication. Enabling authentication on the share will protect the confidentiality of the stored information. Exporting authentication logs to a SIEM solution will give incident response teams insight into brute-force login attempts.

Finding IPT-020: Insufficient Patch Management – SMBv1 (Moderate)
Description: Demo Corp failed to patch SMBv1. This version is vulnerable to multiple denial of service and remote code execution attacks. TCM Security confirmed that the vulnerability likely exists but did not attempt the exploit to prevent any denial of service.
Risk: Likelihood: Moderate – Basic scans would identify the SMB version but would require an adversary to be on the internal network and identify an exploit.
Impact: Moderate – If exploited, an attacker gains denial of service and code execution capability.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
NIST SP800-53 r4 SI-2 - Flaw Remediation

Evidence

Figure 20: Unauthenticated Share access

Remediation
Upgrade to SMBv3 and apply latest patching.

Finding IPT-021: IPMI Hash Disclosure (Moderate)
Description: Demo Corp deployed a remote host supporting IPMI v2.0. The IPMI protocol is affected by an information disclosure vulnerability due to its support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.
Risk: Likelihood: High – Basic network scans will identify this vulnerability.
Impact: Moderate – If exploited, an attacker can gain access to sensitive management devices. TCMS was unable to crack any hashes during the assessment.
System: Identified 34 machines, please see the below file for listing.
[file removed]
Tools Used: Metasploit
References: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

Evidence

Figure 21: IPMI Hash Disclosure

Remediation
There is no patch for this vulnerability; it is an inherent problem with the specification for IPMI v2.0. Suggested mitigations include:
• Disabling IPMI over LAN if it is not needed.
• Using strong passwords to limit the success of offline dictionary attacks.
• Using Access Control Lists (ACLs) or isolated networks to limit access to your IPMI management interfaces.

Finding IPT-022: Insufficient SNMP Community String Complexity (Moderate)
Description: Demo Corp deployed SNMP with default “public” community strings. This
configuration exposed read-only access to the system’s management
information base (MIB), including the network configurations.
Risk: Likelihood: High – Basic network scans will identify this vulnerability.

Impact: Moderate – If exploited, an attacker can profile the device and focus
attacks.
System: Identified 45 machines, please see the below file for listing.

[file removed]
Tools Used: Nessus, SNMP-Check, Ettercap
References: NIST SP800-53 r4 AC-17(2) - Remote Access Protection of
Confidentiality/Integrity using Encryption

Evidence

Figure 22: Information disclosure via public SNMP community strings

Figure 23: Non-public SNMP string captured via Ettercap

Remediation
TCM Security recommends Demo Corp consider the following corrective actions:
• Disable SNMP if not required
• Filter UDP packets going to port 161
• Evaluate migration to SNMPv3
• Use password complexity guidelines for community strings

Finding IPT-023: Insufficient Data in Transit Encryption - Telnet (Moderate)
Description: Demo Corp permitted Telnet, which does not encrypt data in transit. Telnet uses plain text authentication and passes all data (including passwords) in clear text, where it can be intercepted by an attacker.
Risk: Likelihood: Low – An adversary requires a Man-in-the-Middle position between the client and server.
Impact: High – If exploited, an adversary may intercept administrative credentials that can be used in other attacks.
System: Identified 53 machines, please see the below file for listing.
[file removed]
Tools Used: Telnet
References: NIST SP800-53 r4 AC-17(2) - Remote Access | Protection of Confidentiality / Integrity Using Encryption

Evidence

Figure 24: Telnet login prompt

Remediation
Migrate to TLS protected protocols.

Finding IPT-024: Insufficient Terminal Services Configuration (Moderate)
Description: Terminal Services on the remote host is not configured to use Network Level Authentication (NLA) only. NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication through either TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. In addition to improving authentication, NLA also helps protect the remote computer from malicious users and software by completing user authentication before a full RDP connection is established.
Risk: Likelihood: Low – An attacker can discover these vulnerabilities with basic tools.
Impact: High – If exploited, an adversary gains code execution, leading to lateral movement across the network.
System: Identified 118 machines, please see the below file for listing.
[file removed]
Tools Used: Nessus
References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)

Remediation
Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the
'Remote' tab of the 'System' settings on Windows.

Finding IPT-025: Steps to Domain Admin (Informational)

The steps below describe how the penetration tester obtained domain administrator access. Each
step also provides remediation recommendations to help mitigate risk.

Step 1
Action: Poisoned LLMNR responses to obtain NetNTLMv2 hash of regular network user.
Remediation: Disable multicast name resolution via GPO.

Step 2
Action: Cracked NTLM hash offline of domain administrator users ‘production’ and ‘[name removed]’.
Remediation: Increase password complexity. Utilize multi-factor. Implement a Privileged Account Management solution. Utilize a password filter.

Step 3
Action: Leveraged password of ‘production’ account to gain access to several machines within the network.
Remediation: Limit local administrator privileges and enforce least privilege.

Step 4
Action: Dumped hashes on accessed machines to find cleartext password of ‘Bartender’ account via wdigest.
Remediation: Disable WDigest via GPO.

Step 5
Action: Overly-permissive ‘Bartender’ account permitted access to a large amount of machines within the network.
Remediation: Limit local administrator privileges and enforce least privilege.

Step 6
Action: Dumped hashes on accessed machines to find cleartext password of Domain Administrator account.
Remediation: Disable WDigest via GPO.

Step 7
Action: Utilized discovered credentials to log into the domain controller.

Remediation
Review action and remediation steps.
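A posture check for the Group Policy settings recommended in the step table above (LLMNR, WDigest), in IPT-007 (SMB signing) and IPT-024 (NLA), plus the IPT-006 step 3 LDAP signing and channel binding values on domain controllers, added here as an example and not part of the TCMS report. The registry paths are the standard locations those policies write to; hosts.txt is a placeholder for the host lists attached to the findings.

```powershell
# Added example (not from the TCMS report). Reads the registry values behind the
# Group Policy settings recommended in IPT-007 (SMB signing), IPT-024 (NLA) and the
# IPT-025 step table (LLMNR, WDigest), plus the IPT-006 step 3 LDAP signing and
# channel binding values when run on a domain controller, and reports what still
# deviates. A missing value counts as non-compliant: rely on an explicit setting,
# not on a build-dependent default.
function Get-HardeningPosture {
    # Self-contained on purpose so the same function body can be sent to remote
    # hosts with Invoke-Command (see the fleet example at the bottom).
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $checks = @(
        @{ Finding = 'IPT-007'; Setting = 'SMB server signing required'; Desired = 1
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature' },
        @{ Finding = 'IPT-007'; Setting = 'SMB client signing required'; Desired = 1
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature' },
        @{ Finding = 'IPT-024'; Setting = 'RDP requires NLA'; Desired = 1
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication' },
        @{ Finding = 'IPT-025 step 1'; Setting = 'LLMNR disabled'; Desired = 0
           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast' },
        @{ Finding = 'IPT-025 steps 4/6'; Setting = 'WDigest cleartext caching off'; Desired = 0
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential' }
    )
    if ($isDc) {
        $checks += @(
            @{ Finding = 'IPT-006 step 3'; Setting = 'LDAP signing required'; Desired = 2
               Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'LDAPServerIntegrity' },
            @{ Finding = 'IPT-006 step 3'; Setting = 'LDAP channel binding always'; Desired = 2
               Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'LdapEnforceChannelBinding' }
        )
    }
    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Finding   = $c.Finding
            Setting   = $c.Setting
            Current   = $(if ($null -eq $current) { 'not set' } else { $current })
            Desired   = $c.Desired
            Compliant = ($current -eq $c.Desired)
        }
    }
}

# Local run:
Get-HardeningPosture | Format-Table -AutoSize
# Fleet run over WinRM, e.g. against the host lists attached to IPT-007 and IPT-024
# (hosts.txt is a placeholder, one host name per line):
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-HardeningPosture} |
#       Where-Object { -not $_.Compliant } | Sort-Object Computer, Finding | Format-Table -AutoSize
```

Treat the output as a verification step after the Group Policy rollout, not as a substitute for it: a host that reports compliant locally can still be overridden by a later policy refresh.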

Additional Scans and Reports


TCMS provides all clients with all report information gathered during testing. This includes Nessus
files and full vulnerability scans in detailed formats. These reports contain raw vulnerability scans
and additional vulnerabilities not exploited by TCM Security.

The reports identify hygiene issues that need attention but are less likely to lead to a breach, i.e. defense-in-depth opportunities. For more information, please see the documents in your shared drive folder labeled “Additional Scans and Reports”.
