Hacking a company's network (how secure is yours?)

Soldato (joined 30 Sep 2005, 16,546 posts):
Well....I wouldn't call it hacking.

Today I was called in to check another company's network. The first thing I usually do is see if I can very easily hack their network. Although I'd hardly call it hacking, it tells me quite a few things straight off the bat.

The steps I use are as follows:

1. Write a very simple piece of code, along the lines of
Create LDAP connection, search for user objects, capture pieces of information into variables, loop. Secondly, take one account and write back a small piece of information. This is good because you'd be surprised how often you can access all this without any credentials.

2. Compile and save as an exe
3. Copy to onedrive, dropbox, google drive
4. Login as a standard user and see if a) you can access those sites b) if you can download exe or zips c) if the exe runs d) if the code works

Well today it did :rolleyes: If someone really wanted to cause damage, they could reset everyone's password.

What tends to confuse a lot of IT engineers is that although Microsoft states "access to changing user accounts requires at minimum the account operators permission" that is not always true. The account I used was only a member of domain users. Historical misuse of delegation is what catches most people out....or testing things out and forgetting about them.

Just wondering how often you all try and find problems with your own networks.
 
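The four steps above, written out as an added example (this is not the OP's own code, which he compiles to an exe; it is a PowerShell script that does the same read-then-write-back test from a domain-joined machine). Assumptions: it runs as an ordinary member of Domain Users, `$TestUser` is a throwaway account you own, and the attribute written back is `description`, chosen because it is harmless and easy to revert. The third step reads the object's DACL to show where an unexpected write right actually came from, which is the "historical misuse of delegation" point in the post.

```powershell
# Added example (not the OP's code). Assumptions: domain-joined Windows box, run as an
# ordinary member of Domain Users, $TestUser is a throwaway account you own, and the
# write-back target is 'description' because it is harmless and easy to revert.
param(
    [string]$TestUser = 'ldaptest01'   # assumed throwaway account; change to suit
)

Add-Type -AssemblyName System.DirectoryServices

function Get-Prop($Result, [string]$Name) {
    # SearchResult property collections are empty, not null, when an attribute is unset.
    $v = $Result.Properties[$Name]
    if ($v.Count -gt 0) { $v[0] } else { $null }
}

# 1. Bind with the caller's own credentials and enumerate every user object.
$baseDn   = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
$domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$baseDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000          # paged results, otherwise the server stops at 1000 objects
foreach ($attr in 'sAMAccountName','mail','memberOf','pwdLastSet','userAccountControl') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$users = foreach ($r in $searcher.FindAll()) {
    $uac = [int](Get-Prop $r 'useraccountcontrol')
    [pscustomobject]@{
        Sam             = Get-Prop $r 'samaccountname'
        Mail            = Get-Prop $r 'mail'
        GroupCount      = @($r.Properties['memberof']).Count
        Disabled        = [bool]($uac -band 0x0002)    # ACCOUNTDISABLE
        PasswordNotReqd = [bool]($uac -band 0x0020)    # PASSWD_NOTREQD
        PwdNeverExpires = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD
    }
}
'Read {0} user objects as {1}\{2}' -f $users.Count, $env:USERDOMAIN, $env:USERNAME
'  of which {0} have PASSWD_NOTREQD and {1} never expire' -f `
    @($users | Where-Object PasswordNotReqd).Count, @($users | Where-Object PwdNeverExpires).Count

# 2. Try to write one attribute back to the test account. A plain Domain User should be
#    denied; success means someone has delegated write access wider than they think.
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Test account '$TestUser' not found" }
$entry    = $hit.GetDirectoryEntry()
$original = $entry.Properties['description'].Value
try {
    $entry.Properties['description'].Value = "write-test $(Get-Date -Format s)"
    $entry.CommitChanges()
    'WRITE SUCCEEDED as a standard user on {0} - review the delegation' -f $entry.Properties['distinguishedName'].Value
    # Put it back the way it was.
    if ($null -eq $original) { $entry.Properties['description'].Clear() }
    else                     { $entry.Properties['description'].Value = $original }
    $entry.CommitChanges()
} catch [System.UnauthorizedAccessException] {
    'Write denied (the expected result for a standard user)'
}

# 3. Explain the result: which principals hold write-type rights on that object, and
#    whether they arrived by inheritance from an OU (old delegation nobody remembers).
$entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner|ExtendedRight|Self'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType |
    Format-Table -AutoSize
```

Expect to see SELF and Everyone in the step 3 output (validated writes and the change-password right are granted by default); the entries to chase are groups you do not recognise, especially inherited ones, and any ExtendedRight or GenericAll held by a broad group, since that is what turns "can write a description" into "can reset everyone's password".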
Soldato (joined 14 Apr 2014, 2,586 posts, East Sussex):
I've found that looking up the IPs of all the boxes owned by security and then blocking said IPs explicitly on every host I own has been very useful in reducing the amount of security incidents I get arriving at my door :D

Now where did I leave that ssh key for root that's valid on every box....
 
Soldato (joined 15 Sep 2009, 2,890 posts, Manchester):
At a previous large global enterprise we did fail a security test, when the pentester rocked up, told reception he was an air-con engineer and she let him into the server room without question :rolleyes: access rights were soon locked down to just certain members of IT after that.
 
Man of Honour (joined 13 Oct 2006, 91,053 posts):
> At a previous large global enterprise we did fail a security test, when the pentester rocked up, told reception he was an air-con engineer and she let him into the server room without question :rolleyes: access rights were soon locked down to just certain members of IT after that.

A lot of companies will fail a physical test - most people are complacent, lazy and/or don't like to challenge perceived authority - I've worked for a few companies where an auditor has rocked up in a high-vis and acted confidently and people just open doors for them.
 
Soldato (joined 15 Sep 2009, 2,890 posts, Manchester):
> A lot of companies will fail a physical test - most people are complacent, lazy and/or don't like to challenge perceived authority - I've worked for a few companies where an auditor has rocked up in a high-vis and acted confidently and people just open doors for them.

Yup, I was only a junior at the time and it was an interesting introduction to the physical aspect of security and social engineering.
 
Soldato, OP (joined 30 Sep 2005, 16,546 posts):
> At a previous large global enterprise we did fail a security test, when the pentester rocked up, told reception he was an air-con engineer and she let him into the server room without question :rolleyes: access rights were soon locked down to just certain members of IT after that.

Oh that's quite a basic fail right there. Server rooms should have key fob access.
 
Soldato (joined 15 Sep 2009, 2,890 posts, Manchester):
> Oh that's quite a basic fail right there. Server rooms should have key fob access.

It did; unfortunately the person who programmed the fobs was reception, so they used theirs, which they'd programmed for access to all carded entries. It was an excellent learning piece for multiple people.
 
Associate (joined 16 Mar 2004, 1,891 posts, Oxford):
Where I used to work the server room was rarely locked and the key was kept in a drawer next to the door. When a message came from head office stating that it must be locked at all times and the key kept in a secure location, it was. A key box was put on the wall next to the server room, with the server room key inside; the key to the box was then kept in the drawer next to the box and server room.
 
Soldato (joined 5 Mar 2010, 12,342 posts):
> It was an excellent learning piece for multiple people.

If people struggle with a physical intrusion, then they've probably got absolutely no help when it comes to things like phishing emails.

Our data center is insanely well locked down, and the most ridiculous part is that 90-95% of the racks only contain R&D equipment that only have test data on them. I'm sure a hacker would have a great deal of fun transferring petabytes of what's effectively randomised data.
 
Associate (joined 25 Jun 2004, 1,276 posts, .sk.dkwop.):
Secure is really just about risk mitigation, or accepting the risk. A lot of companies haven't even started the path. I really fear for the next couple of years from the various issues we'll see from the COVID-19 WFH policies / ad hoc bring-your-own-device. I think we're going to see a lot of data breaches, and very few will be able to understand where / when it happened in such distributed, ill-controlled IT as is present in every country.
 
Soldato (joined 18 Oct 2002, 4,533 posts):
My favourite starting point is simply to run Zenmap/nmap against a company's public IP range. There are very few times it doesn't turn up interesting results; did a quick audit for a company a couple of weeks back and picked up several RDS servers directly accessible over 3389, and some switches and ESX hosts with SSH open externally. Slack doesn't come into it with things like that... just pure mismanagement and incompetence.
 
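The external-exposure scan the post above describes, as an added example (not the poster's tooling). It runs nmap once against the public range, then parses the grepable output to pull out exactly the kind of findings he lists: RDP on 3389 and SSH on switches and ESX hosts. Assumptions: nmap is installed and on PATH, `$Target` is a range you are authorised to scan (203.0.113.0/24 is the RFC 5737 documentation range, used only as a placeholder), and the port list is this example's own choice of services that should not face the internet without a VPN or MFA gateway in front.

```powershell
# Added example (not the poster's tooling). Assumes nmap on PATH and an address range you
# are authorised to scan; 203.0.113.0/24 is the RFC 5737 documentation range (placeholder).
param(
    [string]$Target  = '203.0.113.0/24',
    [string]$OutFile = 'external-scan.gnmap'
)

# Management and remote-access services that should not be reachable from the internet
# without a VPN or an MFA gateway in front of them (this example's list, not a standard).
$RiskyPorts = @{
    22   = 'SSH (switch / ESXi / Linux management)'
    23   = 'Telnet'
    445  = 'SMB'
    902  = 'VMware ESXi host agent'
    3389 = 'RDP / RDS'
    5900 = 'VNC'
    5985 = 'WinRM'
}

# -Pn: do not rely on ping (edge firewalls drop it); -sV: grab banners so the report says
# "OpenSSH on a Cisco switch" rather than just "port 22"; -oG: grepable output to parse.
$portList = ($RiskyPorts.Keys | Sort-Object) -join ','
& nmap -Pn -sV --open -p $portList -oG $OutFile $Target | Out-Null

# Grepable lines look like:
# Host: 203.0.113.5 (rds1.example.net)<TAB>Ports: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/<TAB>Ignored State: ...
# Each port field is port/state/protocol/owner/service/rpc-info/version/
$findings = foreach ($line in Get-Content $OutFile) {
    if ($line -notmatch '^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.+?)(\t|$)') { continue }
    $ip, $name, $portsField = $Matches[1], $Matches[2], $Matches[3]
    foreach ($field in $portsField -split ',\s*') {
        $f    = $field -split '/'
        $port = [int]$f[0]
        if ($f[1] -eq 'open' -and $RiskyPorts.ContainsKey($port)) {
            [pscustomobject]@{
                Host    = $ip
                Name    = $name
                Port    = $port
                Service = $f[4]
                Version = $f[6]
                Why     = $RiskyPorts[$port]
            }
        }
    }
}

$findings | Sort-Object Port, Host | Format-Table -AutoSize
'{0} exposed management/remote-access services across {1} hosts' -f `
    @($findings).Count, @($findings | Select-Object -ExpandProperty Host -Unique).Count
```

The Version column is what makes the finding actionable: "OpenSSH" on a host that also answers on 902 is an ESX box, "Microsoft Terminal Services" on 3389 is an RDS server, and a switch will usually announce its vendor. An exposed RDS server is the worst of these, because, as the later posts point out, it is the combination with a weak password policy that turns "port open" into a credential-guessing target.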
Soldato, OP (joined 30 Sep 2005, 16,546 posts):
> My favourite starting point is simply to run Zenmap/nmap against a company's public IP range. There are very few times it doesn't turn up interesting results; did a quick audit for a company a couple of weeks back and picked up several RDS servers directly accessible over 3389, and some switches and ESX hosts with SSH open externally. Slack doesn't come into it with things like that... just pure mismanagement and incompetence.

That's really quite shocking
 
Soldato (joined 18 Oct 2002, 4,533 posts):
> That's really quite shocking

What was worse, particularly for the exposed RDS servers, is that they'd turned off password complexity & forced password change in AD across the estate. They'd left an open door with big neon signs around it inviting people in. This was not a small company either.

For me though... great... the audit writes itself very quickly :D
 
Soldato, OP (joined 30 Sep 2005, 16,546 posts):
> What was worse, particularly for the exposed RDS servers, is that they'd turned off password complexity & forced password change in AD across the estate. They'd left an open door with big neon signs around it inviting people in. This was not a small company either.
>
> For me though... great... the audit writes itself very quickly :D

That password change at next logon could have come from the CredSSP fix back in 2018. We had that, although our RDS is on Server 2019, in a DMZ, open only on 443. The workaround for us was password complexity, and we are trialling Azure MFA for RDS.

I would be 99% sure that's why they disabled that tick box on the user's account. They do need a lockout policy though lol
 
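The two posts above, the auditor's (complexity and forced change turned off across the estate) and the OP's reply (no lockout policy), describe the checks an auditor would run against the domain password policy. As an added example, not either poster's own script, here is that check in PowerShell. Assumptions: the ActiveDirectory RSAT module is installed, the thresholds (length 12, lockout 1 to 10 attempts, 15 minutes) are this example's choices rather than a published baseline, and the fine-grained policy and "exempt account" queries are included because a complexity exception for directors, which the thread describes, usually lives in one of those two places rather than in the default policy.

```powershell
# Added example (not the posters' own check). Requires the ActiveDirectory RSAT module;
# policy objects are readable by any domain user, so no elevation is needed.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy

# Thresholds are this example's assumptions, not a Microsoft baseline.
# MaxPasswordAge of 00:00:00 is how "passwords never expire" shows up here.
$checks = @(
    @{ Check = 'Complexity enabled';          Value = $p.ComplexityEnabled;           Ok = $p.ComplexityEnabled }
    @{ Check = 'Minimum length >= 12';        Value = $p.MinPasswordLength;           Ok = $p.MinPasswordLength -ge 12 }
    @{ Check = 'Maximum age set (0 = never)'; Value = $p.MaxPasswordAge;              Ok = $p.MaxPasswordAge -gt [TimeSpan]::Zero }
    @{ Check = 'Lockout threshold 1-10';      Value = $p.LockoutThreshold;            Ok = ($p.LockoutThreshold -ge 1) -and ($p.LockoutThreshold -le 10) }
    @{ Check = 'Lockout duration >= 15 min';  Value = $p.LockoutDuration;             Ok = $p.LockoutDuration -ge [TimeSpan]::FromMinutes(15) }
    @{ Check = 'Reversible encryption off';   Value = $p.ReversibleEncryptionEnabled; Ok = -not $p.ReversibleEncryptionEnabled }
)
'Default domain password policy:'
$checks | ForEach-Object { [pscustomobject]$_ } | Format-Table Check, Value, Ok -AutoSize

# Fine-grained policies override the default for whoever they apply to; a PSO with
# complexity off for a "Directors" group is exactly the exception the thread describes.
'Fine-grained password policies (highest precedence = lowest number wins):'
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, LockoutThreshold,
                  @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { ($_ -split ',')[0] }) -join '; ' } } |
    Format-Table -AutoSize

# Enabled accounts that side-step the policy entirely: no password required, or never expires.
'Enabled accounts exempt from the policy:'
Get-ADUser -Filter { PasswordNotRequired -eq $true -or PasswordNeverExpires -eq $true } `
           -Properties PasswordNotRequired, PasswordNeverExpires, Enabled |
    Where-Object Enabled |
    Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires |
    Format-Table -AutoSize
```

Read the three tables together: a sane default policy is worth little if a fine-grained policy with lower precedence number switches complexity off for the people most likely to be targeted, and a lockout threshold of 0 means "never lock out", which on an internet-facing RDS server is an invitation to guess.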
Caporegime (joined 22 Nov 2005, 45,258 posts):
There used to be a Windows IIS buffer overflow exploit, or whatever it was, that hardly any companies patched, like 20 years ago; you could scan a huge IP range with software that checks for vulnerabilities and get a whole list of computers that were vulnerable.
Inject some code into a web browser and it would upload an FTP daemon, giving you full root access to the drive.

There used to be tons of websites that had some vulnerability that let you deface them too :D

I guess auto updates have since saved a lot of people's jobs...
 
Soldato (joined 18 Oct 2002, 4,533 posts):
> There used to be a Windows IIS buffer overflow exploit, or whatever it was, that hardly any companies patched, like 20 years ago; you could scan a huge IP range with software that checks for vulnerabilities and get a whole list of computers that were vulnerable.
> Inject some code into a web browser and it would upload an FTP daemon, giving you full root access to the drive.
>
> There used to be tons of websites that had some vulnerability that let you deface them too :D
>
> I guess auto updates have since saved a lot of people's jobs...

You give them too much credit. They set these policies because some of the directors complained it was too difficult to remember passwords.

I wish I was making any of this up.

Edit - Another thing that blew me away with these guys was their desktop estate... not from a security perspective, but a genuine WTF moment. They didn't purchase desktops from Dell, HP, or whoever... they were literally custom building desktops in the same way we do as a hobby (not gaming desktops, but still..). Their office was a graveyard to custom cases, ASRock mobos, SSDs, etc.

This company is literally what would happen if your average amateur PC enthusiast was let loose on a corporate network. Size of company is around 900, so not a small outfit.

To be fair - it's probably the worst case of IT mismanagement I've seen in 20+ years, so thankfully not the norm.
 
Permabanned (joined 9 Aug 2008, 35,707 posts):
> You give them too much credit. They set these policies because some of the directors complained it was too difficult to remember passwords.
>
> I wish I was making any of this up.
>
> Edit - Another thing that blew me away with these guys was their desktop estate... not from a security perspective, but a genuine WTF moment. They didn't purchase desktops from Dell, HP, or whoever... they were literally custom building desktops in the same way we do as a hobby (not gaming desktops, but still..). Their office was a graveyard to custom cases, ASRock mobos, SSDs, etc.
>
> This company is literally what would happen if your average amateur PC enthusiast was let loose on a corporate network. Size of company is around 900, so not a small outfit.
>
> To be fair - it's probably the worst case of IT mismanagement I've seen in 20+ years, so thankfully not the norm.

That would have been an absolute nightmare to manage!
 