EvilZone

: Most common vulnerabilities encountered in a business environment
: Mordred May 16, 2013, 11:11:04 AM
Hey guys. For my final thesis that I'm currently busy with, and actually close to finishing, I need to find a bit of information regarding what are the most encountered vulnerabilities in a normal working environment (i.e. in an office building network) because I have to compare them with my results from the audits I'm conducting.

The issue that I'm having is that I can't locate some sort of report or briefing which would show this kind of vulns. Most of the stuff is either really basic level or it deals with social engineering shit. Nothing mentioned about common vulns pertaining to software or operating systems or the likes.

That being said I'd like to make a request to anybody who could offer me this kind of information. I have discussed it with my Supervisor and he said that the results of a blackhat hacker are also completely acceptable as long as I can reference his results somehow without compromising his identity or any of his security.

Can anybody offer me some assistance in this? I have milk and cookies to give out, srsly.

Thank you.


For more info on the project itself (in case you want a bit of clarification on what's the idea) you can check this thread (http://evilzone.org/projects-and-discussion/b-eng-final-thesis-comparing-pentesting-methodologies/).
: Re: Most common vulnerabilities encountered in a business environment
: proxx May 16, 2013, 11:21:06 AM
I'll assume that just listing some stuff is okay?

I've encountered several outdated Linux systems; from what I noticed, people often leave critical systems as they are because they fear knocking them down, etc.
That and the fact that there are a lot of sysadmins who don't know too much about Linux and are very Windows-minded.

Another interesting thing is that often internal websites/services etc. are poorly protected, that is: lame passwords or outdated versions.
Often it is assumed that the external defense is strong enough to keep people out; once inside it's a playground.
Again this is from personal experience.

Misconfiguration is very common.
"Okay, it works", hands off.

Firewall gaps are something I encounter every now and then.
Old stuff doesn't get removed, again probably afraid of killing stuff.

I'll continue if you want?




: Re: Most common vulnerabilities encountered in a business environment
: Mordred May 16, 2013, 11:27:38 AM
The catch is that this is a scientific paper. Everything in it must be referenced by APA standards, which means my sources should be books, articles, web-sites and along these lines.

It's not that I don't believe your results, but I cannot reference a forum post because it can have doubtful credibility from the point of view of a scientific paper.

On the other hand though I appreciate all input, so if you have information just give it to me and I will discuss it with my teacher if it would be possible to somehow reference this.

Thank you proxx.
: Re: Most common vulnerabilities encountered in a business environment
: proxx May 16, 2013, 11:36:07 AM
> The catch is that this is a scientific paper. Everything in it must be referenced by APA standards, which means my sources should be books, articles, web-sites and along these lines.
>
> It's not that I don't believe your results, but I cannot reference a forum post because it can have doubtful credibility from the point of view of a scientific paper.
>
> On the other hand though I appreciate all input, so if you have information just give it to me and I will discuss it with my teacher if it would be possible to somehow reference this.
>
> Thank you proxx.

That's alright.
I'll see if I can dig up some stuff.
Might have some, other drive, other city :P
: Re: Most common vulnerabilities encountered in a business environment
: p@nd@ May 16, 2013, 03:06:55 PM
I would love to help by giving you our reports from the audit we had recently that shows some common things. Unfortunately being a financial organization I can not do that :(
: Re: Most common vulnerabilities encountered in a business environment
: Evilone May 16, 2013, 05:06:03 PM
Make sure to reference the OWASP Top 10 http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf . A major problem is Patch Management but I don't have any sources to cite that but maybe some googling will lead you in the right direction :)




Good luck
: Re: Most common vulnerabilities encountered in a business environment
: vezzy May 16, 2013, 05:23:15 PM
Besides OWASP, you can perhaps try referencing findings from various information security certification organizations, such as the EC-Council.

You should really try looking in the less technical directions, too. Physical vulnerabilities, weak passwords, etc.
: Re: Most common vulnerabilities encountered in a business environment
: RedBullAddicted May 16, 2013, 06:12:07 PM
Hi Mordred,

guess I can't really help but here are some impressions I gathered through IT projects in various companies in the manufacturing sector.
1. One big point is the system (mainly Windows) updates on the server systems. Typically there is a WSUS (Windows Server Update Services) which centrally downloads the updates and pushes them to the clients/servers. As you can never be sure that a certain update won't crash a needed application on a server, there are typically a couple of guys who approve the updates and install them on the system. Pretty often this is done in a monthly interval and worse. This means they can't react to a newly discovered vulnerability regarding Microsoft software in a short time period.
2. There are often machine control applications written in Java and whatnot requiring a specific Java version which can't be updated to ensure the functionality of the software.
3. Old machines (lifetime for an industrial machine is at least 10 years and above) with computer based control software running on old Windows versions. Damn.. in 2011 I have seen a couple of machine control computers running Windows NT or 2000 because the software is not running under a newer release. Typically updates are completely disabled and no security features are installed.
4. System administrators have a lot to deal with and therefore don't have the time necessary to focus and gain in-depth knowledge about a specific software that is running elsewhere on the corporate network. They buy software with support for a specific period and many times they don't get updates after the support contract ran out but they keep using the software for many years.
5. You can't imagine how often I have seen a network run by complete idiots.. lol. They buy Cisco or similar expensive network equipment without any knowledge. The worst thing is that they can use the switch without ever doing a configuration on them. Guess I don't need to say that a network device with factory default settings has some nice attack vectors :)

Feels like I could write a whole book about this stuff but it's 6 pm and I can go home now :) If this is close to the information you are looking for I could go on later. If it does not fit just forget what you just read.. lol. Please forgive me for any typos.. I was writing this in a hurry and without an eng. spell checker :)

Cheers,
RBA
: Re: Most common vulnerabilities encountered in a business environment
: Mordred May 16, 2013, 08:16:52 PM
@panda: that's unfortunate and understandable at the same time. However even if it were possible, it's still only the results of 1 company, and I need to do a statistical computation which requires a large sample. Basically I'm trying to identify if the vulnerabilities I have located in my audit are in their majority vulnerabilities that you are very likely to encounter in the networks of most companies.

@evilone: I have indeed already checked out the OWASP Top 10, but that doesn't fit because those are web vulns. I require vulns in the network infrastructure that a company uses. i.e. in their machines, servers, firewalls, switches, routers and access points.

@vezzy: I tried searching EC-Council's white-papers for this stuff, but I came up empty handed unfortunately. And the scope is in technical vulnerabilities. I already covered Social Engineering aspects in another chapter of the thesis.

@RBA: that's a bit closer to what I need. Initially I was actually trying to find a list of vulnerabilities with CVE codes and all, but now I've realized that I won't find that. So I switched to the most encountered weaknesses and out of those I will "extract" the vulnerabilities themselves with their CVE codes and all. If you have any more information I would love it, but I also have to ask for your permission to reference your posts in my thesis. This means that they will be read by quite a lot of people and most likely I will have to offer a direct link to your post as per APA reference standards. I need your permission in order to do so, explicitly and in writing in the post. I would love you long time if you do this, I swear.


Thank you all for your input though. It is highly appreciated!
: Re: Most common vulnerabilities encountered in a business environment
: RedBullAddicted May 17, 2013, 11:56:18 AM
Hi Mordred,

sure you can reference this post. But before that I should remove all the typos... lol. As promised here are some other things I found in the past during my consulting time.

To summarize it all.. the most often found security problems are caused by administrators who have no in-depth knowledge about what they are doing or just don't have time to read about it. They are forced to solve a problem as fast as possible and mostly it is quick and dirty and no one cleans up the mess afterwards :)

If more points come back to my mind I will update this post :)

EDIT:
Shortly after I posted this I remembered another thing. That's not really an attack vector but it makes the information gathering pretty easy. Some time ago I have been at a customer site and talked with the admin about their monitoring solutions. He told me that they would monitor everything via snmp which isn't so bad. Curious as I am I tried to snmpwalk some of the machines and I was amazed to see that all machines used the snmp community "public" for read and "private" for write access. I showed him how easy it is to get a lot of system information by snmpwalking the machines and told him to completely delete the write access as he does not need it for monitoring purposes. To help him understand I disabled some unimportant services on a Windows host with simple snmpset commands.

Cheers,
RBA
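
An added example, not part of the thread and not any poster's code: a defender-side check for the SNMP weakness described in the post above (the well-known "public"/"private" communities and write access that monitoring does not need). It assumes Net-SNMP's `snmpd.conf` directives (`rocommunity`, `rwcommunity`, `com2sec`); the sample configuration and the finding codes are constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults named in the post
RO = {"rocommunity", "rocommunity6"}
RW = {"rwcommunity", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return (line_no, code, detail) findings for the body of an snmpd.conf."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue                          # blank line or comment
        directive = tok[0].lower()
        if directive in RO | RW and len(tok) >= 2:
            community = tok[1]
            # An omitted source means "default", i.e. any client may query.
            source = tok[2] if len(tok) >= 3 else "default"
        elif directive == "com2sec" and len(tok) >= 4:
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            source, community = tok[-2], tok[-1]
        else:
            continue
        if directive in RW:
            findings.append((no, "WRITE_ACCESS",
                             "read-write community; monitoring only needs read"))
        if community in DEFAULT_COMMUNITIES:
            findings.append((no, "DEFAULT_COMMUNITY",
                             f"well-known community string {community!r}"))
        if source == "default":
            findings.append((no, "ANY_SOURCE",
                             "no source restriction; limit to the monitoring host"))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# snmpd.conf (constructed)
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec monitor 192.0.2.10 Xk29-constructed-string
rocommunity Xk29-constructed-string 192.0.2.10
"""

if __name__ == "__main__":
    for no, code, detail in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {code}: {detail}")
```
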
: Re: Most common vulnerabilities encountered in a business environment
: agraj May 29, 2013, 04:00:51 PM
From my little experience I can say admin shares, i.e. c$, are the biggest flaw in a business environment. If enabled it can give a lot of stuff.

Also there is most common zero day vulnerability in most of the proxies.

 
: Re: Most common vulnerabilities encountered in a business environment
: Mordred May 29, 2013, 05:19:41 PM
Thank you for all your input guys! Especially RBA!

I have indeed used your information in my thesis as well. Prolly gonna see a few weird hits on the thread whilst people check referencing in my thesis, and it might be possible that you will be asked via PM to verify that indeed you have agreed to let me use the information, however I don't think that will be necessary as I have a really big reference list which shows basically the results I want :).
: Re: Most common vulnerabilities encountered in a business environment
: BangYa June 06, 2013, 03:54:12 PM
Have you looked at the Verizon or WhiteHat security reports?  They usually have a lot of information pertaining to the enterprise. 
: Re: Most common vulnerabilities encountered in a business environment
: trexd___ June 25, 2013, 09:49:22 AM
Cold boot attacks make any computer vulnerable as long as the password is stored in the RAM. Any computer running Windows that is "locked" stores its password in the RAM. Therefore most businesses that run Windows (that do not boot with the entire drive encrypted) are vulnerable.


Princeton University has a video and article on how this is done and what systems are vulnerable here: https://citp.princeton.edu/research/memory/
: Re: Most common vulnerabilities encountered in a business environment
: vezzy June 25, 2013, 06:05:19 PM
> Cold boot attacks make any computer vulnerable as long as the password is stored in the RAM. Any computer running Windows that is "locked" stores its password in the RAM. Therefore most businesses that run Windows (that do not boot with the entire drive encrypted) are vulnerable.

The attack isn't solely dependent on that though, there are plenty of mitigations, e.g. setting the BIOS or UEFI to overwrite memory during the POST process.
: Re: Most common vulnerabilities encountered in a business environment
: Darkvision June 26, 2013, 01:15:02 AM
@mord Yeah just kind of want to confirm what all RBA was talking about, it's been my experience as well. I know for a fact for instance that in 2006 one of the computers on our network was win 3.1 .... As well, any place I've ever worked with Windows servers does update pushes at best a week after they have been released. It's ugly out there.
: Re: Most common vulnerabilities encountered in a business environment
: trexd___ June 26, 2013, 04:02:14 PM
Yeah, I'm not really an expert on the subject, but read the article; there's a lot more information there :)
: Re: Most common vulnerabilities encountered in a business environment
: Mordred June 27, 2013, 09:43:54 AM
Thank you for the help guys! The thesis is over and I scored an 8/10! Which is fucking incredible!

Thank you!