How to find the most vulnerable systems on your internal network

Windows passwords

Almost every large organisation uses Microsoft’s Windows operating system (OS) as their primary authentication domain. Subvert Windows in the right way and the assailant will have direct or indirect access to every piece of valuable and sensitive information in the business, no matter where it is stored.

Using freely available tools, an insider with low-privilege access can discover how many password attempts he can try in what period before locking an account. He can also examine the names in the administrators and domain admins groups to build a list of target accounts. Selecting each of these accounts in turn and attempting to guess its password becomes straightforward – and invisible – over a lengthy period. Of course there are also published lists of default service account names and passwords which he can try.

Unfortunately it is not only Windows administrator accounts at risk. Senior staff and decision-makers will have access to plenty of sensitive information but often have poor quality passwords. The same password-guessing techniques will frequently succeed in giving a miscreant access without setting off any alarm bells.

Windows admins can use tools like Cain and Abel, SAMInside or Ophcrack to perform regular password audits on domain accounts. The results can be used to correct misconfigured admin accounts and persuade key users to improve their passwords, reducing risk to an acceptable level. Implementing passphrases in place of simple passwords will make the opportunistic attacker’s job significantly more difficult.

Unused services

Another area of concern is the large number of services running on a typical Windows, Unix or Linux server. These are often more than enough to discourage an admin with too little time and too few resources from determining which are needed and which are redundant. As a result there are many different routes into an otherwise secure server.

For example, many Windows server installations have Internet Information Server (IIS) installed by default. Since it is a huge job to patch every Windows system in a corporate network, the focus is typically on internet-facing devices first. This leaves unpatched servers vulnerable to attack, potentially giving the attacker administrative access and thus the ability to harvest all the information they want.

Business systems running on Unix or Linux operating systems may suffer when most in-house technical expertise is on Windows systems. These systems are sometimes administered remotely by the third parties who supplied the application, who are not always motivated to install the latest patches or to harden the operating system configuration. This results in a variety of older services all ripe for exploitation, often on business-critical systems running finance applications.

Unused and unpatched services can be addressed by the selective and careful use of one of many commonly available vulnerability scanners. Nessus and Qualys remain the most popular scanners and provide you with a good overview of your network exposure. Alternatively, an occasional visit by a third party to conduct a vulnerability assessment and penetration test can be a cost-effective alternative.

Routers and switches

Organisations frequently overlook the security of routers and switches. Common management protocols can provide the opportunity to intercept traffic, selectively eavesdrop on critical business communications or cause disruption on a massive scale throughout the organisation.

Simple Network Management Protocol (SNMP) was developed to manage devices on an IP network. It is also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic. SNMP is enabled by default on routers, switches and sometimes even servers. If you’re using network management software like HP OpenView or IBM Tivoli then you’re using SNMP. However, even if you’re not using any network management tools, you’ll still have SNMP somewhere on your network.

There are two passwords, called community strings, which control access to SNMP-enabled devices: the read string and the read-write string. These are often left at their default values, and in SNMP version 1 this is your only protection. An inside attacker only needs to feed his default gateway address and the read string into a network discovery tool and he will soon have a detailed map of your network.

If the assailant knows the SNMP read-write string, he can also download the configuration from each router and switch. If he’s lucky he can alter and then upload the configuration, causing all kinds of problems, or perhaps read the administrative passwords, giving him unlimited control of your network infrastructure.

If you have servers running SNMP – and the chances are you do – an attacker can also list the name of every user and group on that server without any further authentication. This is an excellent starting point for password-guessing and dictionary attacks, as described above.

A network discovery exercise using a tool like NetworkView, WhatsUp Gold or SolarWinds Engineer’s Toolset can provide you with valuable information on your network infrastructure weaknesses and allow you to develop a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders.

Communications links to business partners are proliferating as organisations become more interdependent. These connections are often poorly documented and sometimes unprotected. A network discovery exercise can also highlight these weak spots, by analysing routing tables and exposing third party addresses that are not firewalled or filtered.

Peter Wood is the chief executive officer at First Base Technologies LLP and Member of the ISACA London Chapter Security Advisory Group