1. Case Studies in
Network Vulnerability
Assessments

2. About Chris
 I am a VP and a Senior Security Engineer at
PatchAdvisor
 In 1991 I started one of the first companies to
ever provide comprehensive penetration
testing/vulnerability assessment services
 I’ve examined networks in every industry
sector, in dozens of countries

3. Industry Expertise

4. Network Vulnerability Assessments
 Internal and external reviews
 Validation of existing security mechanisms
 Detailed analysis of networked devices and
services
 Not merely running a commercial scanning
tool
 Audit for policy compliance
 Prioritized recommendations for improving
security posture

5. Vulnerability Assessments: WHY?
 Only realistic way to determine vulnerabilities
 Get a baseline of vulnerability state
 Prioritize remedial actions
 Correct serious problems quickly
 Assure that policies address real
vulnerabilities
 Industry best practice

6. Vulnerability Assessments: HOW?
 Internet-based attack
 Preferably, should include in-depth web
application assessments
 On-site engagement
 Internal attacks
 Simultaneous war dialing / wireless / partner
connections
 Initial out-briefing
 Report delivery
 Executive briefing

7. Web Application Assessments
 Comprehensive evaluation of application
 Network perspective
 Server configuration
 Software settings
 Authenticated and Unauthenticated attacks
 Emulate both internet-based attacker, and valid user
exceeding authorized access
 Examine applications for all types of security issues
 SQL Injection
 XSS/CSRF
 Buffer Overflows
 Cookie Manipulation
 URL Replay attacks
 Denials of Service

8. How PatchAdvisor Sees A Network

9. The Most Common Issues
 Patch management
 Nearly every organization I have examined has been
woefully behind in patches, especially on Non-OS/3rd
party
applications
 Misconfigured Services
 Insecure file shares, poor access control, default settings
 Poor Coding
 Vulnerable web applications, desktop applications & mobile
apps
 Passwords
 Weak passwords and poor password discipline are still the
number one mechanism used by attackers to gain access

10. Attacks Can Start Anywhere…
 Unpassworded TELNET access into print server
 SNMP Read/Write community string exposed in printer
configuration menu
 Community string also used on devices such as routers,
switches, etc.
 “Level 7” hashes in Cisco config files exposed the password
“mbhafnitsoscar”
 This password also used by a Windows Domain Administrator
 Windows Domain also tied to NetWare eDirectory
 In total, compromise of nearly 15,000 accounts and 99.99% of
all systems and network devices…all from one insecure printer

11. Real War Stories – Healthcare
 Internet scans found a SharePoint Server with some
limited unauthenticated access
 Search queries exposed numerous documents with
“password”
 One was a set of instructions for training new users on
electronic medical records application
 This included a Windows domain account and password
 This account and password gave access through a Citrix
remote desktop server
 This gave us access to the organization’s Internal network
 NOTE: I have followed this same attack path to
compromise other entities, including banks, law firms, and
insurance companies

12. Real War Stories – Hedge Fund
 During internal network assessment, NetBIOS name
spoofing exposed numerous accounts
 System Administrators appeared to be remotely
connecting to Windows-based systems as the
Administrator account
 Password was quickly cracked
 Same local administrator password was used on
EVERY workstation and server

13. Real War Stories – Government
Agency
 On the internal network several Isilon file servers were found
 HDFS was running without any access control restrictions set
 One directory on the file server had virtual machine images
 Pulled down copies and loaded them under local VMware workstation
on our attacker laptops
 Extracted usernames and passwords from the virtual machine by first
booting to virtual CD image of kon-boot and bypassing local login
 Could have also gained access by replacing “sticky keys
app”, copying SAM and SYSTEM files, etc.
 Local administrator-level accounts recovered worked on numerous
other servers
 Used Mimikatz to recover accounts from each of the additional systems
and exposed numerous Domain Administrator-level accounts
 This led to the compromise of several thousand Windows-based
systems

14. Real War Stories - Financial Industry
 On the internal network there were numerous
systems running server-based JAVA applications
 Many were commercial applications from major
industry leaders (IBM, HP, VMware, etc.)
 Numerous attacks over JavaRMI led to remote code
execution
 Missing patches, insecure libraries,
unauthenticated access to JMX consoles, etc.
 Extracted cached accounts and plaintext passwords
using Mimikatz program including Domain
Administrator-level accounts

15. The Inevitable Conclusion
It’s not about perfect security;
it’s about DUE DILIGENCE.
“Given the inevitability of computer losses, you’ll
be judged not by whether you were the victim of
an attack, but by how well you planned for it."
- Computer Security Institute

16. In Closing…
 Due diligence requires a full spectrum of
countermeasures
 Vulnerability assessments are a critical
component of successful security programs
 Understand that your organization is not as
unique as you think it is

17. PatchAdvisor, Inc
703-256-0156
5510 Cherokee Ave
Suite 120
Alexandria, VA. 22312