4 Discovering network vulnerabilities

This chapter covers

  • Creating effective password lists
  • Brute-force password-guessing attacks
  • Discovering patching vulnerabilities
  • Discovering web server vulnerabilities

Now that our movie heist crew has finished mapping out all of the entry points leading into their target facility, the next thing they have to do is determine which (if any) are vulnerable to attack. Are there any open windows that somebody forgot to close? Are there any closed windows that somebody forgot to lock? Do the freight/service elevators around the back of the building require the same type of keycard access as the main elevators in the lobby? Who has access to one of those keycards? These and many more are the types of questions our “bad guys” should be asking themselves during this phase of the break-in.

From the perspective of an internal network penetration test (INPT), we want to figure out which of the services we just identified (the network entry points) are vulnerable to a network attack. So, we need to answer questions like the following:

  • Does system XYZ still have the default administrator password?
  • Is the system current? That is, does it have all the latest security patches and vendor updates applied?
  • Is the system configured to allow anonymous or guest access?

Being able to think like an attacker whose sole purpose is to get inside by any means necessary is critical to uncovering weaknesses in your target environment.

4.1 Understanding vulnerability discovery

4.1.1 Following the path of least resistance

4.2 Discovering patching vulnerabilities

4.2.1 Scanning for MS17-010 Eternal Blue

4.3 Discovering authentication vulnerabilities

4.3.1 Creating a client-specific password list

4.3.2 Brute-forcing local Windows account passwords

4.3.3 Brute-forcing MSSQL and MySQL database passwords

4.3.4 Brute-forcing VNC passwords

4.4 Discovering configuration vulnerabilities