DEMO CORP

Security Assessment Findings

Report

Business Confidential

Date: March 9th, 2021

Project: DC-001
Version 1.0

DEMO CORP
BUSINESS Page 1 of
CONFIDENTIAL

Table of Contents
Table of Contents ......................................................................................................................................2

Con dentiality Statement .........................................................................................................................4

Disclaimer ..................................................................................................................................................4

Contact Information ...................................................................................................................................4

Assessment Overview ...............................................................................................................................5

Assessment Components .........................................................................................................................5

Internal Penetration Test ...........................................................................................................5

Finding Severity Ratings ............................................................................................................................6

Risk Factors ...............................................................................................................................................6

Likelihood .................................................................................................................................6

Impact .......................................................................................................................................6

Scope ........................................................................................................................................................7

Scope Exclusions .....................................................................................................................7

Client Allowances .....................................................................................................................7

Executive Summary ...................................................................................................................................8

Scoping and Time Limitations ..................................................................................................8

Testing Summary ......................................................................................................................8

Tester Notes and Recommendations ........................................................................................9

Key Strengths and Weaknesses .............................................................................................10

Vulnerability Summary & Report Card .....................................................................................................11

Internal Penetration Test Findings ..........................................................................................11

Technical Findings ...................................................................................................................................13

Internal Penetration Test Findings ..........................................................................................13

Finding IPT-001: Insu cient LLMNR Con guration (Critical) .............................................................13

Finding IPT-002: Security Miscon guration – Local Admin Password Reuse (Critical) ......................14

Finding IPT-003: Security Miscon guration – WDigest (Critical) ........................................................15

Finding IPT-004: Insu cient Hardening – Token Impersonation (Critical) ..........................................16

Finding IPT-005: Insu cient Password Complexity (Critical) ............................................................17

Finding IPT-006: Security Miscon guration – IPv6 (Critical) ..............................................................18

Finding IPT-007: Insu cient Hardening – SMB Signing Disabled (Critical) .......................................19

Finding IPT-008: Insu cient Patch Management – Software (Critical) ..............................................20

Finding IPT-009: Insu cient Patch Management – Operating Systems (Critical) ..............................21

Finding IPT-010: Insu cient Patching – MS08-067 - ECLIPSEDWING/NETAPI (Critical) ..................22

Finding IPT-011: Insu cient Patching – MS12-020 – Remote Desktop RCE (Critical) ......................23

Finding IPT-012: Insu cient Patching – MS17-010 - EternalBlue (Critical) .......................................24

Finding IPT-013: Insu cient Patching – CVE-2019-0708 - BlueKeep (Critical) .................................25

Finding IPT-014: Insu cient Privileged Account Management – Kerberoasting (High) .....................26

fi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi

fi
fi
fi
fi
 Finding IPT-015: Security Miscon guration – GPP Credentials (High) ..............................................27

Finding IPT-016: Insu cient Authentication - VNC (High) .................................................................28

Finding IPT-017: Default Credentials on Web Services (High) ...........................................................29

Finding IPT-018: Insu cient Hardening – Listable Directories (High) ................................................30

Finding IPT-019: Unauthenticated SMB Share Access (Moderate) ...................................................31

Finding IPT-020: Insu cient Patch Management – SMBv1 (Moderate) ............................................32

Finding IPT-021: IPMI Hash Disclosure (Moderate) ...........................................................................33

Finding IPT-022: Insu cient SNMP Community String Complexity (Moderate) ................................34

Finding IPT-023: Insu cient Data in Transit Encryption - Telnet (Moderate) ......................................35

Finding IPT-024: Insu cient Terminal Services Con guration (Moderate) .........................................36

Finding IPT-025: Steps to Domain Admin (Informational) ..................................................................37

Additional Scans and Reports ................................................................................................37

ffi
ffi
ffi
ffi
ffi
ffi
fi
fi
 Confidentiality Statement
This document is the exclusive property of Demo Corp and TCM Security (TCMS). This
document contains proprietary and con dential information. Duplication, redistribution, or
use, in whole or in part, in any form, requires consent of both Demo Corp and TCMS.

Demo Corp may share this document with auditors under non-disclosure agreements to
demonstrate penetration test requirement compliance.

Disclaimer
A penetration test is considered a snapshot in time. The ndings and recommendations
re ect the information gathered during the assessment and not any changes or modi cations
made outside of that period.

Time-limited engagements do not allow for a full evaluation of all security controls. TCMS
prioritized the assessment to identify the weakest security controls an attacker would exploit.
TCMS recommends conducting similar assessments on an annual basis by internal or third-
party assessors to ensure the continued success of the controls.

Contact Information

Nam Titl Contact Information

e e
Demo Corp
John Smith Global Information Email: jsmith@democorp.com
Security Manager
TCM Security
Heath Adams Lead Penetration Tester Email: heath@tcm-sec.com

Demo Corp
BUSINESS Page 4 of 54
CONFIDENTIAL

fl

fi
fi
fi
 Assessment Overview
From February 22nd, 2021 to March 5th, 2021, Demo Corp engaged TCMS to evaluate the
security posture of its infrastructure compared to current industry best practices that included
an internal network penetration test. All testing performed is based on the NIST SP 800-115
Technical Guide to Information Security Testing and Assessment, OWASP Testing Guide (v4),
and customized testing frameworks.

Phases of penetration testing activities include the following:

• Planning – Customer goals are gathered and rules of engagement obtained.

• Discovery – Perform scanning and enumeration to identify potential vulnerabilities,

weak areas, and exploits.

• Attack – Con rm potential vulnerabilities through exploitation and perform

additional discovery upon new access.

• Reporting – Document all found vulnerabilities and exploits, failed attempts, and
company strengths and weaknesses.

Assessment Components
Internal Penetration Test
An internal penetration test emulates the role of an attacker from inside the network. An
engineer will scan the network to identify potential host vulnerabilities and perform common
and advanced internal network attacks, such as: LLMNR/NBT-NS poisoning and other man-
in-the-middle attacks, token impersonation, kerberoasting, pass-the-hash, golden ticket, and
more. The engineer will seek to gain access to hosts through lateral movement, compromise
domain user and admin accounts, and ex ltrate sensitive data.

Demo Corp
BUSINESS Page 5 of 54
CONFIDENTIAL

fi

fi
 Finding Severity Ratings
The following table de nes levels of severity and corresponding CVSS score range that are
used throughout the document to assess vulnerability and risk impact.

Severity CVSS V3 Definitio

Score n
Range
Exploitation is straightforward and usually results in system-level
compromise. It is advised to form a plan of action and patch
Critical 9.0-10.0
immediately.

Exploitation is more di cult but could cause elevated

privileges and potentially a loss of data or downtime. It is
High 7.0-8.9
advised to form a plan of action and patch as soon as
possible.
Vulnerabilities exist but are not exploitable or require extra steps
such as social engineering. It is advised to form a plan of action
Moderate 4.0-6.9
and patch after high-priority issues have been resolved.

Vulnerabilities are non-exploitable but would reduce an

organization’s attack surface. It is advised to form a plan of
Low 0.1-3.9
action and patch during the next maintenance window.

No vulnerability exists. Additional information is provided

regarding items noticed during testing, strong controls, and
Information N/A
additional documentation.
al

Risk Factors
Risk is measured by two factors: Likelihood and Impact:

Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given based on
the di culty of the attack, the available tools, attacker skill level, and client environment.

Impact
Impact measures the potential vulnerability’s e ect on operations, including con dentiality,
integrity, and availability of client systems and/or data, reputational harm, and nancial loss.

Demo Corp
BUSINESS Page 6 of 54
CONFIDENTIAL

ffi

fi
ffi

ff
fi
fi
Scope
Assessme Detai
nt ls

Internal Penetration Test 10.x.x.x/8

Scope Exclusions
Per client request, TCMS did not perform any of the following attacks during testing:

• Denial of Service (DoS)

• Phishing/Social Engineering

All other attacks not speci ed above were permitted by Demo Corp.

Client Allowances
Demo Corp provided TCMS the following allowances:

• Internal access to network via dropbox and port allowances

Demo Corp
BUSINESS Page 7 of 54
CONFIDENTIAL

fi
 Executive Summary
TCMS evaluated Demo Corp’s internal security posture through penetration testing from
February 22nd, 2021 to March 5th, 2021. The following sections provide a high-level overview of
vulnerabilities discovered, successful and unsuccessful attempts, and strengths and
weaknesses.

Scoping and Time Limitations

Scoping during the engagement did not permit denial of service or social engineering across
all testing components.

Time limitations were in place for testing. Internal network penetration testing was permitted for
ten

(10) business days.

Testing Summary
The network assessment evaluated Demo Corp’s internal network security posture. From an
internal perspective, the TCMS team performed vulnerability scanning against all IPs provided
by Demo Corp to evaluate the overall patching health of the network. The team also
performed common Active Directory based attacks, such as Link-Local Multicast Name
Resolution (LLMNR) Poisoning, SMB relaying, IPv6 man-in-the-middle relaying, and
Kerberoasting. Beyond vulnerability scanning and Active Directory attacks, the TCMS
evaluated other potential risks, such as open le shares, default credentials on servers/
devices, and sensitive information disclosure to gain a complete picture of the network’s
security posture.

The TCMS team discovered that LLMNR was enabled in the network (Finding IPT-001), which
permitted the interception of user hashes via LLMNR poisoning. These hashes were taken
o ine and cracked via dictionary attacks, which signals a weak password policy (Finding
IPT-005). Utilizing the cracked passwords, the TCMS team gained access to several machines
within the network, which indicates overly permissive user accounts.

With machine access, and the use of older operating systems in the network (Finding
IPT-009), the team was able to leverage WDigest (Finding IPT-003) to recover cleartext
credentials to accounts. The team was also able to dump local account hashes on each
machine accessed. The TCMS team discovered that the local account hashes were being re-
used across devices (Finding IPT-002), which lead to additional machine access through pass-
the-hash attacks.

Ultimately, the TCMS team was able to leverage accounts captured through WDigest and hash
dumps to move laterally throughout the network until landing on a machine that had a Domain
Administrator credential in cleartext via WDigest. The testing team was able to use this
Demo Corp
BUSINESS Page 8 of 54
CONFIDENTIAL

ffl

fi
credential to log into the domain controller and compromise the entire domain. For a full
walkthrough of the path to Domain Admin, please see Finding IPT-025.

Demo Corp
BUSINESS Page 9 of 54
CONFIDENTIAL

 In addition to the compromise listed above, the TCMS team found that users could be
impersonated through delegation attacks (Finding IPT-004), SMB relay attacks were possible
due to SMB signing being disabled (Finding IPT-007), and IPv6 tra c was not restricted,
which could lead to LDAPS relaying and domain compromise (Finding IPT-006).

The remainder of critical ndings relate to patch management as devices with critical out-of-
date software (Finding IPT-008), operating systems (Finding IPT-009), and Microsoft RCE
vulnerabilities (Findings IPT-010, IPT-011, IPT-012, IPT-013), were found to be present within
the network.

The remainder of the ndings were high, moderate, low, or informational. For further
information on ndings, please review the Technical Findings section.

Tester Notes and Recommendations

Testing results of the Demo Corp network are indicative of an organization undergoing its rst
penetration test, which is the case here. Many of the ndings discovered are vulnerabilities
within Active Directory that come enabled by default, such as LLMNR, IPv6, and
Kerberoasting.

During testing, two constants stood out: a weak password policy and weak patching. The
weak password policy led to the initial compromise of accounts and is usually one of the rst
footholds an attacker attempts to use in a network. The presence of a weak password policy
is backed up by the evidence of our testing team cracking over 2,200 user account
passwords, including a majority of the Domain Administrator accounts, through basic
dictionary attacks.

We recommended that Demo Corp re-evaluates their current password policy and considers a
policy of 15 characters or more for their regular user accounts and 30 characters or more for
their Domain Administrator accounts. We also recommend that Demo Corp explore password
blacklisting and will be supplying a list of cracked user passwords for the team to evaluate.
Finally, a Privilege Access Management solution should be considered.

Weak patching and dated operating systems led to the compromise of dozens of machines
within the network. We believe the number of compromised machines would have been
signi cantly larger, however the TCMS and Demo Corp teams agreed it was not necessary to
attempt to exploit any remote code execution (RCE) based vulnerabilities, such as MS17-010
(Finding IPT-012), as the domain controller had already been compromised and the teams did
not want to risk any denial of service through failed attacks.

We recommend that the Demo Corp team review the patching recommendations made in the
Technical Findings section of the report along with reviewing the provided Nessus scans for a
full overview of items to be patched. We also recommend that Demo Corp improve their patch
management policies and procedures to help prevent potential attacks within their network.

Demo Corp
BUSINESS Page 10 of
CONFIDENTIAL

fi
fi
fi
fi

fi
ffi
fi
fi
On a positive note, our testing team triggered several alerts during the engagement. The
Demo Corp Security Operations team discovered our vulnerability scanning and was alerted
when we attempted to use noisy attacks on a compromised machine. While not all attacks
were discovered during testing, these alerts are a positive start. Additional guidance on
alerting and detection has been provided for ndings, when necessary, in the Technical
Findings section.

Overall, the Demo Corp network performed as expected for a rst-time penetration test. We
recommend that the Demo Corp team thoroughly review the recommendations made in this
report, patch the ndings, and re-test annually to improve their overall internal security
posture.

Key Strengths and Weaknesses

The following identi es the key strengths identi ed during the assessment:

1. Observed some scanning of common enumeration tools (Nessus)

2. Mimikatz detected on some machines

3. Service accounts were not running as domain administrators

4. Demo Corp local administrator account password was unique to each

device The following identi es the key weaknesses identi ed during the

assessment:

1. Password policy found to be insufficient

2. Critically out-of-date operating systems and weak patching exist within the network

3. Passwords were observed in cleartext due to WDigest

4. LLMNR is enabled within the network

5. SMB signing is disabled on all non-server devices in the work

6. IPv6 is improperly managed within the network

7. User accounts can be impersonated through token delegation

8. Local admin accounts had password re-use and were overly permissive

9. Default credentials were discovered on critical infrastructure, such as iDRACs

10. Unauthenticated share access was permitted

11. User accounts were found to be running as service accounts

12. Service accounts utilized weak passwords

13. Domain administrator utilized weak passwords

Demo Corp
BUSINESS Page 11 of
CONFIDENTIAL

fi
fi
fi

fi
fi
fi
fi
 Vulnerability Summary & Report Card
The following tables illustrate the vulnerabilities found by impact and recommended
remediations:

Internal Penetration Test Findings

13 5 6 0 1

Critical High Modera Low Information

te al

Findin Severity Recommendation

g
Internal Penetration Test
IPT-001: Insu cient LLMNR Critical Disable multicast name resolution
Configuration via GPO.
IPT-002: Security Critical Utilize unique local admin
Miscon guration – Local Admin passwords

Password Reuse and limit local admin users via least

privilege.
IPT-003: Security Critical Disable WDigest via GPO.
Miscon guration – Wdigest
IPT-004: Insu cient Hardening – Critical Restrict token delegation.
Token Impersonation
IPT-005: Insu cient Password Critical Implement CIS Benchmark
Complexity password requirements / PAM
solution.
IPT-006: Security Critical Restrict DHCPv6 tra c and
Miscon guration – IPv6 incoming router advertisements in
Windows Firewall via GPO.
IPT-007: Insu cient Hardening – Critical Enable SMB signing on all Demo
SMB Signing Disabled Corp domain computers.
IPT-008: Insu cient Patch Critical Update to the latest software
Management – Software version.
IPT-009: Insu cient Patch Critical Update Operating Systems to the
Management – Operating latest version.
Systems
Demo Corp
BUSINESS Page 12 of
CONFIDENTIAL

fi
fi
fi
ffi
ffi
ffi
ffi
ffi
ffi
ffi

 IPT-010: Insu cient Patching – Critical Apply the appropriate Microsoft

MS08-067 - ECLIPSEDWING/ patches to remediate the issue.
NETAPI
IPT-011: Insu cient Patching –
Critical Apply the appropriate Microsoft

MS12-020 – Remote Desktop RCE patches to remediate the issue.

IPT-012: Insu cient Critical Apply the appropriate Microsoft
Patching – MS17-010 - patches to remediate the issue.
EternalBlue
IPT-013: Insu cient Patching – Critical Apply the appropriate Microsoft
CVE- 2019-0708 - BlueKeep patches to remediate the issue.

Findin Severity Recommendation

g

IPT-014: Insu cient Privileged High Use Group Managed Service

Account Management –
Accounts (GMSA) for privileged

Kerberoasting services.
IPT-015: Security High Apply vendor patching. Do not
Miscon guration – GPP use GPP cpasswords.
Credentials
IPT-016: Insu cient Authentication High Enable authentication on the VNC
- VNC Server.
IPT-017: Default Credentials on High Change default credentials or
Web Services disable unused accounts.
IPT-018: Insu cient Hardening – High Restrict access and conduct web
Listable Directories app assessment.
IPT-019: Unauthenticated SMB Moderate Disable SMB share or require
Share Access authentication.
IPT-020: Insu cient Patch Moderate Upgrade to SMBv3 and apply
Management – SMBv1 latest patching.
IPT-021: IPMI Hash Disclosure Moderate Disable IPMI over LAN if it is not
needed.
IPT-022: Insu cient SNMP Moderate Disabled SNMP if not required.
Community String Complexity
IPT-023: Insu cient Data in Moderate Migrate to TLS protected
Transit Encryption - Telnet protocols.
IPT-024: Insu cient Terminal Moderate Enable Network Level
Services Con guration Authentication (NLA) on the remote
RDP server.

Demo Corp
BUSINESS Page 13 of
CONFIDENTIAL

fi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
ffi
fi
IPT-025: Steps to Domain Admin Information Review action and remediation
al steps.

Demo Corp
BUSINESS Page 14 of
CONFIDENTIAL

 Technical Findings
Internal Penetration Test Findings
Finding IPT-001: Insu cient LLMNR Con guration (Critical)

Description: Demo Corp allows multicast name resolution on their end-user networks.
TCMS captured 20 user account hashes by poisoning LLMNR tra c and
cracked 2 with commodity cracking software.

The cracked accounts were used to leverage further access that led to the
compromise of the Domain Controller.
Risk: Likelihood: High – This attack is e ective in environments allowing
multicast name resolution.

Impact: Very High – LLMNR poisoning permits attackers to capture

password hashes to either crack o ine or relay in real-time and pivot
laterally in the environment.
System: All
Tools Used: Responder, Hashcat
References: Stern Security - Local Network Attacks: LLMNR and NBT-NS
Poisoning NIST SP800-53 r4 IA-3 - Device Identi cation and
Authentication NIST SP800-53 r4 CM-6(1) - Con guration
Settings

Evidence

Figure 1: Captured hash of “production”

Remediatio
n

Demo Corp
BUSINESS Page 15 of
CONFIDENTIAL

ffi

ff
ffl

fi
fi
fi
ffi
Figure 2: of “production”
Cracked hash
Disable multicast name resolution via GPO. For full mitigation and detection guidance,
please reference the MITRE guidance here.

The cracked hashes demonstrate a de cient password complexity policy. If multicast name
resolution is required, Network Access Control (NAC) combined with application whitelisting
can limit these attacks.

Demo Corp
BUSINESS Page 16 of
CONFIDENTIAL

fi
 Finding IPT-002: Security Miscon guration – Local Admin Password Reuse (Critical)

Description: TCMS utilized local administrator hashes to gain access to other

machines in the network via a ‘pass-the-hash’ attack. The local
administrator hashes were obtained via machine access provided by
the cracked account in IPT-001.

Pass-the-hash attacks do not require knowing the account password to

successfully log into a machine. Thus, reusing the same local admin
password (and therefore the same hash) on multiple machines will permit
system access to those computers.

TCMS leveraged this attack to gain access to ~50 machines within the
main

o ce. This led to further account access and the eventual compromise of
the domain controller.
Risk: Likelihood: High – This attack is e ective in large networks with local
admin password reuse.

Impact: Very High – Pass-the-hash permits an attacker to move laterally

and vertically throughout the network.
System: All
Tools Used: Impacket, Crackmapexec
References: https://capec.mitre.org/data/definitions/644.html

https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/

Evidence

Figure 3: Local admin hash used to gain access to machine

Remediation

Utilize unique local admin passwords. Limit local admin users via least privilege. Consider
implementing a PAM solution. For full mitigation and detection guidance, please reference
the MITRE guidance here.

Demo Corp
BUSINESS Page 17 of
CONFIDENTIAL

ffi
fi
ff
 Finding IPT-003: Security Miscon guration – WDigest (Critical)

Description: Demo Corp permitted out-of-date operating systems within their network,
including Windows 7, 8, Server 2008, and Server 2012.

These operating systems, by default, permit WDigest, which stores all

current logged-in user’s passwords in clear-text.

TCMS leveraged machine access gained in IPT-001 and IPT-002 to move

laterally throughout the network until uncovering a machine with Domain
Admin

credentials stored in WDigest.

Risk: Likelihood: Moderate – This attack is e ective in networks with older
operating systems.

Impact: Very High – WDigests credentials are stored in clear text, which
can permit the theft of sensitive accounts, such as Domain
Administrators.
System: All systems older than Windows 10 and Server 2016
Tools Used: Metasploit, Kiwi
References: https://stealthbits.com/blog/wdigest-clear-text-passwords-stealing-
more-than- a-hash/

Evidence

Figure 4: Cleartext passwords of Domain Administrators

Remediation

Disable WDigest via GPO. For full mitigation and detection guidance, please reference the
guidance here.

Demo Corp
BUSINESS Page 18 of
CONFIDENTIAL

fi
ff
 Finding IPT-004: Insu cient Hardening – Token Impersonation (Critical)

Description: TCMS impersonated the token of “supcb” to obtain Domain Administrator

privileges.
Risk: Likelihood: High – The penetration tester viewed and impersonated tokens
with the use of open-source tools.

Impact: Very High - If exploited, an attacker gains domain administrator

access.
System: All
Tools Used: Metasploit, Incognito
References: NIST SP800-53 r4 CM-7 - Least
Functionality NIST SP800-53 r4 AC-6 -
Least Privilege

https://docs.microsoft.com/en-us/windows-server/
identity/ad- ds/manage/how-to-con gure- protected-
accounts

Evidence

Figure 5: Impersonation of “sup”

Demo Corp
BUSINESS Page 19 of
CONFIDENTIAL

ffi
fi
 Figure 6: Shell access as Domain Admin “sup”

Remediatio
n

Restrict token delegation. For full mitigation and detection guidance, please reference the MITRE
guidance here.

Demo Corp
BUSINESS Page 20 of
CONFIDENTIAL

 Finding IPT-005: Insu cient Password Complexity (Critical)

Description: TCMS dumped hashes from the domain controller and proceeded to
attempt common password guessing attacks against all users.

TCMS cracked 2,226 passwords using basic password list guessing

attacks and low e ort brute forcing attacks. 17 cracked accounts had
domain administrator rights.
Risk: Likelihood: High - Simple passwords are susceptible to password
cracking attacks. Encryption provides some protection, but dictionary
attacks base on common word lists often crack weak passwords.

Impact: Very High - Domain admin accounts with weak passwords could
lead to an adversary critically impacting Demo Corp ability to operate.
System: All
Tools Used: Manual Review
References: NIST SP800-53 IA-5(1) - Authenticator Management https://
www.cisecurity.org/white-papers/cis-password-policy-guide/

Evidence

Figure 7: Excerpt of cracked domain hashes

Remediatio
n

Implement CIS Benchmark password requirements / PAM solution. TCMS recommends that
Demo Corp enforce industry best practices around password complexity and management. A
Demo Corp
BUSINESS Page 21 of
CONFIDENTIAL

ff
ffi
password lter to prevent users from using common and easily guessable passwords is also
recommended. Additionally, TCMS recommends that Demo Corp enforce stricter password
requirements for Domain Administrator and other sensitive accounts.

Demo Corp
BUSINESS Page 22 of
CONFIDENTIAL

fi
 Finding IPT-006: Security Miscon guration – IPv6 (Critical)

Description: Through IPv6 DNS poisoning, the TCMS team was able to successfully
relay credentials to the Demo Corp domain controller.
Risk: Likelihood: High – IPv6 is enabled by default on Windows networks. The
tools and techniques required to perform this task are trivial.

Impact: Very High - If exploited, an attacker can gain domain

administrator access.
System: All
Tools Used: Mitm6, Impacket
References: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-
via- ipv6/

Evidence

Figure 8: Successfully relayed LDAP credentials via mitm6

Remediatio
n

1. IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-
only environments. If you do not use IPv6 internally, the safest way to prevent mitm6 is
to block DHCPv6 tra c and incoming router advertisements in Windows Firewall via
Group Policy. Disabling IPv6 entirely may have unwanted side e ects. Setting the
following prede ned rules to Block instead of Allow prevents the attack from working:

a. (Inbound) Core Networking - Dynamic Host Con guration Protocol for IPv6(DHCPV6-
In)

b. (Inbound) Core Networking - Router Advertisement (ICMPv6-In)

c. (Outbound) Core Networking - Dynamic Host Con guration Protocol for

IPv6(DHCPV6- Out)

2. If WPAD is not in use internally, disable it via Group Policy and by

disabling the WinHttpAutoProxySvc service.

3. Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing
and LDAP channel binding.

Demo Corp
BUSINESS Page 23 of
CONFIDENTIAL

fi
ffi
fi
fi
fi
ff
Consider Administrative users to the Protected Users group or marking them as Account is
sensitive and cannot be delegated, which will prevent any impersonation of that user via
delegation.

Demo Corp
BUSINESS Page 24 of
CONFIDENTIAL

 Finding IPT-007: Insu cient Hardening – SMB Signing Disabled (Critical)

Description: Demo Corp failed to implement SMB signing on multiple devices. The
absence of SMB signing could lead to SMB relay attacks, yielding
system-level shells without requiring a user password.
Risk: Likelihood: High – Relaying password hashes is a basic technique not
requiring o ine cracking.

Impact: High – If exploited, an adversary gains code execution, leading to

lateral movement across the network.
System: Identi ed 709 machines, please see the below le for listing.

[ le removed]
Tools Used: Nessus, Nmap, MultiRelay, Responder
References: CIS Microsoft Windows Server 2012 R2 v2.2.0 (Page 180) https://
github.com/lgandx/Responder/blob/master/tools/MultiRelay.py

Evidence

Figure 9: Successful SMB relay

Remediatio
n

Enable SMB signing on all Demo Corp domain computers. Alternatively, as SMB signing can
cause performance issues, disabling NTLM authentication, enforcing account tiering, and
limiting local admin users can e ectively help mitigate attacks. For full mitigation and detection
guidance, please reference the MITRE guidance here.

Demo Corp
BUSINESS Page 25 of
CONFIDENTIAL

fi
fi
ffl
ffi
ff
fi
 Finding IPT-008: Insu cient Patch Management – Software (Critical)

Description: Demo Corp permitted various deprecated software in their network. This
includes:

• Apache version < 2.4.46

• Apache Tomcat version < 7.0.100, 8.5.51, 9.0.31

• Cisoco AireOS version 8.5.151.10

• CodeMeter version 3.05 (5.21.1478.500)

• Dropbear SSH Server version 2015.68

• Dell iDRAC7 version 2.63.60.62.01

• Dell iDRAC8 version 2.63.60.61.06

• Dell iDRAC9 version 3.36.36.36.21

• ESXi version 5.5

• ESXi version 6.5 build 15256549

• Flexera FlexNet Publisher version 11.16.0

• IIS version 7.5

• ISC BIND version 9.6.2-P2

• Microsoft DNS Server version 6.1.7601.24261

• Microsoft SQL Server version 11.0.6594.0

• Netatalk OpenSession version < 3.1.12

• PHP version < 7.3.11

• Rockwell Automation RSLinx Classic

Above lists all critical and high-rated deprecated software, the majority of
which permit serious vulnerabilities, such as remote code execution. For a
full

patching list, please review the provided Nessus scan documentation.

Risk: Likelihood: High – An attacker can discover these vulnerabilities with
basic tools.

Impact: Very High – If exploited, an attacker could possibly gain full

remote code execution on or deny service to a system.
Tools Used: Nessus
References: NIST SP800-53 r4 MA-6 – Timely
Maintenance NIST SP800-53 r4 SI-2 – Flaw
Remediation

Remediation

Update to the latest software version. For a full list of vulnerable systems, versions, and patching
Demo Corp
BUSINESS Page 26 of
CONFIDENTIAL

ffi
 requirements, please see the below document.

[ le removed]

Demo Corp
BUSINESS Page 27 of
CONFIDENTIAL

fi
 Finding IPT-009: Insu cient Patch Management – Operating Systems (Critical)

Description: Demo Corp permitted various deprecated software in their network. This
includes:

• Windows Server 2003 (end of life on July 14, 2015)

• Windows Server 2008 R2 (end of life on January 14, 2020)

• Windows XP (end of life on April 8, 2014)

• Windows 7 (end of life on January 14, 2020)

• Ubuntu 11 (end of life on May 9, 2013)

• FreeBSD 11.0 (end of life on October, 2016)

End of life systems are susceptible to a multitude of vulnerabilities.

TCMS did not attempt any attacks against these servers due to the risk
of a denial of service, which is out of scope.
Risk: Likelihood: High – An attacker can discover these vulnerabilities with
basic tools.

Impact: High – If exploited, an attacker could possibly gain full remote

code execution on or deny service to a system.
System: Identi ed 139 machines, please see the below le for listing.

[ le removed]
Tools Used: Nessus
References: NIST SP800-53 r4 MA-6 – Timely
Maintenance NIST SP800-53 r4 SI-2 – Flaw
Remediation

Remediation

Update Operating Systems to the latest version.

Demo Corp
BUSINESS Page 28 of
CONFIDENTIAL

fi
fi
ffi
fi
 Finding IPT-010: Insu cient Patching – MS08-067 - ECLIPSEDWING/NETAPI (Critical)

Description: Demo Corp permitted an unpatched system on the internal network that
is vulnerable to MS08-067. TCM Security con rmed that the vulnerability
likely exists but did not attempt the exploit to prevent any denial of
service.
Risk: Likelihood: High – Considered one of the most exploited vulnerabilities in
Microsoft Windows as it ships natively with Windows XP.

Impact: Very High – If exploited, an attacker gains code execution as the

system

user. An adversary will require additional techniques to obtain domain

administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: NIST SP800-53 r4 MA-6 – Timely
Maintenance NIST SP800-53 r4 SI-2 – Flaw
Remediation

Evidence

Remediatio
n

Demo Corp
BUSINESS Page 29 of
CONFIDENTIAL

ffi
fi
Figure 10: MS08-067
Unpatched
Apply the appropriate Microsoft patches to remediate the issue. More information on
patching MS08-067 can be found here: https://docs.microsoft.com/en-us/security-
updates/SecurityBulletins/2008/ms08-067

Demo Corp
BUSINESS Page 30 of
CONFIDENTIAL

 Finding IPT-011: Insu cient Patching – MS12-020 – Remote Desktop RCE (Critical)

Description: Demo Corp permitted an unpatched system on the internal network that
is vulnerable to MS12-020. TCM Security con rmed that the vulnerability
likely exists but did not attempt the exploit to prevent any denial of
service.
Risk: Likelihood: High – The vulnerability is easily discoverable and
exploitable with open-source tools.

Impact: Very High – If exploited, an attacker gains code execution as the

system

user. An adversary will require additional techniques to obtain domain

administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: NIST SP800-53 r4 MA-6 – Timely
Maintenance NIST SP800-53 r4 SI-2 – Flaw
Remediation

Evidence

Remediation

Demo Corp
BUSINESS Page 31 of
CONFIDENTIAL

ffi
fi
Figure 11: MS12-020
Unpatched
Apply the appropriate Microsoft patches to remediate the issue. More information on
patching MS12-020 can be found here: https://docs.microsoft.com/en-us/security-
updates/securitybulletins/2012/ms12-020

Demo Corp
BUSINESS Page 32 of
CONFIDENTIAL

 Finding IPT-012: Insu cient Patching – MS17-010 - EternalBlue (Critical)

Description: Demo Corp permitted several unpatched systems on the internal network
that are vulnerable to MS17-010 (EternalBlue). TCM Security con rmed
that the vulnerability likely exists but did not attempt the exploit to prevent
any denial of service.
Risk: Likelihood: High – Malicious actors have used SMB exploitations like
EternalBlue in recent breaches.

Impact: Very High – If exploited, an attacker gains code execution as the

system user. An adversary will require additional techniques to obtain
domain

administrator access.
System: 10.x.x.x

Tools Used: Nessus, Metasploit, AutoBlue

References: NIST SP800-53 r4 MA-6 – Timely
Maintenance NIST SP800-53 r4 SI-2 – Flaw
Remediation

Evidence

Figure 12: Unpatched MS17-010

Remediatio
n

Apply the appropriate Microsoft patches to remediate the issue. More information on
patching MS17-010 can be found here: https://docs.microsoft.com/en-us/security-
Demo Corp
BUSINESS Page 33 of
CONFIDENTIAL

ffi
fi
updates/securitybulletins/2017/ms17-010

Demo Corp
BUSINESS Page 34 of
CONFIDENTIAL

 Finding IPT-013: Insu cient Patching – CVE-2019-0708 - BlueKeep (Critical)

Description: Demo Corp permitted several unpatched systems on the internal network
that are vulnerable to CVE-2019-0708 (BlueKeep). TCM Security
con rmed that the vulnerability likely exists but did not attempt the exploit
to prevent any denial of service.
Risk: Likelihood: High – The vulnerability is easily discoverable and
exploitable with open-source tools.

Impact: Very High – If exploited, an attacker gains code execution as the

system user. An adversary will require additional techniques to obtain
domain

administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
References: NIST SP800-53 r4 MA-6 – Timely
Maintenance NIST SP800-53 r4 SI-2 – Flaw
Remediation

Evidence

Figure 13: Unpatched CVE-2019-0708

Remediatio
n

Apply the appropriate Microsoft patches to remediate the issue. More information on
patching CVE- 2019-0708 can be found here: https://support.microsoft.com/en-us/topic/
customer-guidance-for- cve-2019-0708-remote-desktop-services-remote-code-execution-
vulnerability-may-14-2019- 0624e35b-5f5d-6da7-632c-27066a79262e

Demo Corp
BUSINESS Page 35 of
CONFIDENTIAL

fi
ffi
 Finding IPT-014: Insu cient Privileged Account Management – Kerberoasting (High)

Description: TCMS retrieved all user service principal names (SPNs) from the Demo
Corp domain controller using a domain user-level account (IPT-001) in a
Kerberoasting attack. Retrieving these user SPNs permitted TCMS to
crack 4 account passwords.

No service accounts were observed running as domain administrators.

User accounts were observed running as a service, which is not best
practice.
Risk: Likelihood: High – Any account joined to the domain can request user
SPNs.

Impact: High – Using SPNs, it is possible to retrieve sensitive account

password hashes and crack them o ine.
Tools Used: Impacket, Hashcat
References: Kerberoasting details: https://adsecurity.org/?p=2293
Group Managed Service Accounts Overview

Evidence

Figure 14: Cracked service accounts

Remediatio
n

Use Group Managed Service Accounts (GMSA) for privileged services. GMSA accounts can
be used to ensure passwords are long, complex, and change frequently. Where GMSA is not
applicable, protect accounts by utilizing a password vaulting solution.

TCMS recommends con guring alert logging on domain controllers for Windows event ID
4769 whenever requesting a Kerberos service ticket. These alerts are prone to high false-
positive rates but are a supplementary detective control. Tailor a security information and
event management tool (SIEM) to alert on excessive user SPN requests.

Demo Corp
BUSINESS Page 36 of
CONFIDENTIAL

ffi
fi
ffl
 Finding IPT-015: Security Miscon guration – GPP Credentials (High)

Description: Demo Corp utilized “cpasswords” in Group Policy Preference (GPP) which
any domain user can query from a domain controller’s SYSVOL folder.
Microsoft published the key to decrypt these passwords.
Risk: Likelihood: High – Any authenticated user can obtain this information and
decrypt the password with open source tools.

Impact: High – An adversary can use these credentials to move laterally

within the network.
Tools Used: Metasploit
References: NIST SP800-53 IA-5(1) - Authenticator Management

Evidence

Figure 15: Dumped GPP credentials

Remediatio
n

Apply vendor patching. Do not use GPP cpasswords. Additionally, enabling authentication on
the NFS share will protect the con dentiality of the stored information. Exporting
authentication logs to a SIEM solution will give incident response teams insights to brute
force login attempts.

Demo Corp
BUSINESS Page 37 of
CONFIDENTIAL

fi
fi
 Demo Corp
BUSINESS Page 38 of
CONFIDENTIAL

Finding IPT-016: Insu cient Authentication - VNC (High)

Description: Demo Corp deployed 3 servers that permitted unauthenticated access via
VNC Server.
Risk: Likelihood: High – Discovering unauthenticated VNC servers is trivial
and can be done with open-source tools.

Impact: High – Attackers can control industrial devices, destroy data, or

shut down systems.
System: 10.x.x.x, 10.x.x.x, 10.x.x.x
Tools Used: Nessus, VNC Viewer
References: NIST SP800-53 IA-5(1) - Authenticator Management

Evidence

[image redacted]

Figure 16: Access to system via

VNC
Remediatio
n

Enable authentication on the VNC Server.

Demo Corp
BUSINESS Page 39 of
CONFIDENTIAL

ffi
 Finding IPT-017: Default Credentials on Web Services (High)

Description: TCMS validated default credentials worked on multiple web applications

within the Demo Corp environment.
Risk: Likelihood: High – Credentials are published for these devices and an
attackers rst authentication attempt.

Impact: High – Attackers can control devices, destroy data, or shut down
systems.
System: Default credentials were tested on a sample set of web applications, but
suggests checking the following addresses at a minimum:

[ le removed]
Tools Used: Manual Review
References: NIST SP800-53 IA-5(1) - Authenticator Management

Evidence

Remediation

Demo Corp
BUSINESS Page 40 of
CONFIDENTIAL

fi
fi
Figure 17: Dell via default credentials
iDRAC access
Change default credentials or disable unused accounts.

Demo Corp
BUSINESS Page 41 of
CONFIDENTIAL

 Finding IPT-018: Insu cient Hardening – Listable Directories (High)

Description: Demo Corp disclosed information by allowing listable directories and

storing potentially critical items on web server. It is strongly recommended
that Demo Corp perform a thorough web app assessment on this
resource.
Risk: Likelihood: Moderate – Adversaries will discovery content with open
source tools.

Impact: High – Attackers use this information in conjunction with other

attacks for enumeration and cataloging for rapid attacks when
vulnerabilities arise.
System: Full list of discovered listable directories:

[ le removed]
Tools Used: Manual Review
References: NIST SP800-53r4 CM-7 - Least Functionality

NIST SP800-53r4 AC-6(3) - Least Privilege

Evidence

Demo Corp
BUSINESS Page 42 of
CONFIDENTIAL

fi
ffi
 Figure 18: Listable directory

Remediatio
n

Restrict access and conduct web app assessment.

Demo Corp
BUSINESS Page 43 of
CONFIDENTIAL

 Finding IPT-019: Unauthenticated SMB Share Access (Moderate)

Description: Demo Corp exposed multiple servers with unauthenticated le server

access.
Risk: Likelihood: Moderate – Adversaries will discover these shares with low-
noise, basic reconnaissance techniques.

Impact: Moderate – Attackers learn about the environment through

information leaks.
System: 10.x.x.x

Tools Used: Nessus, smbclient

References: NIST SP800-53r4 AC-6(3) - Least Privilege

NIST SP800-53 r4 SC-4 - Information in Shared Resources

Evidence

Figure 19: Unauthenticated Share access

Remediation

Demo Corp
BUSINESS Page 44 of
CONFIDENTIAL

fi
 Disable SMB share or require authentication. Enabling authentication on the share will protect
the con dentiality of the stored information. Exporting authentication logs to a SIEM solution will
give incident response teams insights to brute force login attempts.

Demo Corp
BUSINESS Page 45 of
CONFIDENTIAL

fi
 Finding IPT-020: Insu cient Patch Management – SMBv1 (Moderate)

Description: Demo Corp failed to patch SMBv1. This version is vulnerable to multiple
denial of service and remote code execution attacks. TCM Security
con rmed that the vulnerability likely exists but did not attempt the
exploit to prevent any denial of service.
Risk: Likelihood: Moderate – Basic scans would identify the SMB version but
would require an adversary to be on the internal network and identify an
exploit.

Impact: Moderate – If exploited, an attacker gains denial of service and

code execution capability.
System: 10.x.x.x

Tools Used: Nessus, Nmap

References: https://blogs.technet.microsoft.com/ lecab/2016/09/16/stop-using-smb1/

NIST SP800-53 r4 SI-2 - Flaw Remediation

Evidence

Figure 20: Unauthenticated Share access

Remediation

Upgrade to SMBv3 and apply latest patching.

Demo Corp
BUSINESS Page 46 of
CONFIDENTIAL

fi
ffi
fi
 Finding IPT-021: IPMI Hash Disclosure (Moderate)

Description: Demo Corp deployed remote host supporting IPMI v2.0. The (IPMI)
protocol is a ected by an information disclosure vulnerability due to the
support of RMCP+ Authenticated Key-Exchange Protocol (RAKP)
authentication. A remote attacker

can obtain password hash information for valid user accounts via the
HMAC from a RAKP message 2 response from a BMC.
Risk: Likelihood: High – Basic network scans will identify this vulnerability.

Impact: Moderate – If exploited, an attacker can gain access to sensitive

management devices. TCMS was unable to crack any hashes during the

assessment.
System: Identi ed 34 machines, please see the below le for listing.

[ le removed]
Tools Used: Metasploit
References: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/

Evidence

Figure 21: IPMI Hash Disclosure

Remediation

There is no patch for this vulnerability; it is an inherent problem with the speci cation for IPMI
v2.0. Suggested mitigations include:

• Disabling IPMI over LAN if it is not needed.

• Using strong passwords to limit the successfulness of o -line dictionary attacks.

• Using Access Control Lists (ACLs) or isolated networks to limit access to

your IPMI management interfaces.

Demo Corp
BUSINESS Page 47 of
CONFIDENTIAL

fi
fi
ff
fi
ff
fi
 Finding IPT-022: Insu cient SNMP Community String Complexity (Moderate)

Description: Demo Corp deployed SNMP with default “public” community strings. This
con guration exposed read-only access to the system’s management
information base (MIB), including the network con gurations.
Risk: Likelihood: High – Basic network scans will identify this vulnerability.

Impact: Moderate – If exploited, an attacker can pro le the device and

focus attacks.
System: Identi ed 45 machines, please see the below le for listing.

[ le removed]
Tools Used: Nessus, SNMP-Check, Ettercap
References: NIST SP800-53 r4 AC-17(2) - Remote Access Protection of
Con dentiality/Integrity using Encryption

Evidence

Figure 22: Information disclosure via public SNMP community strings

Figure 23: Non-public SNMP string captured via Ettercap

Remediation

TCM Security recommends Demo Corp consider the following corrective actions:

• Disabled SNMP if not required

• Filter UDP packets going to port UDP – 161

Demo Corp
BUSINESS Page 48 of
CONFIDENTIAL

fi
fi
fi
fi
ffi
fi
fi
fi
• Evaluate migration to SNMPv3

• Use password complexity guidelines for community strings

Demo Corp
BUSINESS Page 49 of
CONFIDENTIAL

 Finding IPT-023: Insu cient Data in Transit Encryption - Telnet (Moderate)

Description: Demo Corp permitted Telnet which does not encrypt data in transit.
Telnet uses plain text authentication and passes all data (including
passwords) in clear text and can be intercepted by an attacker.
Risk: Likelihood: Low – An adversary requires a Man-in-the-Middle position
between the client and server.

Impact: High – If exploited an adversary may intercept administrative

credentials that can be used in other attacks.
System: Identi ed 53 machines, please see the below le for listing.

[ le removed]
Tools Used: Telnet
References: NIST SP800-53 r4 AC-17(2) - Remote Access |Protection of
Con dentiality / Integrity Using Encryption

Evidence

Figure 24: Telnet login prompt

Remediation

Migrate to TLS protected protocols.

Demo Corp
BUSINESS Page 50 of
CONFIDENTIAL

fi
fi
fi
ffi
fi
 Finding IPT-024: Insu cient Terminal Services Con guration (Moderate)

Description: The remote Terminal Services is not con gured to use Network Level
Authentication (NLA) only. NLA uses the Credential Security Support
Provider (CredSSP) protocol to perform strong server authentication
either through TLS/SSL or Kerberos mechanisms, which protect against
man-in-the-middle attacks. In addition to improving authentication, NLA
also helps protect the

remote computer from malicious users and software by completing user

authentication before a full RDP connection is established.
Risk: Likelihood: Low – An attacker can discover these vulnerabilities with basic
tools.

Impact: High – If exploited, an adversary gains code execution, leading to

lateral movement across the network.
System: Identi ed 118 machines, please see the below le for listing.

[ le removed]
Tools Used: Nessus
References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-
server- 2008-R2-and-2008/cc732713(v=ws.11)

Remediation

Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on
the 'Remote' tab of the 'System' settings on Windows.

Demo Corp
BUSINESS Page 51 of
CONFIDENTIAL

fi
fi
ffi
fi
fi
fi
 Finding IPT-025: Steps to Domain Admin (Informational)

The steps below describe how the penetration tester obtained domain administrator access.
Each step also provides remediation recommendations to help mitigate risk.

Ste Acti Remediation

p on
1 Poisoned LLMNR responses to obtain Disable multicast name
NetNTLMv2 hash of regular network user resolution via GPO.
2 Cracked NTLM hash o ine of domain Increase password complexity.
administrator users ‘production’ and ‘[name Utilize multi-

removed]’ factor. Implement a

Privileged Account
Management solution.
Utilize a password lter.
3 Leveraged password of ‘production’ account to Limit local administrator
gain access to several machines within the privileges and enforce least
network privilege.
4 Dumped hashes on accessed machines to nd Disable WDigest via GPO.
cleartext password of ‘Bartender’ account via

wdigest
5 Overly-permissive ‘Bartender’ account Limit local administrator
permitted access to a large amount of privileges and enforce least
machines within the
privilege.
network
6 Dumped hashes on accessed machines to nd Disable WDigest via GPO.
cleartext password of Domain Administrator
account
7 Utilized discovered credentials to log into the
domain controller.

Remediation

Review action and remediation steps.

Additional Scans and Reports

Demo Corp
BUSINESS Page 52 of
CONFIDENTIAL

fi
ffl

fi
fi
 TCMS provides all clients with all report information gathered during testing. This includes
Nessus les and full vulnerability scans in detailed formats. These reports contain raw
vulnerability scans and additional vulnerabilities not exploited by TCM Security.

The reports identify hygiene issues needing attention but are less likely to lead to a
breach, i.e. defense-in-depth opportunities. For more information, please see the
documents in your shared drive folder labeled “Additional Scans and Reports”.

Demo Corp
BUSINESS Page 53 of
CONFIDENTIAL

fi


Last Page

Demo Corp
BUSINESS Page 54 of
CONFIDENTIAL