Security Risk Advisors

Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 3 of 5)

May 16, 2011 | Posted in Red Teams by Chris Salerno

3. Your remote access technology uses a blank or easily guessable password

You may be noticing a pattern by now; blank or weak passwords that lead directly to system administration.  Remote administration technologies make life easier for administrators, but usually we don’t find just one, well-secured solution.  Instead, we find multiple, sometimes insecure solutions including Remote Desktop, PCAnywhere, Dameware, X11, and VNC.

How the attack works:

  1. Find the remote administration protocols on the network by port scanning the network for specific ports that host these services.
  2. Once a list of remote administration services are identified, use tools to test for blank or weak passwords.
  3. When one or more are identified, connect to the server and either passively observe the user to identify sensitive information or take administrative control and extract password hashes to further propagate access throughout the network.

Sample of open source tools used:

Nmap, PuTTy (for telnet, SSH), TightVNC

How to mitigate it:

  1. Use a port scanner or your existing vulnerability scan process to proactively scan for unapproved remote access technologies on your network.  Once identified, notify the business owner and work with them to use the corporate standard remote access technology with a strong password.
  2. Use your software inventory system (SMS, BigFix) to identify rouge remote access technologies installed on workstations and servers.