3. Your remote access technology uses a blank or easily guessable password
You may be noticing a pattern by now; blank or weak passwords that lead directly to system administration. Remote administration technologies make life easier for administrators, but usually we don’t find just one, well-secured solution. Instead, we find multiple, sometimes insecure solutions including Remote Desktop, PCAnywhere, Dameware, X11, and VNC.
How the attack works:
- Find the remote administration protocols on the network by port scanning the network for specific ports that host these services.
- Once a list of remote administration services are identified, use tools to test for blank or weak passwords.
- When one or more are identified, connect to the server and either passively observe the user to identify sensitive information or take administrative control and extract password hashes to further propagate access throughout the network.
Sample of open source tools used:
Nmap, PuTTy (for telnet, SSH), TightVNC
How to mitigate it:
- Use a port scanner or your existing vulnerability scan process to proactively scan for unapproved remote access technologies on your network. Once identified, notify the business owner and work with them to use the corporate standard remote access technology with a strong password.
- Use your software inventory system (SMS, BigFix) to identify rouge remote access technologies installed on workstations and servers.
Chris leads SRA’s 24x7 CyberSOC services. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.
Prior to shifting his focus to defense and secops, he led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.
Chris has been a distinguished speaker at BlackHat Arsenal, RSA, B-Sides and SecureWorld.
Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.