Security Risk Advisors

Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 5 of 5)

May 24, 2011 | Posted in Red Teams by Chris Salerno

5. You’re still using Telnet, FTP, HTTP, [insert clear text protocol here]

Clear text protocols are all but eliminated on Internet-facing systems, but a substantial amount of them still remain on internal networks. With prevalent password reuse and single sign-on environments deployed on corporate networks, gaining access to one set of credentials could give an attacker access to multiple systems and applications.

How the attack works:

  1. Setup ARP cache poisoning to man-in-the-middle network traffic, or compromise the legitimate security monitoring systems to access their SPAN ports.  Wait for clear text passwords to fly over the wire on the local area network.
  2. When one or more sets of credentials are identified, connect to the servers and identify sensitive information.  Attempt to use those credentials to further propagate access throughout the network.

Sample of open source tools used:

Cain & Abel, Wireshark

How to mitigate it:

Begin identifying and eliminating clear text protocols on the internal network in favor for encrypted protocols.  Examples include:

  1. Telnet > SSHv3
  2. HTTP > HTTPS (SSL)
  3. FTP > SFTP/SCP
  4. IMAP/POP3 > IMAPS/POP3S

Configure IDS/IPS solutions to monitor the network for network cards listening in “promiscuous mode” which is required for this type of attack.  Also monitor and prevent ARP cache poisoning attacks at your switches or with a tool like XArp.