I would like to share an incident that I encountered years ago in a penetration testing project, which gives a very good idea of how inconsistent the security maturity and self-confidence of institutions can be. I would also like to remind you that dozens of such events are encountered every year.
Target: International Organization
Access Point: External
Test Profile: Anonymous
Before Test:
The customer claimed that all security analyses had been completed, all vulnerabilities had been fixed, security hardening had been applied, and that they had “great” cyber security maturity. They also added that “if” we could, we were allowed to dive deeper.
Day 1:
OSINT studies were initiated to detect the assets related to the organization.
I used the tool “Sia” to give me an idea about the target. I also realized that the target organization was using the same phone number and tax ID number on different web pages; searching for these key numbers on Google helped me find a lot of websites that belonged to the target.
After that, I used sources like ARIN, RIPE, APNIC, LACNIC and AFRINIC to detect the IP ranges that belong to the target.
Project Sonar helped me to detect the domain names belonging to the IP addresses, search for specific headers and find other websites with similar SSL certificates.
Day 2:
An HTTP service was detected on a custom port (16384) during the port scanning of the detected assets.
The “Nexus Repository Manager” application was identified on the detected web service.
Nexus
Nexus is a repository manager. It allows you to proxy, collect, and manage your dependencies so that you are not constantly juggling a collection of JARs. It makes it easy to distribute your software. Internally, you configure your build to publish artefacts to Nexus and they then become available to other developers.
For Nexus Repository Manager:
Default username: “admin”
Default password: “admin123”
Logging in with the default username and password failed.
However, I also wanted to try the classic “admin:12345” pair and, bingo, I was in! (I think they wanted to shorten the “admin123” password because it was too complex.)
After successfully logging into Nexus Repository Manager, I came across the source code of hundreds of different versions of hundreds of different applications.
After understanding the working logic of the application, I started downloading all the code with a simple script I wrote. While I was filtering the code for lines containing keywords such as “password”, “username”, “pswd” and so on, I came across a few lines with a username and a password. It was something I was expecting. The real question was what could be done with this information.
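The keyword filtering described above is exactly what a defender should run over a codebase before it is published to a repository manager, so that hard-coded credentials are removed rather than discovered by an outsider. The scanner below is an added example and is not the post's script; its keyword list, placeholder rules, file-type exclusions and the sample files it scans are all assumptions constructed for the illustration (the credentials in them are made up).

```python
"""Hard-coded credential scanner: finds assignment-like lines whose key
contains a secret keyword ("password", "username", "pswd", ...) so they can
be removed before code reaches a repository manager.  Added example; the
keyword list, placeholder rules and sample files are assumptions."""
import os
import re
import tempfile
from dataclasses import dataclass

KEYWORDS = r"(?:password|passwd|pswd|pwd|secret|api[_-]?key|token|username|user)"
# An assignment-like line: a key containing a secret keyword, then ':' or '=',
# then a literal value. Covers .properties, YAML, .env and Java/C-style source.
ASSIGNMENT = re.compile(
    rf"""(?ix)
    \b(?P<key>[a-z0-9_.-]*{KEYWORDS}[a-z0-9_.-]*)
    \s*[:=]\s*
    ["']?(?P<value>[^"'\s;,]{{3,}})["']?
    """
)
# Right-hand sides that are references or placeholders rather than real secrets.
PLACEHOLDER = re.compile(
    r"(?i)^(\$\{.*\}|\{\{.*\}\}|<.*>|\*+|x+|changeme|example|todo|none|null)$"
)
SKIP_SUFFIXES = (".jar", ".class", ".png", ".jpg", ".zip", ".gz")  # binary artefacts


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    line: str


def scan_text(text, path="<memory>"):
    """Return one Finding per line that assigns a literal to a secret-looking key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            # A call or expression on the right-hand side is not a literal secret.
            if "(" in value or PLACEHOLDER.match(value):
                continue
            findings.append(Finding(path, line_no, m.group("key"), line.strip()))
            break  # one finding per line is enough
    return findings


def scan_tree(root):
    """Walk a checkout and scan every text file, skipping binary artefacts."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(SKIP_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return findings


# Constructed sample checkout for the demo; every credential in it is made up.
SAMPLE_FILES = {
    "src/main/resources/application.properties": (
        "spring.datasource.url=jdbc:postgresql://db.internal/app\n"
        "spring.datasource.username=svc_deploy\n"
        "spring.datasource.password=Winter2019!\n"
        "spring.datasource.password=${DB_PASSWORD}\n"   # reference, not a leak
    ),
    "src/main/java/App.java": (
        'String password = System.getenv("DB_PASSWORD");\n'  # call, not a leak
        'String vpnUser = "jsmith";\n'
        'String vpnPassword = "Summer2019";\n'
    ),
    "README.md": "Set the password via the PASSWORD environment variable.\n",
    "lib/app.jar": "\x00\x01binary",
}


def write_sample_tree():
    """Materialise SAMPLE_FILES in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(write_sample_tree()):
        print(f"{f.path}:{f.line_no}: {f.key} -> {f.line}")
```

Run against the sample tree it reports the two properties entries and the two Java string literals, and stays silent on the environment-variable reference, the `getenv` call, the README sentence and the JAR. Wiring the same check into a pre-commit hook or the build that publishes to Nexus turns the attacker's grep into a gate.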
I noticed that a VPN login panel had been detected among the thousands of IP addresses that emerged during the OSINT studies, and I decided to try it directly.
Voila! I was able to access a machine in the internal network over an RDP connection via the web interface.
Then I simply opened the command prompt, checked the privileges of the domain user, and realized that I had domain admin authority!
Summary:
Port scans are not prevented.
It is recommended that enumeration techniques be detected and prevented.
The administration panel is accessible from the external network.
Admin panels should not be accessible over the internet; access should be controlled by methods such as IP filtering or VPN.
Simple or predictable usernames and passwords are in use.
Password policies need to be implemented throughout the organization.
Sensitive information is disclosed in the application source code.
It is recommended that sensitive information not be stored in the source code.
Overly privileged user accounts are in use.
It is recommended that account privileges be limited to only the access that is necessary.
Multi-Factor Authentication is not used on login pages.
It is recommended that MFA be mandatory on login pages.
Plus:
All connections should also be monitored, and all suspicious login attempts should generate logs.
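Several of the recommendations above (restricting admin panels to internal networks, rejecting default accounts and guessable passwords, mandating MFA, and monitoring suspicious login attempts) can be checked by one detection routine over authentication logs. The monitor below is an added example and is not part of the original post; the key=value log format, the internal network range, the admin-app and default-account lists, and the sample events are all assumptions constructed for the illustration, not the real log format of Nexus or any VPN product.

```python
"""Login-event monitor for the summary recommendations: admin panels only
from allowed networks, alerts on password guessing and default-account use,
and MFA on every successful login.  Added example; the log format, network
ranges and sample events are assumptions."""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log in a key=value format assumed for this example.
SAMPLE_LOG = """\
2019-03-02T10:15:01Z app=nexus src=203.0.113.7 user=admin result=FAIL mfa=no
2019-03-02T10:15:03Z app=nexus src=203.0.113.7 user=admin result=FAIL mfa=no
2019-03-02T10:15:05Z app=nexus src=203.0.113.7 user=admin result=FAIL mfa=no
2019-03-02T10:15:08Z app=nexus src=203.0.113.7 user=admin result=SUCCESS mfa=no
2019-03-02T10:20:00Z app=nexus src=10.0.5.21 user=builder result=SUCCESS mfa=yes
2019-03-02T11:02:14Z app=vpn src=198.51.100.23 user=svc_deploy result=SUCCESS mfa=no
2019-03-02T11:30:00Z app=nexus src=10.0.5.9 user=jsmith result=FAIL mfa=yes
2019-03-02T11:30:40Z app=nexus src=10.0.5.9 user=jsmith result=SUCCESS mfa=yes
"""

ADMIN_APPS = {"nexus"}                                      # apps whose UI is an admin panel
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal/VPN range
DEFAULT_ACCOUNTS = {"admin", "administrator", "root"}       # built-in names that should be disabled
FAIL_THRESHOLD = 3              # failures per (app, source) inside WINDOW that raise an alert
WINDOW = timedelta(minutes=5)   # sliding window for counting failures

Alert = namedtuple("Alert", "rule app src user")


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text):
    """Replay the log in order and return the alerts the rules would raise."""
    alerts = []
    recent_fails = defaultdict(list)  # (app, src) -> failure timestamps inside WINDOW
    flagged_external = set()          # (app, src) pairs already reported for external access
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["app"], ev["src"])
        src_ip = ipaddress.ip_address(ev["src"])
        # Drop failures that have aged out of the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= WINDOW]

        # Rule 1: an admin panel must only be reachable from allowed networks (once per source).
        if ev["app"] in ADMIN_APPS and not any(src_ip in net for net in ALLOWED_ADMIN_NETS):
            if key not in flagged_external:
                flagged_external.add(key)
                alerts.append(Alert("admin-panel-external-access", ev["app"], ev["src"], ev["user"]))

        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            # Rule 2: repeated failures from one source look like password guessing.
            if len(recent_fails[key]) == FAIL_THRESHOLD:
                alerts.append(Alert("password-guessing", ev["app"], ev["src"], ev["user"]))
            continue

        # Rule 3: a success right after a burst of failures is the guess that worked.
        if len(recent_fails[key]) >= FAIL_THRESHOLD:
            alerts.append(Alert("success-after-failures", ev["app"], ev["src"], ev["user"]))
        recent_fails[key].clear()
        # Rule 4: built-in account names should not be in use at all.
        if ev["user"] in DEFAULT_ACCOUNTS:
            alerts.append(Alert("default-account-login", ev["app"], ev["src"], ev["user"]))
        # Rule 5: every successful login should have passed MFA.
        if ev.get("mfa") != "yes":
            alerts.append(Alert("login-without-mfa", ev["app"], ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample events the external source that guessed the admin password produces four distinct alerts (external access to the panel, the guessing burst, the success that followed it, and a default account logging in without MFA), the VPN service account is flagged only for missing MFA, and the internal user who mistyped once and then logged in correctly raises nothing, which is the threshold doing its job.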