Admin Accounts Have All the Power

By Mitchell Bearry, Information Security Analyst

Introduction

In this pentest diary, I will discuss the importance of passwords for network devices, why it is critical to ensure that all devices utilize complex passwords, and show the potential impact of using default passwords.

Overview of Attack Vector

For our example today, instead of a typical penetration test, the service being performed was our Enhanced Vulnerability Assessment. In this service, an automated vulnerability scan is run using our TraceCSO scanning platform to discover the commonly known vulnerabilities present on the target devices. Next, false positive testing is performed to verify these vulnerabilities. Finally, manual testing is performed to look for low-hanging fruit, which are common high-level vulnerabilities that can be easily exploited during penetration testing. While we do not attempt to exploit these vulnerabilities as we would during a penetration test, this aspect of the service allows us to search the target systems for the obvious configuration flaws which could result in a potential attack being successful.

Storyboard of Attack Path Discovery

For the issue of poor password utilization outlined today, I began my search for low-hanging fruit by identifying all hosts currently running unencrypted HTTP protocols with the tool Nmap. From here, I opened each of these in a different tab in Mozilla Firefox to examine the web interfaces for these devices more closely.

Storyboard of Attack Path Verification & Impacts

Upon taking a detailed look at each of these devices, I discovered over a hundred security cameras. Due to the obvious sensitive nature of these images, we are unable to provide any screenshots of what was found here for context. However, each of these interfaces provided not only access to the feed of each security camera, but gave me administrative access to them, allowing me to reposition the camera angles, toggle thermal imaging, and all other associated controls. I was able to observe as the company’s employees went about their day performing their job functions. The external cameras allowed me to watch employees on their smoke breaks, observe the parking lot, capture license plates, and monitor who entered or left the facility. I was also able to access to the DVR console recording the feeds, allowing me to alter or delete them at will.

In addition to the security cameras, I also found the interfaces for the organization’s databases, which houses all information critical to the function of the organization’s processes. Without going into explicit detail, I found enough data to discern how the business processes functioned. While potentially damaging, this was not the reason why this database was deemed highly impactful. What made this particularly dangerous was the access to the admin functionality such as the ability to delete the entire database. This capability provided me with the opportunity to destroy all data. One click of a button, and all of it would have been gone instantly. While backups may be in place, the business would have become unavailable for a few hours, or longer depending on the time it takes them to restore the systems. Due to the role this specific client serves, a key part of U.S. infrastructure would have been rendered inoperable. If even for a few minutes, this could lead to disastrous and costly results.

Both items were vulnerable due to the lack of passwords. Admin access to these interfaces was not even locked behind default credentials; no passwords at all were set. The unencrypted nature of HTTP can also allow for sniffing network traffic to intercept information.

Remediation

TraceSecurity recommends removing default credentials for network systems and configuring unique passwords for all devices to require a minimum of 10 characters with complexity, or a passphrase of 24 characters without complexity. TraceSecurity also recommends converting all unencrypted connections such as HTTP to HTTPS or other secure methods of communication.

Final Words

This company was able to avoid a potentially devastating attack resulting in millions of dollars in damage and downed infrastructure through assessments designed to test their current security. These assessments, penetration tests, password audits, and other services may cost you a few thousand upfront, but can end up saving you millions in the long run.