A Real-World Example of Vulnerability Assessments vs Penetration Testing
Guest Post by Steven Peterson

A lot has been written about vulnerability assessment vs penetration tests. Both have their place in a good security program. However, these terms get blended together quite a bit. I recently had a real-world experience that really highlights the differences between them.

To prep for the upcoming penetration test, the client had an internal and external vulnerability scan done by a third party. Their external footprint was small, with a handful of active IP addresses. The scan results were dominated by SSL/TLS findings such as self-signed certificates and weak cipher suites. Those vulnerabilities needed to be addressed, but the likelihood of exploitation was low.

We started the external penetration test and found a firewall VPN login portal. The vulnerability scan had found the same portal but only flagged it for offering weak cipher suites. We saw another potential vulnerability that a vulnerability scan would not test for: a brute-force attack against the login.

We gathered a bunch of user names via open-source methods. Next, we compiled a list of passwords. The list included passwords from previous breaches and common passwords like 'Winter2024', 'Password1!', and 'Welcome1.'

Then we brute-forced the VPN portal with the usernames and passwords. The portal had a lockout mechanism that triggered on 2 wrong attempts within 1 minute. We kept the attack long and slow to stay under that threshold, at 1 guess every 90 seconds. After many hours, we got a successful login for a user. Surprisingly, the portal didn't have multi-factor authentication (MFA). After logging into the VPN portal, we downloaded the VPN client and pivoted to the internal network.
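The lockout described above only looks at a one-minute window, so a guess every 90 seconds never trips it. The following detection logic is an added example (not code from the post or from White Box Security) that runs two views over the same constructed VPN login log: a simulation of the portal's per-minute lockout, and a defender-side detector that counts failures per source over a 12-hour window and flags a success that follows many failures. The log format, the thresholds and every sample line are assumptions made for this illustration.

```python
"""Two views of the same login activity: the portal's per-minute lockout and a
defender-side long-window detector.  Added example; log format, thresholds and
all sample data are constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed): "<ISO-8601 UTC> src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}

def build_sample_logs():
    """Constructed sample: one source tries a guess every 90 seconds for five
    hours, cycling through five usernames, then lands a login; a legitimate
    user elsewhere mistypes once and then signs in."""
    start = datetime(2024, 5, 1, 22, 0, 0, tzinfo=timezone.utc)
    users = ["jdoe", "asmith", "bwong", "clee", "dpatel"]
    lines = []
    for i in range(200):
        ts = start + timedelta(seconds=90 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.7 "
                     f"user={users[i % len(users)]} result=FAIL")
    ts = start + timedelta(seconds=90 * 200)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.7 user=clee result=OK")
    lines.append("2024-05-02T01:00:00Z src=198.51.100.4 user=mreyes result=FAIL")
    lines.append("2024-05-02T01:00:20Z src=198.51.100.4 user=mreyes result=OK")
    return lines

def _sorted(events):
    return sorted(events, key=lambda e: e["ts"])

def lockout_triggers(events, max_failures=2, window=timedelta(minutes=1)):
    """Mimic the portal's control: fire when `max_failures` failures from one
    source fall inside `window`.  Returns (timestamp, source) for each firing."""
    recent, fired = defaultdict(deque), []
    for e in _sorted(events):
        if e["result"] != "FAIL":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            fired.append((e["ts"], e["src"]))
            q.clear()  # a lockout resets the counter
    return fired

def slow_spray_alerts(events, threshold=20, window=timedelta(hours=12)):
    """Defender-side view: failures per source over a long sliding window,
    with the number of distinct usernames tried.  Fires once per source."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in _sorted(events):
        if e["result"] != "FAIL":
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"ts": e["ts"], "src": e["src"], "failures": len(q),
                           "distinct_users": len({u for _, u in q})})
    return alerts

def success_after_failures(events, min_failures=10, window=timedelta(hours=12)):
    """A login that succeeds after many recent failures from the same source:
    the signature of a slow guess that finally landed.  Returns
    (timestamp, source, user, prior_failures) per hit."""
    recent, hits = defaultdict(deque), []
    for e in _sorted(events):
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "FAIL":
            q.append(e["ts"])
        elif len(q) >= min_failures:
            hits.append((e["ts"], e["src"], e["user"], len(q)))
    return hits

def run_detectors(lines=None):
    events = [parse_line(l) for l in (lines if lines is not None else build_sample_logs())]
    return {"lockouts": lockout_triggers(events),
            "spray_alerts": slow_spray_alerts(events),
            "suspicious_logins": success_after_failures(events)}

if __name__ == "__main__":
    r = run_detectors()
    print("portal lockouts fired:", len(r["lockouts"]))
    for a in r["spray_alerts"]:
        print(f"{a['ts']:%Y-%m-%dT%H:%M:%SZ} spray from {a['src']}: "
              f"{a['failures']} failures across {a['distinct_users']} users")
    for ts, src, user, n in r["suspicious_logins"]:
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} login for {user} from {src} after {n} failures")
```

On the constructed sample the simulated lockout never fires, while the long-window detector alerts at the 20th failure (about 28 minutes in) and the final successful login is flagged as following 200 failures. The same lockout does fire on a fast burst, which is the only case it was built for.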

We quickly notified the client of our finding. The client was surprised to learn of the account we used to connect to the VPN. That account was not in the VPN user group and should not have been able to use the VPN. There was an issue with the LDAP filter on the firewall: the VPN group was not filtered properly, so the misconfiguration allowed anyone with domain credentials to connect to the VPN. The client was unaware that the misconfiguration existed and rapidly shut down the VPN until they could resolve the LDAP issue.
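A group restriction that lives only in an LDAP filter is easy to get wrong and hard to notice, because every login still succeeds. The following is an added example (not the firewall vendor's code or anything from the post) of how a defender can test such a filter offline: a minimal evaluator for a subset of RFC 4515 filters, a constructed directory, a filter that omits the group clause beside the corrected one, and a static check that the filter actually asserts membership of the expected group. The group DN, the directory entries and the `{user}` placeholder syntax are assumptions made for this illustration.

```python
"""Minimal evaluator for LDAP search filters (RFC 4515 subset: &, |, !,
attr=value, attr=*) so a VPN authorization filter can be tested offline
against constructed directory entries.  Added example, not firewall code."""
import re

LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter, so a username
    cannot alter the filter's structure."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter into a tuple tree: ('&', [..]), ('|', [..]),
    ('!', [node]) or ('=', attr, raw_value).  Substring filters are not
    supported; a lone '*' means presence."""
    pos = 0
    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep:
                raise ValueError(f"bad assertion {text[pos:end]!r}")
            result = ("=", attr.strip().lower(), value.strip())
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attribute
    name -> list of values).  Comparison is case-insensitive, as it is for
    sAMAccountName and DN-valued attributes in Active Directory."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, raw = tree
    values = entry.get(attr, [])
    if raw == "*":
        return bool(values)
    wanted = _unescape(raw).lower()
    return any(v.lower() == wanted for v in values)

# Constructed directory: assumed group DNs, one VPN-entitled user, one ordinary
# user, one service account and one computer object.
VPN_GROUP = "CN=VPN Users,OU=Groups,DC=example,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"

def entry(**attrs):
    return {k.lower(): list(v) for k, v in attrs.items()}

DIRECTORY = [
    entry(sAMAccountName=["asmith"], objectClass=["user"], memberOf=[VPN_GROUP, DOMAIN_USERS]),
    entry(sAMAccountName=["clee"], objectClass=["user"], memberOf=[DOMAIN_USERS]),
    entry(sAMAccountName=["svc-backup"], objectClass=["user"], memberOf=[DOMAIN_USERS]),
    entry(sAMAccountName=["FILESRV01$"], objectClass=["computer"], memberOf=[]),
]

# `{user}` is an assumed placeholder syntax for this example, not a vendor's.
BROKEN_FILTER = "(&(objectClass=user)(sAMAccountName={user}))"          # group clause missing
FIXED_FILTER = f"(&(objectClass=user)(sAMAccountName={{user}})(memberOf={VPN_GROUP}))"

def authorized(filter_template, username, directory=DIRECTORY):
    tree = parse_filter(filter_template.replace("{user}", escape_value(username)))
    return any(matches(tree, e) for e in directory)

def allowed_users(filter_template, directory=DIRECTORY):
    """Every account the filter would authorize: the review to run before
    trusting a group restriction that exists only in the filter."""
    return sorted(e["samaccountname"][0] for e in directory
                  if authorized(filter_template, e["samaccountname"][0], directory))

def filter_requires_group(filter_text, group_dn):
    """Static check: does the filter assert memberOf equal to the expected group?"""
    def walk(t):
        if t[0] == "=":
            return t[1] == "memberof" and _unescape(t[2]).lower() == group_dn.lower()
        return any(walk(c) for c in t[1])
    return walk(parse_filter(filter_text))

if __name__ == "__main__":
    for name, flt in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        print(f"{name}: requires VPN group={filter_requires_group(flt, VPN_GROUP)}, "
              f"would admit {allowed_users(flt)}")
```

Against the constructed directory the broken filter admits every user object, including the service account, while the fixed filter admits only the VPN group member. Two caveats when applying this to a real directory: `memberOf` in Active Directory does not reflect nested group membership, so a filter that must honour nested groups needs the matching-rule-in-chain extensible match (OID 1.2.840.113556.1.4.1941) rather than plain equality; and the evaluator here covers only the filter subset shown, so treat it as a unit test for the filter's logic, not as a replacement for a live `ldapsearch` against the directory.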

Instead of a moderate-risk finding, the client was able to correct multiple critical issues before they even received a report. These critical vulnerabilities could have led to a direct compromise of their network.

Vulnerability scans are designed to find quick and easy-to-detect vulnerabilities. Scanning your network is essential for a good security program, but it will not detect all your vulnerabilities. Regular penetration testing is the crucial next step for verifying that your security controls are working as intended.


Guest Post by Steven Peterson, Chief Hacking Officer, White Box Security.

You can reach Steven at [email protected].

Rob Ferrill

CISO @ UAB / Board Member / Keynote Speaker / Veteran

1 year

Will never forget the first unannounced pentest I went through as the leader of a security team where the testers got into the VPN with one of those passwords you mentioned, seems like Winter2010 or something similar did the trick. That was a humbling moment when they presented their findings to a large group of us and our dCIO and CIO were in the room. It felt like my team was blindsided and being dragged under the bus, which turned into an adversarial, tense conversation, especially since they had pivoted their way to our domain controllers. The only way we knew they were in the house was after they accidentally blue screened one of the DCs. So that was a lesson learned for me. If memory serves, I was able to persuade the boss that "surprise" pentests may not be advisable if we wanna keep stress levels down on the team. It works much better if they are coordinated with the SOC. In that scenario, we would then allow the test unimpeded, but this way the SOC is able to watch and learn as they progress through their test. This is a much lower anxiety type of engagement for the SOC and still allows for truly testing the network.

Thanks Daniel! I appreciate the kind words.
