Top 10 Pentest Findings & Recommendations

Ross Holmes


1. Multicast DNS (mDNS) Spoofing

mDNS is used in small networks for DNS name resolution without a local DNS server. Because any host on the segment can answer a multicast query, an attacker on the same network can respond to a victim's lookup with their own IP address and redirect the connection to themselves.

Recommendations:

  • Disable mDNS if not in use. This can be done by disabling the Apple Bonjour service (macOS/Windows) or the avahi-daemon service (Linux).

2. NetBIOS Name Service (NBNS) Spoofing

NBNS resolves hostnames when a DNS lookup fails by broadcasting queries across the local subnet. Attackers on that subnet can exploit this by answering the broadcast with their own IP address.

Recommendations:

  • Configure the UseDnsOnlyForNameResolutions registry key.
  • Disable the NetBIOS service via DHCP options, network adapter settings, or a registry key.

3. Link-local Multicast Name Resolution (LLMNR) Spoofing

LLMNR is used in internal networks to resolve hostnames when no DNS server answers. Like mDNS and NBNS, it can be exploited by attackers on the same segment who respond to queries with their own IP address.

Recommendations:

  • Configure the Multicast Name Resolution registry key to prevent LLMNR queries.
  • Use Group Policy or the Windows registry to turn off Multicast Name Resolution.
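The registry settings behind the NBNS and LLMNR recommendations above can be audited and applied with the following PowerShell script. It is an added example, not part of the original article. It checks the EnableMulticast policy value (what the "Turn off multicast name resolution" Group Policy writes) and the per-interface NetbiosOptions value, and only changes them when run with -Remediate. The path used for UseDnsOnlyForNameResolutions is the one commonly cited in pentest reports and is an assumption here; confirm it against your own baseline before deploying.

```powershell
# Added example (not from the original article): audit and, with -Remediate,
# disable LLMNR and NetBIOS-over-TCP/IP name resolution on a Windows host.
# Run from an elevated PowerShell prompt; roll out via Group Policy once tested.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# --- LLMNR ---------------------------------------------------------------
# Group Policy "Turn off multicast name resolution" writes EnableMulticast = 0
# under the DNSClient policy key.
$llmnrPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $llmnrPath -Name EnableMulticast -ErrorAction SilentlyContinue
if ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0) {
    Write-Output 'LLMNR: disabled (EnableMulticast = 0)'
} else {
    Write-Output 'LLMNR: ENABLED (EnableMulticast missing or non-zero)'
    if ($Remediate) {
        New-Item -Path $llmnrPath -Force | Out-Null
        Set-ItemProperty -Path $llmnrPath -Name EnableMulticast -Value 0 -Type DWord
        Write-Output 'LLMNR: set EnableMulticast = 0'
    }
}

# --- NBNS / NetBIOS over TCP/IP -------------------------------------------
# NetbiosOptions is stored per interface: 0 = use DHCP setting, 1 = enabled,
# 2 = disabled. Every adapter is checked so a single forgotten NIC is not missed.
$nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtRoot | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -eq 2) {
        Write-Output "NBNS: disabled on $($_.PSChildName)"
    } else {
        Write-Output "NBNS: ENABLED on $($_.PSChildName) (NetbiosOptions = $opt)"
        if ($Remediate) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            Write-Output "NBNS: set NetbiosOptions = 2 on $($_.PSChildName)"
        }
    }
}

# UseDnsOnlyForNameResolutions: the key named in the recommendation above.
# Assumption: it lives under NetBT\Parameters, as most pentest reports state.
$nbtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$dnsOnly = (Get-ItemProperty -Path $nbtParams -Name UseDnsOnlyForNameResolutions -ErrorAction SilentlyContinue).UseDnsOnlyForNameResolutions
if ($dnsOnly -eq 1) {
    Write-Output 'NBNS: UseDnsOnlyForNameResolutions = 1'
} else {
    Write-Output 'NBNS: UseDnsOnlyForNameResolutions not set to 1'
    if ($Remediate) {
        Set-ItemProperty -Path $nbtParams -Name UseDnsOnlyForNameResolutions -Value 1 -Type DWord
        Write-Output 'NBNS: set UseDnsOnlyForNameResolutions = 1'
    }
}
```

Run it without arguments first to get a read-only report, then with -Remediate on a test host. Interfaces whose NetbiosOptions value is 0 inherit the DHCP server's setting, so the DHCP option mentioned in the recommendation must also be reviewed or those adapters may re-enable NetBIOS on their next lease.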

4. IPv6 DNS Spoofing

IPv6 DNS spoofing involves a rogue DHCPv6 server answering clients' DHCPv6 solicitations and assigning them attacker-controlled IPv6 DNS servers, allowing the attacker to intercept DNS requests. Windows hosts prefer IPv6 by default, so this works even on networks that only use IPv4 in practice.

Recommendations:

  • Disable IPv6 if not required, testing the change before deployment.
  • Implement DHCPv6 guard on network switches so that only authorized DHCPv6 servers can answer clients.

5. Outdated Microsoft Windows Systems

Outdated systems are vulnerable because they no longer receive security updates, so newly disclosed flaws remain exploitable indefinitely, making them easy targets for attackers.

Recommendations:

  • Replace outdated Windows versions with up-to-date, supported operating systems.

6. IPMI Authentication Bypass

IPMI allows remote server management through a baseboard management controller, but vulnerabilities in its authentication can allow attackers to bypass login and gain access to the server's out-of-band management.

Recommendations:

  • Restrict IPMI access to a dedicated management network reachable only by the systems that need it.
  • Disable IPMI if not needed.
  • Change default administrator passwords to strong, complex ones.
  • Use secure protocols like HTTPS and SSH for management access.

7. Microsoft Windows RCE (BlueKeep)

Systems vulnerable to CVE-2019-0708 (BlueKeep), a pre-authentication flaw in Remote Desktop Services, can be exploited by attackers to gain full control.

Recommendations:

  • Apply security updates immediately.
  • Review and enhance the patch management program to prevent future vulnerabilities.

8. Local Administrator Password Reuse

Reusing the same local administrator password across multiple systems increases the risk of widespread compromise: once the password is recovered from one host, it grants access to every other host that shares it.

Recommendations:

  • Use solutions like Microsoft Local Administrator Password Solution (LAPS) to ensure unique local administrator passwords across systems.

9. Microsoft Windows RCE (EternalBlue)

Systems vulnerable to MS17-010 (EternalBlue), a flaw in the SMBv1 protocol, are highly exploitable and can be fully controlled by attackers.

Recommendations:

  • Apply security updates immediately.
  • Evaluate the patch management program for gaps and improvements.

10. Dell EMC iDRAC 7/8 CGI Injection (CVE-2018-1207)

Vulnerable Dell EMC iDRAC 7/8 firmware versions allow unauthenticated attackers to execute commands with root privileges on the management controller.

Recommendations:

  • Upgrade firmware to the latest version.

Common Causes of Critical Pentest Findings

Configuration Weaknesses: Often due to improperly hardened services, weak or default credentials, unnecessarily exposed services, or excessive user permissions.

Patching Deficiencies: Frequently result from compatibility issues that hold patches back, or from misconfigurations within the patch management solution that leave some systems uncovered.


By addressing these findings and recommendations, organisations can significantly enhance their security posture and reduce vulnerabilities.
