TCMS - Demo Corp - Findings Report - Example 2

DEMO CORP
Security Assessment Findings Report
Business Confidential
Date: March 9th, 2021

Project: DC-001
Version 1.0
DEMO CORP
BUSINESS Page 1 of 38
CONFIDENTIAL
Copyright © TCM Security (tcm-
Table of Contents
Table of Contents......................................................................................................................................................2
Confidentiality Statement..........................................................................................................................................4
Disclaimer................................................................................................................................................................ 4
Contact Information..................................................................................................................................................4
Assessment Overview...............................................................................................................................................5
Assessment Components...........................................................................................................................................5
Internal Penetration Test...........................................................................................................................5
Finding Severity Ratings..........................................................................................................................................6
Risk Factors..............................................................................................................................................................6
Likelihood.................................................................................................................................................6
Impact.......................................................................................................................................................6
Scope........................................................................................................................................................................ 7
Scope Exclusions......................................................................................................................................7
Client Allowances......................................................................................................................................7
Executive Summary..................................................................................................................................................8
Scoping and Time Limitations..................................................................................................................8
Testing Summary......................................................................................................................................8
Tester Notes and Recommendations.........................................................................................................9
Key Strengths and Weaknesses...............................................................................................................10
Vulnerability Summary & Report Card..................................................................................................................11
Internal Penetration Test Findings..........................................................................................................11
Technical Findings..................................................................................................................................................13
Internal Penetration Test Findings..........................................................................................................13
Finding IPT-001: Insufficient LLMNR Configuration (Critical)......................................................................13
Finding IPT-002: Security Misconfiguration – Local Admin Password Reuse (Critical)................................14
Finding IPT-003: Security Misconfiguration – WDigest (Critical)..................................................................15
Finding IPT-004: Insufficient Hardening – Token Impersonation (Critical)...................................................16
Finding IPT-005: Insufficient Password Complexity (Critical).......................................................................17
Finding IPT-006: Security Misconfiguration – IPv6 (Critical)........................................................................18
Finding IPT-007: Insufficient Hardening – SMB Signing Disabled (Critical).................................................19
Finding IPT-008: Insufficient Patch Management – Software (Critical).........................................................20
Finding IPT-009: Insufficient Patch Management – Operating Systems (Critical)..........................................21
Finding IPT-010: Insufficient Patching – MS08-067 - ECLIPSEDWING/NETAPI (Critical)........................22
Finding IPT-011: Insufficient Patching – MS12-020 – Remote Desktop RCE (Critical)................................23
Finding IPT-012: Insufficient Patching – MS17-010 - EternalBlue (Critical).................................................24
Finding IPT-013: Insufficient Patching – CVE-2019-0708 - BlueKeep (Critical)...........................................25
Finding IPT-014: Insufficient Privileged Account Management – Kerberoasting (High)...............................26
Finding IPT-015: Security Misconfiguration – GPP Credentials (High).........................................................27

Finding IPT-016: Insufficient Authentication - VNC (High)...........................................................................28
Finding IPT-017: Default Credentials on Web Services (High)......................................................................29
Finding IPT-018: Insufficient Hardening – Listable Directories (High)..........................................................30
Finding IPT-019: Unauthenticated SMB Share Access (Moderate)................................................................31
Finding IPT-020: Insufficient Patch Management – SMBv1 (Moderate)........................................................32
Finding IPT-021: IPMI Hash Disclosure (Moderate)......................................................................................33
Finding IPT-022: Insufficient SNMP Community String Complexity (Moderate)..........................................34
Finding IPT-023: Insufficient Data in Transit Encryption - Telnet (Moderate)...............................................35
Finding IPT-024: Insufficient Terminal Services Configuration (Moderate)...................................................36
Finding IPT-025: Steps to Domain Admin (Informational).............................................................................37
Additional Scans and Reports.................................................................................................................37
Confidentiality Statement
This document is the exclusive property of Demo Corp and TCM Security (TCMS). This document
contains proprietary and confidential information. Duplication, redistribution, or use, in whole or in part,
in any form, requires consent of both Demo Corp and TCMS.
Demo Corp may share this document with auditors under non-disclosure agreements to demonstrate
penetration test requirement compliance.
Disclaimer
A penetration test is considered a snapshot in time. The findings and recommendations reflect the
information gathered during the assessment and not any changes or modifications made outside of that
period.
Time-limited engagements do not allow for a full evaluation of all security controls. TCMS prioritized
the assessment to identify the weakest security controls an attacker would exploit. TCMS recommends
conducting similar assessments on an annual basis by internal or third-party assessors to ensure the
continued success of the controls.
Contact Information
Name Title Contact Information
Demo Corp
Global Information Security
John Smith Email: jsmith@democorp.com
Manager
TCM Security
Heath Adams Lead Penetration Tester Email: heath@tcm-sec.com
Demo Corp
CONFIDENTIAL
Assessment Overview
From February 22nd, 2021 to March 5th, 2021, Demo Corp engaged TCMS to evaluate the security
posture of its infrastructure compared to current industry best practices that included an internal network
penetration test. All testing performed is based on the NIST SP 800-115 Technical Guide to Information
Security Testing and Assessment, OWASP Testing Guide (v4), and customized testing frameworks.
Phases of penetration testing activities include the following:
 Planning – Customer goals are gathered and rules of engagement obtained.
 Discovery – Perform scanning and enumeration to identify potential vulnerabilities, weak
areas, and exploits.
 Attack – Confirm potential vulnerabilities through exploitation and perform additional
discovery upon new access.
 Reporting – Document all found vulnerabilities and exploits, failed attempts, and company
strengths and weaknesses.
Assessment Components
Internal Penetration Test
An internal penetration test emulates the role of an attacker from inside the network. An engineer will
scan the network to identify potential host vulnerabilities and perform common and advanced internal
network attacks, such as: LLMNR/NBT-NS poisoning and other man- in-the-middle attacks, token
impersonation, kerberoasting, pass-the-hash, golden ticket, and more. The engineer will seek to gain
access to hosts through lateral movement, compromise domain user and admin accounts, and exfiltrate
sensitive data.
Demo Corp
CONFIDENTIAL
Finding Severity Ratings
The following table defines levels of severity and corresponding CVSS score range that are used
throughout the document to assess vulnerability and risk impact.
CVSS V3
Severity Definition
Score Range
Exploitation is straightforward and usually results in system-level
Critical 9.0-10.0 compromise. It is advised to form a plan of action and patch immediately.
Exploitation is more difficult but could cause elevated privileges and

High 7.0-8.9 potentially a loss of data or downtime. It is advised to form a plan of
action and patch as soon as possible.
Vulnerabilities exist but are not exploitable or require extra steps such as
Moderate 4.0-6.9 social engineering. It is advised to form a plan of action and patch after
high-priority issues have been resolved.
Vulnerabilities are non-exploitable but would reduce an organization’s

Low 0.1-3.9 attack surface. It is advised to form a plan of action and patch during the
next maintenance window.
No vulnerability exists. Additional information is provided regarding

Informational N/A items noticed during testing, strong controls, and additional documentation.
Risk Factors
Risk is measured by two factors: Likelihood and Impact:
Likelihood
Likelihood measures the potential of a vulnerability being exploited. Ratings are given based on the
difficulty of the attack, the available tools, attacker skill level, and client environment.
Impact
Impact measures the potential vulnerability’s effect on operations, including confidentiality, integrity, and
availability of client systems and/or data, reputational harm, and financial loss.
Demo Corp
CONFIDENTIAL
Scope
Assessment Details
Internal Penetration Test 10.x.x.x/8
Scope Exclusions
Per client request, TCMS did not perform any of the following attacks during testing:
 Denial of Service (DoS)
 Phishing/Social Engineering
All other attacks not specified above were permitted by Demo Corp.
Client Allowances
Demo Corp provided TCMS the following allowances:
 Internal access to network via dropbox and port allowances
Demo Corp
CONFIDENTIAL
Executive Summary
TCMS evaluated Demo Corp’s internal security posture through penetration testing from February 22nd,
2021 to March 5th, 2021. The following sections provide a high-level overview of vulnerabilities
discovered, successful and unsuccessful attempts, and strengths and weaknesses.
Scoping and Time Limitations
Scoping during the engagement did not permit denial of service or social engineering across all testing
components.
Time limitations were in place for testing. Internal network penetration testing was permitted for ten
(10) business days.
Testing Summary
The network assessment evaluated Demo Corp’s internal network security posture. From an internal
perspective, the TCMS team performed vulnerability scanning against all IPs provided by Demo Corp to
evaluate the overall patching health of the network. The team also performed common Active Directory
based attacks, such as Link-Local Multicast Name Resolution (LLMNR) Poisoning, SMB relaying, IPv6
man-in-the-middle relaying, and Kerberoasting. Beyond vulnerability scanning and Active Directory
attacks, the TCMS evaluated other potential risks, such as open file shares, default credentials on
servers/devices, and sensitive information disclosure to gain a complete picture of the network’s security
posture.
The TCMS team discovered that LLMNR was enabled in the network (Finding IPT-001), which
permitted the interception of user hashes via LLMNR poisoning. These hashes were taken offline and
cracked via dictionary attacks, which signals a weak password policy (Finding IPT-005). Utilizing the
cracked passwords, the TCMS team gained access to several machines within the network, which
indicates overly permissive user accounts.
With machine access, and the use of older operating systems in the network (Finding IPT-009), the team
was able to leverage WDigest (Finding IPT-003) to recover cleartext credentials to accounts. The team
was also able to dump local account hashes on each machine accessed. The TCMS team discovered that
the local account hashes were being re-used across devices (Finding IPT-002), which lead to additional
machine access through pass-the-hash attacks.
Ultimately, the TCMS team was able to leverage accounts captured through WDigest and hash dumps to
move laterally throughout the network until landing on a machine that had a Domain Administrator
credential in cleartext via WDigest. The testing team was able to use this credential to log into the
domain controller and compromise the entire domain. For a full walkthrough of the path to Domain
Admin, please see Finding IPT-025.
Demo Corp
CONFIDENTIAL
In addition to the compromise listed above, the TCMS team found that users could be impersonated
through delegation attacks (Finding IPT-004), SMB relay attacks were possible due to SMB signing
being disabled (Finding IPT-007), and IPv6 traffic was not restricted, which could lead to LDAPS
relaying and domain compromise (Finding IPT-006).
The remainder of critical findings relate to patch management as devices with critical out-of-date
software (Finding IPT-008), operating systems (Finding IPT-009), and Microsoft RCE vulnerabilities
(Findings IPT-010, IPT-011, IPT-012, IPT-013), were found to be present within the network.
The remainder of the findings were high, moderate, low, or informational. For further information on
findings, please review the Technical Findings section.
Tester Notes and Recommendations

Testing results of the Demo Corp network are indicative of an organization undergoing its first
penetration test, which is the case here. Many of the findings discovered are vulnerabilities within
Active Directory that come enabled by default, such as LLMNR, IPv6, and Kerberoasting.
During testing, two constants stood out: a weak password policy and weak patching. The weak password
policy led to the initial compromise of accounts and is usually one of the first footholds an attacker
attempts to use in a network. The presence of a weak password policy is backed up by the evidence of
our testing team cracking over 2,200 user account passwords, including a majority of the Domain
Administrator accounts, through basic dictionary attacks.
We recommended that Demo Corp re-evaluates their current password policy and considers a policy of
15 characters or more for their regular user accounts and 30 characters or more for their Domain
Administrator accounts. We also recommend that Demo Corp explore password blacklisting and will be
supplying a list of cracked user passwords for the team to evaluate. Finally, a Privilege Access
Management solution should be considered.
Weak patching and dated operating systems led to the compromise of dozens of machines within the
network. We believe the number of compromised machines would have been significantly larger,
however the TCMS and Demo Corp teams agreed it was not necessary to attempt to exploit any remote
code execution (RCE) based vulnerabilities, such as MS17-010 (Finding IPT-012), as the domain
controller had already been compromised and the teams did not want to risk any denial of service
through failed attacks.
We recommend that the Demo Corp team review the patching recommendations made in the Technical
Findings section of the report along with reviewing the provided Nessus scans for a full overview of
items to be patched. We also recommend that Demo Corp improve their patch management policies and
procedures to help prevent potential attacks within their network.
Demo Corp
CONFIDENTIAL
On a positive note, our testing team triggered several alerts during the engagement. The Demo Corp
Security Operations team discovered our vulnerability scanning and was alerted when we attempted to
use noisy attacks on a compromised machine. While not all attacks were discovered during testing, these
alerts are a positive start. Additional guidance on alerting and detection has been provided for findings,
when necessary, in the Technical Findings section.
Overall, the Demo Corp network performed as expected for a first-time penetration test. We recommend
that the Demo Corp team thoroughly review the recommendations made in this report, patch the
findings, and re-test annually to improve their overall internal security posture.
Key Strengths and Weaknesses

The following identifies the key strengths identified during the assessment:
1. Observed some scanning of common enumeration tools (Nessus)

2. Mimikatz detected on some machines
3. Service accounts were not running as domain administrators
4. Demo Corp local administrator account password was unique to each device
The following identifies the key weaknesses identified during the assessment:
1. Password policy found to be insufficient

2. Critically out-of-date operating systems and weak patching exist within the network
3. Passwords were observed in cleartext due to WDigest
4. LLMNR is enabled within the network
5. SMB signing is disabled on all non-server devices in the work
6. IPv6 is improperly managed within the network
7. User accounts can be impersonated through token delegation
8. Local admin accounts had password re-use and were overly permissive
9. Default credentials were discovered on critical infrastructure, such as iDRACs
10. Unauthenticated share access was permitted
11. User accounts were found to be running as service accounts
12. Service accounts utilized weak passwords
13. Domain administrator utilized weak passwords
Demo Corp
CONFIDENTIAL
Vulnerability Summary & Report Card
The following tables illustrate the vulnerabilities found by impact and recommended remediations:
Internal Penetration Test Findings
13 5 6 0 1
Critical High Moderate Low Informational
Finding Severity Recommendation

Internal Penetration Test
IPT-001: Insufficient LLMNR Critical Disable multicast name resolution via
Configuration GPO.
IPT-002: Security Misconfiguration – Critical Utilize unique local admin passwords
Local Admin Password Reuse and limit local admin users via least
privilege.
IPT-003: Security Misconfiguration – Critical Disable WDigest via GPO.
Wdigest
IPT-004: Insufficient Hardening – Critical Restrict token delegation.
Token Impersonation
IPT-005: Insufficient Password Critical Implement CIS Benchmark password
Complexity requirements / PAM solution.
IPT-006: Security Misconfiguration – Critical Restrict DHCPv6 traffic and incoming
IPv6 router advertisements in Windows
Firewall via GPO.
IPT-007: Insufficient Hardening – Critical Enable SMB signing on all Demo Corp
SMB Signing Disabled domain computers.
IPT-008: Insufficient Patch Critical Update to the latest software version.
Management – Software
IPT-009: Insufficient Patch Critical Update Operating Systems to the latest
Management – Operating Systems version.
IPT-010: Insufficient Patching – Critical Apply the appropriate Microsoft patches
MS08-067 - to remediate the issue.
ECLIPSEDWING/NETAPI
IPT-011: Insufficient Patching – Critical Apply the appropriate Microsoft
MS12-020 – Remote Desktop RCE patches to remediate the issue.
MS17-010 - EternalBlue to remediate the issue.
Demo Corp
CONFIDENTIAL
CVE- 2019-0708 - BlueKeep to remediate the issue.
Finding Severity Recommendation
IPT-014: Insufficient Privileged High Use Group Managed Service Accounts
Account Management – (GMSA) for privileged
Kerberoasting services.
IPT-015: Security Misconfiguration – High Apply vendor patching. Do not use
GPP Credentials GPP cpasswords.
IPT-016: Insufficient Authentication - High Enable authentication on the VNC
VNC Server.
IPT-017: Default Credentials on Web High Change default credentials or disable
Services unused accounts.
IPT-018: Insufficient Hardening – High Restrict access and conduct web app
Listable Directories assessment.
IPT-019: Unauthenticated SMB Share Moderate Disable SMB share or require
Access authentication.
IPT-020: Insufficient Patch Moderate Upgrade to SMBv3 and apply latest
Management – SMBv1 patching.
IPT-021: IPMI Hash Disclosure Moderate Disable IPMI over LAN if it is not
needed.
IPT-022: Insufficient SNMP Moderate Disabled SNMP if not required.
Community String Complexity
IPT-023: Insufficient Data in Transit Moderate Migrate to TLS protected protocols.
Encryption - Telnet
IPT-024: Insufficient Terminal Moderate Enable Network Level Authentication
Services Configuration (NLA) on the remote RDP server.
IPT-025: Steps to Domain Admin Informational Review action and remediation steps.
Demo Corp
CONFIDENTIAL
Technical Findings
Internal Penetration Test Findings
Finding IPT-001: Insufficient LLMNR Configuration (Critical)
Description: Demo Corp allows multicast name resolution on their end-user networks. TCMS
captured 20 user account hashes by poisoning LLMNR traffic and cracked 2 with
commodity cracking software.
The cracked accounts were used to leverage further access that led to the
compromise of the Domain Controller.
Risk: Likelihood: High – This attack is effective in environments allowing multicast
name resolution.
Impact: Very High – LLMNR poisoning permits attackers to capture password

hashes to either crack offline or relay in real-time and pivot laterally in the
environment.
System: All
Tools Used: Responder, Hashcat
References: Stern Security - Local Network Attacks: LLMNR and NBT-NS
Poisoning NIST SP800-53 r4 IA-3 - Device Identification and
Authentication NIST SP800-53 r4 CM-6(1) - Configuration Settings
Evidence
Figure 1: Captured hash of “production”
Figure 2: Cracked hash of “production”
Remediation
Disable multicast name resolution via GPO. For full mitigation and detection guidance, please
reference the MITRE guidance here.
The cracked hashes demonstrate a deficient password complexity policy. If multicast name resolution
is required, Network Access Control (NAC) combined with application whitelisting can limit these
attacks.
Demo Corp
CONFIDENTIAL
Finding IPT-002: Security Misconfiguration – Local Admin Password Reuse (Critical)
Description: TCMS utilized local administrator hashes to gain access to other machines in the
network via a ‘pass-the-hash’ attack. The local administrator hashes were
obtained via machine access provided by the cracked account in IPT-001.
Pass-the-hash attacks do not require knowing the account password to successfully

log into a machine. Thus, reusing the same local admin password (and therefore the
same hash) on multiple machines will permit system access to those computers.
TCMS leveraged this attack to gain access to ~50 machines within the main
office. This led to further account access and the eventual compromise of the
domain controller.
Risk: Likelihood: High – This attack is effective in large networks with local admin
password reuse.
Impact: Very High – Pass-the-hash permits an attacker to move laterally and

vertically throughout the network.
System: All
Tools Used: Impacket, Crackmapexec
References: https://capec.mitre.org/data/definitions/644.html
https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security/
Evidence
Figure 3: Local admin hash used to gain access to machine
Remediation
Utilize unique local admin passwords. Limit local admin users via least privilege. Consider
implementing a PAM solution. For full mitigation and detection guidance, please reference the
MITRE guidance here.
Demo Corp
CONFIDENTIAL
Finding IPT-003: Security Misconfiguration – WDigest (Critical)
Description: Demo Corp permitted out-of-date operating systems within their network, including
Windows 7, 8, Server 2008, and Server 2012.
These operating systems, by default, permit WDigest, which stores all current
logged-in user’s passwords in clear-text.
TCMS leveraged machine access gained in IPT-001 and IPT-002 to move laterally
throughout the network until uncovering a machine with Domain Admin
credentials stored in WDigest.
Risk: Likelihood: Moderate – This attack is effective in networks with older operating
systems.
Impact: Very High – WDigests credentials are stored in clear text, which can permit
the theft of sensitive accounts, such as Domain Administrators.
System: All systems older than Windows 10 and Server 2016
Tools Used: Metasploit, Kiwi
References: https://stealthbits.com/blog/wdigest-clear-text-passwords-stealing-more-than- a-
hash/
Evidence
Figure 4: Cleartext passwords of Domain Administrators
Remediation
Disable WDigest via GPO. For full mitigation and detection guidance, please reference the guidance
here.
Demo Corp
CONFIDENTIAL
Finding IPT-004: Insufficient Hardening – Token Impersonation (Critical)
Description: TCMS impersonated the token of “supcb” to obtain Domain Administrator
privileges.
Risk: Likelihood: High – The penetration tester viewed and impersonated tokens with the
use of open-source tools.
Impact: Very High - If exploited, an attacker gains domain administrator access.

System: All
Tools Used: Metasploit, Incognito
References: NIST SP800-53 r4 CM-7 - Least Functionality
NIST SP800-53 r4 AC-6 - Least Privilege
https://docs.microsoft.com/en-us/windows-server/identity/ad-
ds/manage/how-to-configure- protected-accounts
Evidence
Figure 5: Impersonation of “sup”
Figure 6: Shell access as Domain Admin “sup”
Remediation
Restrict token delegation. For full mitigation and detection guidance, please reference the MITRE
guidance here.
Demo Corp
CONFIDENTIAL
Finding IPT-005: Insufficient Password Complexity (Critical)
Description: TCMS dumped hashes from the domain controller and proceeded to attempt
common password guessing attacks against all users.
TCMS cracked 2,226 passwords using basic password list guessing attacks and low
effort brute forcing attacks. 17 cracked accounts had domain administrator rights.
Risk: Likelihood: High - Simple passwords are susceptible to password cracking attacks.
Encryption provides some protection, but dictionary attacks base on common word
lists often crack weak passwords.
Impact: Very High - Domain admin accounts with weak passwords could lead to an
adversary critically impacting Demo Corp ability to operate.
System: All
Tools Used: Manual Review
References: NIST SP800-53 IA-5(1) - Authenticator Management
https://www.cisecurity.org/white-papers/cis-password-policy-guide/
Evidence
Figure 7: Excerpt of cracked domain hashes
Remediation
Implement CIS Benchmark password requirements / PAM solution. TCMS recommends that Demo
Corp enforce industry best practices around password complexity and management. A password filter to
prevent users from using common and easily guessable passwords is also recommended. Additionally,
TCMS recommends that Demo Corp enforce stricter password requirements for Domain Administrator
and other sensitive accounts.
Demo Corp
CONFIDENTIAL
Finding IPT-006: Security Misconfiguration – IPv6 (Critical)
Description: Through IPv6 DNS poisoning, the TCMS team was able to successfully relay
credentials to the Demo Corp domain controller.
Risk: Likelihood: High – IPv6 is enabled by default on Windows networks. The tools and
techniques required to perform this task are trivial.
Impact: Very High - If exploited, an attacker can gain domain administrator access.
System: All
Tools Used: Mitm6, Impacket
References: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via- ipv6/
Evidence
Figure 8: Successfully relayed LDAP credentials via mitm6
Remediation
1. IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only
environments. If you do not use IPv6 internally, the safest way to prevent mitm6 is to block
DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy.
Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to
Block instead of Allow prevents the attack from working:
a. (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)
b. (Inbound) Core Networking - Router Advertisement (ICMPv6-In)
c. (Outbound) Core Networking - Dynamic Host Configuration Protocol for
IPv6(DHCPV6- Out)
2. If WPAD is not in use internally, disable it via Group Policy and by disabling the
WinHttpAutoProxySvc service.
3. Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and
LDAP channel binding.
Consider Administrative users to the Protected Users group or marking them as Account is sensitive and
cannot be delegated, which will prevent any impersonation of that user via delegation.
Demo Corp
CONFIDENTIAL
Finding IPT-007: Insufficient Hardening – SMB Signing Disabled (Critical)
Description: Demo Corp failed to implement SMB signing on multiple devices. The absence of
SMB signing could lead to SMB relay attacks, yielding system-level shells without
requiring a user password.
Risk: Likelihood: High – Relaying password hashes is a basic technique not requiring
offline cracking.
Impact: High – If exploited, an adversary gains code execution, leading to lateral

movement across the network.
System: Identified 709 machines, please see the below file for listing.
[file removed]
Tools Used: Nessus, Nmap, MultiRelay, Responder
References: CIS Microsoft Windows Server 2012 R2 v2.2.0 (Page 180)
https://github.com/lgandx/Responder/blob/master/tools/MultiRelay.py
Evidence
Figure 9: Successful SMB relay
Remediation
Enable SMB signing on all Demo Corp domain computers. Alternatively, as SMB signing can cause
performance issues, disabling NTLM authentication, enforcing account tiering, and limiting local admin
users can effectively help mitigate attacks. For full mitigation and detection guidance, please reference
the MITRE guidance here.
Demo Corp
CONFIDENTIAL
Finding IPT-008: Insufficient Patch Management – Software (Critical)
Description: Demo Corp permitted various deprecated software in their network. This includes:
 Apache version < 2.4.46

 Apache Tomcat version < 7.0.100, 8.5.51, 9.0.31
 Cisoco AireOS version 8.5.151.10
 CodeMeter version 3.05 (5.21.1478.500)
 Dropbear SSH Server version 2015.68
 Dell iDRAC7 version 2.63.60.62.01
 ESXi version 5.5
 ESXi version 6.5 build 15256549
 Flexera FlexNet Publisher version 11.16.0
 IIS version 7.5
 ISC BIND version 9.6.2-P2
 Microsoft DNS Server version 6.1.7601.24261
 Microsoft SQL Server version 11.0.6594.0
 Netatalk OpenSession version < 3.1.12
 PHP version < 7.3.11
 Rockwell Automation RSLinx Classic
Above lists all critical and high-rated deprecated software, the majority of which
permit serious vulnerabilities, such as remote code execution. For a full
patching list, please review the provided Nessus scan documentation.
Risk: Likelihood: High – An attacker can discover these vulnerabilities with basic
tools.
Impact: Very High – If exploited, an attacker could possibly gain full remote
code execution on or deny service to a system.
Tools Used: Nessus
References: NIST SP800-53 r4 MA-6 – Timely Maintenance
NIST SP800-53 r4 SI-2 – Flaw Remediation
Remediation
Update to the latest software version. For a full list of vulnerable systems, versions, and patching
requirements, please see the below document.
[file removed]
Demo Corp
CONFIDENTIAL
Finding IPT-009: Insufficient Patch Management – Operating Systems (Critical)
Description: Demo Corp permitted various deprecated software in their network. This includes:
 Windows Server 2003 (end of life on July 14, 2015)

 Windows Server 2008 R2 (end of life on January 14, 2020)
 Windows XP (end of life on April 8, 2014)
 Windows 7 (end of life on January 14, 2020)
 Ubuntu 11 (end of life on May 9, 2013)
 FreeBSD 11.0 (end of life on October, 2016)
End of life systems are susceptible to a multitude of vulnerabilities. TCMS did

not attempt any attacks against these servers due to the risk of a denial of service,
which is out of scope.
Risk: Likelihood: High – An attacker can discover these vulnerabilities with basic
tools.
Impact: High – If exploited, an attacker could possibly gain full remote code
execution on or deny service to a system.
[file removed]
Tools Used: Nessus
Remediation
Update Operating Systems to the latest version.
Demo Corp
CONFIDENTIAL
Finding IPT-010: Insufficient Patching – MS08-067 - ECLIPSEDWING/NETAPI (Critical)
Description: Demo Corp permitted an unpatched system on the internal network that is
vulnerable to MS08-067. TCM Security confirmed that the vulnerability likely
exists but did not attempt the exploit to prevent any denial of service.
Risk: Likelihood: High – Considered one of the most exploited vulnerabilities in
Microsoft Windows as it ships natively with Windows XP.
Impact: Very High – If exploited, an attacker gains code execution as the system
user. An adversary will require additional techniques to obtain domain
administrator access.
System: 10.x.x.x
Tools Used: Nessus, Nmap
Evidence
Figure 10: Unpatched MS08-067
Remediation
Apply the appropriate Microsoft patches to remediate the issue. More information on patching
MS08-067 can be found here: https://docs.microsoft.com/en-us/security-
updates/SecurityBulletins/2008/ms08-067
Demo Corp
CONFIDENTIAL
Finding IPT-011: Insufficient Patching – MS12-020 – Remote Desktop RCE (Critical)
Description: Demo Corp permitted an unpatched system on the internal network that is
vulnerable to MS12-020. TCM Security confirmed that the vulnerability likely
exists but did not attempt the exploit to prevent any denial of service.
Risk: Likelihood: High – The vulnerability is easily discoverable and exploitable with
open-source tools.
System: 10.x.x.x
Evidence
Remediation
updates/securitybulletins/2012/ms12-020
Demo Corp
CONFIDENTIAL
Finding IPT-012: Insufficient Patching – MS17-010 - EternalBlue (Critical)
Description: Demo Corp permitted several unpatched systems on the internal network that are
vulnerable to MS17-010 (EternalBlue). TCM Security confirmed that the
vulnerability likely exists but did not attempt the exploit to prevent any denial of
service.
Risk: Likelihood: High – Malicious actors have used SMB exploitations like
EternalBlue in recent breaches.
System: 10.x.x.x
Tools Used: Nessus, Metasploit, AutoBlue

Evidence
Remediation
updates/securitybulletins/2017/ms17-010
Demo Corp
CONFIDENTIAL
Finding IPT-013: Insufficient Patching – CVE-2019-0708 - BlueKeep (Critical)
Description: Demo Corp permitted several unpatched systems on the internal network that are
vulnerable to CVE-2019-0708 (BlueKeep). TCM Security confirmed that the
service.
Risk: Likelihood: High – The vulnerability is easily discoverable and exploitable with
open-source tools.
System: 10.x.x.x
Evidence
Figure 13: Unpatched CVE-2019-0708
Remediation
Apply the appropriate Microsoft patches to remediate the issue. More information on patching CVE-
2019-0708 can be found here: https://support.microsoft.com/en-us/topic/customer-guidance-for- cve-
2019-0708-remote-desktop-services-remote-code-execution-vulnerability-may-14-2019- 0624e35b-5f5d-
6da7-632c-27066a79262e
Demo Corp
CONFIDENTIAL
Finding IPT-014: Insufficient Privileged Account Management – Kerberoasting (High)
Description: TCMS retrieved all user service principal names (SPNs) from the Demo Corp
domain controller using a domain user-level account (IPT-001) in a Kerberoasting
attack. Retrieving these user SPNs permitted TCMS to crack 4 account passwords.
No service accounts were observed running as domain administrators. User

accounts were observed running as a service, which is not best practice.
Risk: Likelihood: High – Any account joined to the domain can request user SPNs.
Impact: High – Using SPNs, it is possible to retrieve sensitive account password

hashes and crack them offline.
Tools Used: Impacket, Hashcat
References: Kerberoasting details: https://adsecurity.org/?p=2293 Group
Managed Service Accounts Overview
Evidence
Figure 14: Cracked service accounts
Remediation
Use Group Managed Service Accounts (GMSA) for privileged services. GMSA accounts can be used to
ensure passwords are long, complex, and change frequently. Where GMSA is not applicable, protect
accounts by utilizing a password vaulting solution.
TCMS recommends configuring alert logging on domain controllers for Windows event ID 4769
whenever requesting a Kerberos service ticket. These alerts are prone to high false-positive rates but are
a supplementary detective control. Tailor a security information and event management tool (SIEM) to
alert on excessive user SPN requests.
Demo Corp
CONFIDENTIAL
Finding IPT-015: Security Misconfiguration – GPP Credentials (High)
Description: Demo Corp utilized “cpasswords” in Group Policy Preference (GPP) which any
domain user can query from a domain controller’s SYSVOL folder. Microsoft
published the key to decrypt these passwords.
Risk: Likelihood: High – Any authenticated user can obtain this information and decrypt
the password with open source tools.
Impact: High – An adversary can use these credentials to move laterally within the
network.
Tools Used: Metasploit
Evidence
Figure 15: Dumped GPP credentials
Remediation
Apply vendor patching. Do not use GPP cpasswords. Additionally, enabling authentication on the NFS
share will protect the confidentiality of the stored information. Exporting authentication logs to a SIEM
solution will give incident response teams insights to brute force login attempts.
Demo Corp
CONFIDENTIAL
Finding IPT-016: Insufficient Authentication - VNC (High)
Description: Demo Corp deployed 3 servers that permitted unauthenticated access via VNC
Server.
Risk: Likelihood: High – Discovering unauthenticated VNC servers is trivial and can
be done with open-source tools.
Impact: High – Attackers can control industrial devices, destroy data, or shut down
systems.
System: 10.x.x.x, 10.x.x.x, 10.x.x.x
Tools Used: Nessus, VNC Viewer
Evidence
[image redacted]
Figure 16: Access to system via VNC
Remediation
Enable authentication on the VNC Server.
Demo Corp
CONFIDENTIAL
Finding IPT-017: Default Credentials on Web Services (High)
Description: TCMS validated default credentials worked on multiple web applications within the
Demo Corp environment.
Risk: Likelihood: High – Credentials are published for these devices and an attackers first
authentication attempt.
Impact: High – Attackers can control devices, destroy data, or shut down systems.
System: Default credentials were tested on a sample set of web applications, but suggests
checking the following addresses at a minimum:
[file removed]
Evidence
Figure 17: Dell iDRAC access via default credentials
Remediation
Change default credentials or disable unused accounts.
Demo Corp
CONFIDENTIAL
Finding IPT-018: Insufficient Hardening – Listable Directories (High)
Description: Demo Corp disclosed information by allowing listable directories and storing
potentially critical items on web server. It is strongly recommended that Demo
Corp perform a thorough web app assessment on this resource.
Risk: Likelihood: Moderate – Adversaries will discovery content with open source
tools.
Impact: High – Attackers use this information in conjunction with other attacks for
enumeration and cataloging for rapid attacks when vulnerabilities arise.
System: Full list of discovered listable directories:
[file removed]
References: NIST SP800-53r4 CM-7 - Least Functionality
NIST SP800-53r4 AC-6(3) - Least Privilege
Evidence
Figure 18: Listable directory
Remediation
Restrict access and conduct web app assessment.
Demo Corp
CONFIDENTIAL
Finding IPT-019: Unauthenticated SMB Share Access (Moderate)
Description: Demo Corp exposed multiple servers with unauthenticated file server access.
Risk: Likelihood: Moderate – Adversaries will discover these shares with low-noise,
basic reconnaissance techniques.
Impact: Moderate – Attackers learn about the environment through information

leaks.
System: 10.x.x.x
Tools Used: Nessus, smbclient

References: NIST SP800-53r4 AC-6(3) - Least Privilege
NIST SP800-53 r4 SC-4 - Information in Shared Resources
Evidence
Figure 19: Unauthenticated Share access
Remediation
Disable SMB share or require authentication. Enabling authentication on the share will protect the
confidentiality of the stored information. Exporting authentication logs to a SIEM solution will give
incident response teams insights to brute force login attempts.
Demo Corp
CONFIDENTIAL
Finding IPT-020: Insufficient Patch Management – SMBv1 (Moderate)
Description: Demo Corp failed to patch SMBv1. This version is vulnerable to multiple denial of
service and remote code execution attacks. TCM Security confirmed that the
service.
Risk: Likelihood: Moderate – Basic scans would identify the SMB version but would
require an adversary to be on the internal network and identify an exploit.
Impact: Moderate – If exploited, an attacker gains denial of service and code

execution capability.
System: 10.x.x.x

References: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using- smb1/
NIST SP800-53 r4 SI-2 - Flaw Remediation
Evidence
Figure 20: Unauthenticated Share access
Remediation
Upgrade to SMBv3 and apply latest patching.
Demo Corp
CONFIDENTIAL
Finding IPT-021: IPMI Hash Disclosure (Moderate)
Description: Demo Corp deployed remote host supporting IPMI v2.0. The (IPMI) protocol is
affected by an information disclosure vulnerability due to the support of RMCP+
Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker
can obtain password hash information for valid user accounts via the HMAC
from a RAKP message 2 response from a BMC.
Risk: Likelihood: High – Basic network scans will identify this vulnerability.
Impact: Moderate – If exploited, an attacker can gain access to sensitive

management devices. TCMS was unable to crack any hashes during the
assessment.
[file removed]
Tools Used: Metasploit
References: https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/
Evidence
Figure 21: IPMI Hash Disclosure
Remediation
There is no patch for this vulnerability; it is an inherent problem with the specification for IPMI v2.0.
Suggested mitigations include:
 Disabling IPMI over LAN if it is not needed.

 Using strong passwords to limit the successfulness of off-line dictionary attacks.
 Using Access Control Lists (ACLs) or isolated networks to limit access to your IPMI
management interfaces.
Demo Corp
CONFIDENTIAL
Finding IPT-022: Insufficient SNMP Community String Complexity (Moderate)
Description: Demo Corp deployed SNMP with default “public” community strings. This
configuration exposed read-only access to the system’s management information
base (MIB), including the network configurations.
Risk: Likelihood: High – Basic network scans will identify this vulnerability.
Impact: Moderate – If exploited, an attacker can profile the device and focus
attacks.
[file removed]
Tools Used: Nessus, SNMP-Check, Ettercap
References: NIST SP800-53 r4 AC-17(2) - Remote Access Protection of
Confidentiality/Integrity using Encryption
Evidence
Figure 22: Information disclosure via public SNMP community strings
Figure 23: Non-public SNMP string captured via Ettercap
Remediation
TCM Security recommends Demo Corp consider the following corrective actions:
 Disabled SNMP if not required
 Filter UDP packets going to port UDP – 161
 Evaluate migration to SNMPv3
 Use password complexity guidelines for community strings
Demo Corp
CONFIDENTIAL
Finding IPT-023: Insufficient Data in Transit Encryption - Telnet (Moderate)
Description: Demo Corp permitted Telnet which does not encrypt data in transit. Telnet uses
plain text authentication and passes all data (including passwords) in clear text and
can be intercepted by an attacker.
Risk: Likelihood: Low – An adversary requires a Man-in-the-Middle position between
the client and server.
Impact: High – If exploited an adversary may intercept administrative

credentials that can be used in other attacks.
[file removed]
Tools Used: Telnet
References: NIST SP800-53 r4 AC-17(2) - Remote Access |Protection of Confidentiality /
Integrity Using Encryption
Evidence
Figure 24: Telnet login prompt
Remediation
Migrate to TLS protected protocols.
Demo Corp
CONFIDENTIAL
Finding IPT-024: Insufficient Terminal Services Configuration (Moderate)
Description: The remote Terminal Services is not configured to use Network Level
Authentication (NLA) only. NLA uses the Credential Security Support Provider
(CredSSP) protocol to perform strong server authentication either through TLS/SSL
or Kerberos mechanisms, which protect against man-in-the-middle attacks. In
addition to improving authentication, NLA also helps protect the
remote computer from malicious users and software by completing user
authentication before a full RDP connection is established.
Risk: Likelihood: Low – An attacker can discover these vulnerabilities with basic tools.
Impact: High – If exploited, an adversary gains code execution, leading to lateral

movement across the network.
[file removed]
Tools Used: Nessus
References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-
2008-R2-and-2008/cc732713(v=ws.11)
Remediation
Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the
'Remote' tab of the 'System' settings on Windows.
Demo Corp
CONFIDENTIAL
Finding IPT-025: Steps to Domain Admin (Informational)
The steps below describe how the penetration tester obtained domain administrator access. Each step
also provides remediation recommendations to help mitigate risk.
Step Action Remediation

1 Poisoned LLMNR responses to obtain NetNTLMv2 Disable multicast name resolution
hash of regular network user via GPO.
2 Cracked NTLM hash offline of domain administrator Increase password complexity.
users ‘production’ and ‘[name removed]’ Utilize multi-
factor. Implement a Privileged
Account Management solution.
Utilize a password filter.
3 Leveraged password of ‘production’ account to gain Limit local administrator privileges
access to several machines within the network and enforce least privilege.
4 Dumped hashes on accessed machines to find Disable WDigest via GPO.
cleartext password of ‘Bartender’ account via
wdigest
5 Overly-permissive ‘Bartender’ account permitted Limit local administrator privileges
access to a large amount of machines within the and enforce least privilege.
network
6 Dumped hashes on accessed machines to find cleartext Disable WDigest via GPO.
password of Domain Administrator account
7 Utilized discovered credentials to log into the
domain controller.
Remediation
Review action and remediation steps.
Additional Scans and Reports

TCMS provides all clients with all report information gathered during testing. This includes Nessus
files and full vulnerability scans in detailed formats. These reports contain raw vulnerability scans and
additional vulnerabilities not exploited by TCM Security.
The reports identify hygiene issues needing attention but are less likely to lead to a breach, i.e.
defense-in-depth opportunities. For more information, please see the documents in your shared
drive folder labeled “Additional Scans and Reports”.
Demo Corp
CONFIDENTIAL
Last Page
Demo Corp
CONFIDENTIAL

TCMS - Demo Corp - Findings Report - Example 2

Uploaded by

Copyright:

Available Formats

TCMS - Demo Corp - Findings Report - Example 2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TCMS - Demo Corp - Findings Report - Example 2

Uploaded by

Copyright:

Available Formats

DEMO CORP

Security Assessment Findings Report

Date: March 9th, 2021

Finding IPT-015: Security Misconfiguration – GPP Credentials (High).........................................................27

Exploitation is more difficult but could cause elevated privileges and

Vulnerabilities are non-exploitable but would reduce an organization’s

No vulnerability exists. Additional information is provided regarding

Internal Penetration Test 10.x.x.x/8

 Internal access to network via dropbox and port allowances

Tester Notes and Recommendations

Key Strengths and Weaknesses

1. Observed some scanning of common enumeration tools (Nessus)

1. Password policy found to be insufficient

Critical High Moderate Low Informational

Finding Severity Recommendation

Impact: Very High – LLMNR poisoning permits attackers to capture password

Figure 1: Captured hash of “production”

Figure 2: Cracked hash of “production”

Pass-the-hash attacks do not require knowing the account password to successfully

Impact: Very High – Pass-the-hash permits an attacker to move laterally and

Figure 3: Local admin hash used to gain access to machine

Figure 4: Cleartext passwords of Domain Administrators

Impact: Very High - If exploited, an attacker gains domain administrator access.

Figure 5: Impersonation of “sup”

Figure 6: Shell access as Domain Admin “sup”

Figure 7: Excerpt of cracked domain hashes

Figure 8: Successfully relayed LDAP credentials via mitm6

Impact: High – If exploited, an adversary gains code execution, leading to lateral

Figure 9: Successful SMB relay

 Apache version < 2.4.46

 Windows Server 2003 (end of life on July 14, 2015)

End of life systems are susceptible to a multitude of vulnerabilities. TCMS did

Figure 10: Unpatched MS08-067

Figure 11: Unpatched MS12-020

Tools Used: Nessus, Metasploit, AutoBlue

Figure 12: Unpatched MS17-010

Figure 13: Unpatched CVE-2019-0708

No service accounts were observed running as domain administrators. User

Impact: High – Using SPNs, it is possible to retrieve sensitive account password

Figure 14: Cracked service accounts

Figure 15: Dumped GPP credentials

Figure 17: Dell iDRAC access via default credentials

Figure 18: Listable directory

Impact: Moderate – Attackers learn about the environment through information

Tools Used: Nessus, smbclient

Figure 19: Unauthenticated Share access

Impact: Moderate – If exploited, an attacker gains denial of service and code

Tools Used: Nessus, Nmap

Figure 20: Unauthenticated Share access

Impact: Moderate – If exploited, an attacker can gain access to sensitive

Figure 21: IPMI Hash Disclosure

 Disabling IPMI over LAN if it is not needed.

Figure 22: Information disclosure via public SNMP community strings

Figure 23: Non-public SNMP string captured via Ettercap

Impact: High – If exploited an adversary may intercept administrative

Figure 24: Telnet login prompt

Impact: High – If exploited, an adversary gains code execution, leading to lateral

Step Action Remediation

Additional Scans and Reports

You might also like