Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 3 of 5)

by | May 16, 2011

How to Become a Domain Administator on an Internal Network
3. Your remote access technology uses a blank or easily guessable password

You may be noticing a pattern by now; blank or weak passwords that lead directly to system administration.  Remote administration technologies make life easier for administrators, but usually we don’t find just one, well-secured solution.  Instead, we find multiple, sometimes insecure solutions including Remote Desktop, PCAnywhere, Dameware, X11, and VNC.

How the attack works:

  1. Find the remote administration protocols on the network by port scanning the network for specific ports that host these services.
  2. Once a list of remote administration services are identified, use tools to test for blank or weak passwords.
  3. When one or more are identified, connect to the server and either passively observe the user to identify sensitive information or take administrative control and extract password hashes to further propagate access throughout the network.

Sample of open source tools used:

Nmap, PuTTy (for telnet, SSH), TightVNC

How to mitigate it:

  1. Use a port scanner or your existing vulnerability scan process to proactively scan for unapproved remote access technologies on your network.  Once identified, notify the business owner and work with them to use the corporate standard remote access technology with a strong password.
  2. Use your software inventory system (SMS, BigFix) to identify rouge remote access technologies installed on workstations and servers.
Chris Salerno
Managing Director | Archive

Chris leads SRA’s 24x7 CyberSOC services. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.

Prior to shifting his focus to defense and secops, he led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at BlackHat Arsenal, RSA, B-Sides and SecureWorld.

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.