
Top 5 Simple Ways I Became Domain Administrator on your Internal Network and How to Prevent them from Happening (Part 5 of 5)

by Chris Salerno | May 24, 2011

5. You’re still using Telnet, FTP, HTTP, [insert clear text protocol here]

Clear text protocols are all but eliminated on Internet-facing systems, but a substantial number of them still remain on internal networks. With prevalent password reuse and single sign-on environments deployed on corporate networks, gaining access to one set of credentials could give an attacker access to multiple systems and applications.

How the attack works:

  1. Set up ARP cache poisoning to man-in-the-middle network traffic, or compromise the legitimate security monitoring systems to access their SPAN ports. Wait for clear text passwords to fly over the wire on the local area network.
  2. When one or more sets of credentials are identified, connect to the servers and identify sensitive information. Attempt to use those credentials to further propagate access throughout the network.

Sample of open source tools used:

Cain & Abel, Wireshark

How to mitigate it:

Begin identifying and eliminating clear text protocols on the internal network in favor of encrypted protocols. Examples include:

  1. Telnet > SSHv3
  2. HTTP > HTTPS (SSL)
  3. FTP > SFTP/SCP
  4. IMAP/POP3 > IMAPS/POP3S

Configure IDS/IPS solutions to monitor the network for network cards listening in “promiscuous mode”, which is required for this type of attack. Also monitor for and prevent ARP cache poisoning attacks at your switches or with a tool like XArp.
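The ARP cache poisoning step in the attack walkthrough above leaves a footprint that the monitoring recommended here can catch: the gateway's IP suddenly answers from a new MAC, and one MAC starts answering for several IPs. The following detector is an added example, not code from this post or from Security Risk Advisors; it runs over a constructed list of ARP replies, and the names `detect_arp_poisoning`, `protected_ips` and the sample addresses are assumptions for illustration.

```python
"""Flag ARP cache poisoning signatures in a stream of observed ARP replies."""
from collections import defaultdict

# Constructed sample ARP replies as (timestamp, sender IP, sender MAC), the way
# a sniffer or switch log might report them. 10.0.0.1 is the default gateway.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1.5, "10.0.0.25", "aa:bb:cc:00:00:25"),
    (2.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (2.2, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    (2.3, "10.0.0.25", "de:ad:be:ef:00:99"),  # same MAC also claims the client
    (2.8, "10.0.0.1", "de:ad:be:ef:00:99"),
]


def detect_arp_poisoning(replies, protected_ips=()):
    """Return (timestamp, severity, message) alerts for two poisoning signatures:
    an IP whose MAC binding changes (high severity for gateways/servers listed
    in protected_ips) and one MAC answering for more than one IP, which is what
    a man-in-the-middle impersonating both sides of a conversation looks like.
    """
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "high" if ip in protected_ips else "medium"
            alerts.append((ts, severity, f"MAC for {ip} changed {prev} -> {mac}"))
        ip_to_mac[ip] = mac
        # Alert only when this MAC gains a *new* IP, so a steady poisoner does
        # not re-trigger on every gratuitous reply it sends.
        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if newly_claimed and len(mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((ts, "high", f"{mac} answers for multiple IPs: {claimed}"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect_arp_poisoning(
        SAMPLE_ARP_REPLIES, protected_ips={"10.0.0.1"}
    ):
        print(f"t={ts:<4} [{severity}] {message}")
```

In production the reply stream would come from a SPAN port or the switch's own ARP inspection logs, and the gateway list from your network inventory rather than a literal.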


Chris leads SRA’s 24x7 CyberSOC services.  His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.

Prior to shifting his focus to defense and secops, he led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at BlackHat Arsenal, RSA, B-Sides and SecureWorld.

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.