Must Know Pentest Findings June 2024

Team Evolve Security

The Offensive Security team at Evolve Security wants to share some of the key pentest tactics behind successful findings and improved risk postures. Let's dive into the findings, and the fixes that could reduce your attack surface.

NetBIOS Name Service (NBNS) Spoofing

NetBIOS Name Service (NBNS) is a protocol used within internal networks when a DNS server isn't available. It broadcasts queries across the network, and any system can answer with the requested IP address. Attackers can exploit this by responding with their own system's IP address.

Fixes: To prevent NBNS usage or mitigate its impact, try these strategies:

  • Configure the UseDnsOnlyForNameResolutions registry key to prevent systems from using NBNS queries (NetBIOS over TCP/IP Configuration Parameters).
  • Disable the NetBIOS service for all Windows hosts in the internal network via DHCP options, network adapter settings, or a registry key.

PHP Vulnerability Exposes RCE

A critical security flaw affecting PHP has surfaced, allowing remote code execution under specific conditions. Tracked as CVE-2024-4577, this CGI argument injection vulnerability impacts all PHP versions on Windows. It bypasses protections for CVE-2012-1823, enabling arbitrary code execution on remote PHP servers.

Fixes: Administrators should abandon the outdated PHP CGI deployment model and switch to more secure alternatives such as mod_php, FastCGI, or PHP-FPM. Ensure the PHP updates called out in the recent security advisories have been applied.

Microsoft Windows RCE (EternalBlue)

Systems vulnerable to MS17-010 (EternalBlue) were identified during our tests. This Windows vulnerability is highly exploitable, allowing attackers full control over affected systems.

Fixes: Apply security updates to mitigate this vulnerability. Additionally, review and strengthen your patch management strategy to prevent similar issues.

Link-local Multicast Name Resolution (LLMNR) Spoofing

Link-Local Multicast Name Resolution (LLMNR) is another protocol used when a DNS server is unavailable, broadcasting queries network-wide and allowing any system to reply. Attackers exploit this by replying with their own system's IP address.

Fixes: The best method to prevent exploitation involves configuring the Multicast Name Resolution registry key to stop systems from using LLMNR queries.

  • Using Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution = Enabled
  • Using the Registry for Windows Vista/7/10 Home Edition only: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
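The following PowerShell script is an added example, not code from the Evolve Security post: it audits and then applies both the LLMNR fix above and the NetBIOS fix from the NBNS section on a single Windows host. It assumes the standard policy location for EnableMulticast and the per-interface NetbiosOptions value under NetBT\Parameters\Interfaces (2 = NetBIOS over TCP/IP disabled); run it from an elevated shell, with -Audit to report without changing anything.

```powershell
# Added example, not from the original post: audit and apply the LLMNR and
# NetBIOS over TCP/IP fixes on one Windows host. Run from an elevated shell.
# Assumed locations (standard Windows, not taken from the post):
#   LLMNR policy : HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, EnableMulticast = 0
#   NetBIOS      : NetBT\Parameters\Interfaces\Tcpip_{GUID}, NetbiosOptions = 2 (disabled)
param([switch]$Audit)   # -Audit: report current state only, change nothing

$LlmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    $p = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $p)             { return 'ENABLED (no policy value set)' }
    if ($p.EnableMulticast -eq 0) { return 'disabled' }
    return 'ENABLED'
}

function Disable-Llmnr {
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
}

function Get-NetbiosState {
    # NetbiosOptions: 0 = follow DHCP/default, 1 = enabled, 2 = disabled. A missing
    # value behaves like 0, which on most networks leaves NBNS active.
    Get-ChildItem -Path $NbtIfaces | ForEach-Object {
        $opt   = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $state = switch ($opt) { 2 { 'disabled' } 1 { 'ENABLED' } default { 'ENABLED (default/DHCP)' } }
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; State = $state }
    }
}

function Disable-Netbios {
    # Same effect as "Disable NetBIOS over TCP/IP" in each adapter's WINS settings,
    # applied to every interface so disconnected or future adapters are covered too.
    Get-ChildItem -Path $NbtIfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

Write-Host "LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize
if ($Audit) { return }

Disable-Llmnr
Disable-Netbios
Write-Host "After hardening - LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize
```

The Group Policy setting above is the preferred way to roll this out domain-wide; the script is useful for spot-checking individual hosts and for machines outside GPO scope.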

Improving Speed to Pentest Findings  

Despite the varied nature of these findings, many stem from common issues such as configuration weaknesses and patching deficiencies. Increasing the frequency of penetration testing is the clearest path to identifying vulnerabilities daily and reducing your attack surface. In our recent webinar we highlighted making the jump from compliance-based pentesting to continuous pentesting in 2024.

Ready to find more vulnerabilities than your last pentest?

Unlock your organization's full security potential and uncover even more vulnerabilities than before by choosing our advanced penetration testing services.