8 Vulnerabilities That Keep Showing Up in Our Pentests


Source: NSB Cyber


Sometimes, the biggest threats to our networks don’t require discovering zero-days or months of deep-dive security research. In our penetration testing engagements, we regularly come across common misconfigurations and vulnerabilities that let us demonstrate critical impact on systems during internal network penetration tests (pentests).

In this article, we outline eight common vulnerabilities and misconfigurations that an attacker could exploit once inside your network. We’ve also included a helpful checklist with the technical details and recommendations for each area.

1. Open Network Shares

Network shares (i.e. file storage accessible on the network) are a common way for organisations to allow files to be stored and shared within their networks. From HR folders, finance data, IT configurations, and even user-specific data, network shares provide a centralised way for teams to create and share files.

However, sometimes network shares are too permissive, especially when they are accessible without authentication (e.g. not needing an appropriate username and password) or have inappropriate authorisation (e.g. a normal user being able to access sensitive HR or IT data they shouldn’t).

This matters because with poorly configured network shares, a threat actor could potentially gain access to files such as:

  • HR files such as resumes, payslips and employee records;

  • Accounting information such as MYOB files;

  • Strategic presentations, financial spreadsheets, or budgets;

  • A shared password spreadsheet, API keys stored in user profiles, or passwords stored in plaintext; and

  • IT configurations that contain information about the network, and sometimes even passwords to backup or database systems.

Accessing and then exfiltrating sensitive data may already be enough to critically impact an organisation. But going a step further and getting access to account credentials may help a threat actor go from a standard user to an administrative user!

2. Installation/Deployment Scripts with Hardcoded Credentials

Many organisations rely on scripts to automate repetitive tasks (condolences to those who don’t!). IT teams often deploy scripts that standardise or perform repeated actions on laptops, servers, and cloud environments.

Unfortunately, teams sometimes get lazy or fail to understand the risks of hardcoding sensitive credentials, and those credentials end up exposed. Some of the ways we have picked up these credentials include reading through logs, and looking for IT scripts and backups that were left behind on shares and servers!

In our pentests, examples of sensitive credentials we often find include API keys, database passwords, service accounts, domain accounts, and local admin access.

This matters because hardcoded credentials often provide a threat actor more impactful access into an environment – potentially escalating from a “Joe in Accounting’s account” to “IT administrator with excessive privileges”, causing serious damage!
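The two sections above (open network shares, and deployment scripts with hardcoded credentials) come together in practice: a pentester mounts the share and greps it. The following is an added example, not NSB Cyber's tooling, of a small secret scanner that walks a directory tree (point it at a mounted share or a script repository) and reports credential patterns common in Windows deployment scripts, shell scripts and config files. The three sample files it scans are constructed for illustration; the AWS key in them is Amazon's documented example key, and the rule set is a starting point rather than a complete ruleset.

```python
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Detection rules: (name, regex). Group 1, where present, captures the secret so it can be masked.
RULES = [
    ("net_use_password", re.compile(r"\bnet\s+use\s+\S+\s+(\S+)\s+/user:", re.I)),
    ("powershell_password_param", re.compile(r"-(?:Password|Pwd)\s+['\"]?([^'\"\s]+)", re.I)),
    ("securestring_from_literal", re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]", re.I)),
    ("password_assignment", re.compile(r"(?:password|passwd|pwd)\s*=\s*['\"]?([^'\";\s]+)", re.I)),
    ("aws_secret_assignment", re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?([^'\"\s]+)")),
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("basic_auth_in_url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@", re.I)),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
]

# Captured values that are variable references or run-time prompts, not literal secrets.
PLACEHOLDER = re.compile(
    r"^(\$\w+|\$\{[^}]*\}|%\w+%|<[^>]*>|\*{3,}|changeme|read-host|get-credential)$", re.I
)

SCAN_SUFFIXES = {".ps1", ".bat", ".cmd", ".sh", ".py", ".config", ".xml", ".ini", ".yml", ".yaml", ".json", ".txt"}


@dataclass(frozen=True)
class Finding:
    source: str   # file path relative to the scan root
    line: int
    rule: str
    masked: str   # never store or print the full secret in a report


def mask(secret: str) -> str:
    """Keep two leading characters so the owner can recognise the value."""
    return "*" * len(secret) if len(secret) <= 4 else secret[:2] + "*" * (len(secret) - 2)


def scan_text(source: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.group(1) if m.lastindex else None
                if secret is not None and PLACEHOLDER.match(secret):
                    continue  # $var, ${VAR}, %VAR%, Read-Host: referenced, not hardcoded
                findings.append(Finding(source, line_no, rule, mask(secret) if secret else "<key material>"))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


# Constructed sample files (hypothetical hosts, accounts and secrets).
SAMPLE_FILES = {
    "deploy.ps1": r"""# Constructed sample: map the deployment share and join the domain
net use \\fs01\deploy P@ssw0rd! /user:CORP\svc_deploy
$sec = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('CORP\svc_join', $sec)
Add-Computer -DomainName corp.local -Credential $cred
$password = Read-Host -AsSecureString   # prompted at run time, not a finding
""",
    "app.config": r"""<configuration>
  <connectionStrings>
    <add name="Payroll" connectionString="Server=sql01;Database=payroll;User Id=sa;Password=Sup3rS3cret;" />
  </connectionStrings>
</configuration>
""",
    "backup.sh": r"""#!/bin/sh
# Constructed sample: nightly backup to S3 and repo sync
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY="${BACKUP_SECRET}"
git clone https://deploy:hunter2@git.corp.local/infra/backup.git /tmp/backup
""",
}


def demo() -> list[Finding]:
    """Write the constructed samples to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.source}:{f.line}  {f.rule}  {f.masked}")
```

Run it against a mounted share with `scan_tree(Path("/mnt/deploy"))`. The placeholder filter is what keeps the noise down: `-Credential $cred`, `${BACKUP_SECRET}` and `Read-Host` are the right way to handle secrets and are deliberately not reported, while the `net use` line, the plaintext `ConvertTo-SecureString`, the connection string and the embedded Git password are.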

3. Outdated and Unpatched Operating Systems and Application Servers

We all know that patching and upgrading systems is one of the most important things to do from a security perspective. Yet time and time again we see organisations running systems and applications that are outdated.

Outdated systems (e.g. those at their End of Support stage) may save costs, but no longer receive security patches, making them vulnerable to known exploits and an easy target.

We also know that patching outdated operating systems isn’t always easy. Third-party software and hardware sometimes follow a different patching cycle (especially in healthcare and OT networks), resulting in systems being vulnerable to multiple exploits. Examples we often see include:

  • Windows Server 2008 and 2012 deployments with no extended security updates, still missing MS17-010 and therefore exploitable with EternalBlue;

  • Unpatched Apache Tomcat and Jenkins servers vulnerable to critical remote code execution;

  • Outdated WordPress core and plugins resulting in remote code execution.

Unfortunately, threat actors won’t care about your difficulties, they’ll exploit any opportunity available.

This matters because without fully patched and supported operating systems and applications, your systems are exposed to more and more vulnerabilities the longer they go unpatched. The impact relates directly to the severity of the vulnerabilities identified.

4. Systems with Default Passwords or Easily Guessable Passwords

What sounds incredibly obvious still manages to catch organisations out in our pentests!

New software and hardware usually ships with default credentials, and unless your vendor is exceptional, these are neither unique nor complex.

A quick Google search reveals them and hands a threat actor easy access. There are even GitHub repositories where people have compiled databases of default credentials by vendor and product!

Additionally, using overly simple passwords for convenience (e.g. “password”, “password123!”) makes it trivial for an attacker to gain access.

This matters because all the security controls in the world won’t help if a threat actor can log in with a default or simple password.

5. Password Reuse

“Why do we need to use unique passwords? Can’t we just use one long, complex one for all our service accounts? It’s hard to manage unique passwords across our infrastructure.”

We’re sure this very thought has crossed the minds of those who have ever been responsible for managing IT infrastructure. While reusing the same password is convenient, the ugly truth is that there are a number of ways for a threat actor to extract or uncover credentials from a compromised system. This issue becomes a real problem when the same credentials can be used to access other key systems (e.g. your domain controllers, backup servers), simply by re-using the same username and password. Surprisingly, this happens quite often.

During our pentests, when we manage to discover and extract sensitive credentials for a particular user or service account, one of our first thoughts is, “What else would these credentials work for?”. People are inherently lazy when it comes to passwords, so we take advantage of this to see what other accounts and systems the same password would work on!

This matters because password reuse allows a threat actor to move easily across your network with low effort. Once they’ve managed to find a single workable username and password, they can often access multiple systems without needing any fancy hacking tools to log in — making it hard to detect for unprepared organisations.
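One way to measure both of the problems above (default or guessable passwords, and password reuse) at once is to look at the hashes rather than the passwords: if two accounts have the same NT hash, they have the same password, and a hash that matches a well-known weak value needs no cracking at all. The following is an added example, not NSB Cyber's tooling, that parses lines in the NTDS output format used by impacket's secretsdump.py (`domain\user:rid:lmhash:nthash:::`) and reports weak passwords, shared passwords, and accounts that still have an LM hash stored. The dump, the hash values other than the two well-known ones, and the privileged-account list are constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict

# LM hash stored when LM hashing is disabled or the password exceeds 14 characters.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# NT hashes (MD4 of the UTF-16LE password) that are well known; extend from cracked lists in practice.
KNOWN_WEAK_NT = {
    "31d6cfe0d16ae931b73c59d7e0c089c0": "<empty>",
    "8846f7eaee8fb117ad06bdd830b7586c": "password",
}

# Constructed dump: every hash except the two above is a made-up placeholder.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
corp.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
corp.local\guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\asmith:1106:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
corp.local\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
corp.local\svc_sql:1108:0102030405060708090a0b0c0d0e0f10:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
corp.local\bjones:1109:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
WS01$:1110:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
[*] Kerberos keys grabbed
corp.local\jdoe:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

# In practice derive this from Domain Admins / Tier 0 group membership; constructed here.
PRIVILEGED = {r"corp.local\Administrator"}


def parse_dump(text: str) -> dict[str, tuple[str, str]]:
    """Return {account: (lm_hash, nt_hash)} from secretsdump-style NTDS lines."""
    creds: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # impacket status lines
            continue
        parts = line.split(":")
        # NTDS rows are user:rid:lm:nt:::; Kerberos key rows have no numeric RID in field 2
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        account, _rid, lm, nt = parts[:4]
        if "_history" in account:                  # password-history rows, not live credentials
            continue
        creds[account] = (lm.lower(), nt.lower())
    return creds


def find_weak(creds: dict[str, tuple[str, str]]) -> list[tuple[str, str]]:
    """Accounts whose NT hash matches a known weak password (no cracking needed)."""
    return [(acct, KNOWN_WEAK_NT[nt]) for acct, (_lm, nt) in creds.items() if nt in KNOWN_WEAK_NT]


def lm_hash_stored(creds: dict[str, tuple[str, str]]) -> list[str]:
    """Accounts with a real LM hash: the password is at most 14 characters and trivially crackable."""
    return [acct for acct, (lm, _nt) in creds.items() if lm != EMPTY_LM]


def find_reuse(creds: dict[str, tuple[str, str]], privileged: set[str]) -> list[dict]:
    """Groups of accounts sharing one NT hash, i.e. one password, most widely shared first."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for acct, (_lm, nt) in creds.items():
        by_hash[nt].append(acct)
    groups = []
    for nt, accounts in by_hash.items():
        if len(accounts) < 2:
            continue
        accounts = sorted(accounts)
        groups.append({"nt": nt, "accounts": accounts, "privileged": [a for a in accounts if a in privileged]})
    groups.sort(key=lambda g: (-len(g["accounts"]), g["nt"]))
    return groups


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    for acct, pw in find_weak(creds):
        print(f"WEAK      {acct}: password is {pw!r}")
    for acct in lm_hash_stored(creds):
        print(f"LM-HASH   {acct}: LM hash stored, password <= 14 chars")
    for g in find_reuse(creds, PRIVILEGED):
        tag = "PRIVILEGED " if g["privileged"] else ""
        print(f"{tag}REUSE  {', '.join(g['accounts'])} share one password")
```

In the constructed dump the reuse report is the interesting line: two service accounts share the built-in Administrator's password, so compromising either service (or the host it runs on) is a domain compromise without any cracking. That is exactly the "what else would these credentials work for?" question, answered from the data in one pass.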

6. Over-permissive Active Directory (AD) groups and access

Active Directory (AD) is a key identity backbone for most organisations’ IT environments. It allows the management of users, groups and devices across an organisation’s IT environment, facilitating access to their key systems and applications.

As an organisation evolves, so does the sprawl of their AD infrastructure. AD users, groups and objects are suddenly not-so-simple to manage or understand especially if an organisation undergoes a merger resulting in multiple IT environments being merged together. Unfortunately, the result of AD sprawl often means that standard AD users and groups are given excessive permissions from a security standpoint.

When we examine an organisation’s AD environment during our pentests, we often see overly generous permissions granted even to well-known AD groups such as ‘Authenticated Users’ and ‘Domain Users’, which every user is a member of. Combined with tooling like BloodHound, a threat actor or pentester can easily see a path to compromising multiple accounts and devices, and potentially the entire organisation’s domain.

This matters because if a threat actor is able to map out the misconfigurations in an organisation’s AD environment (and believe us, they love AD), they could escalate from a standard user to a highly privileged domain administrator account, giving themselves “keys-to-the-kingdom” access.
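What BloodHound does with those permissions is graph search: users, groups and computers are nodes, and rights such as group membership, GenericAll on an object, local admin on a host, or a logged-on session are edges, so the question "can Domain Users reach Domain Admins?" becomes a shortest-path query. The following is an added example, not NSB Cyber's or BloodHound's code, that runs that query over a small constructed graph and then asks the question a defender needs answered: which single edges, if removed, cut every path? The node names, relationships and the misconfiguration (GenericAll on a helpdesk group granted to Domain Users) are constructed for illustration.

```python
from __future__ import annotations

from collections import deque

Edge = tuple[str, str, str]   # (source, relationship, target), BloodHound-style names

DOMAIN_USERS = "DOMAIN USERS@CORP.LOCAL"
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed sample graph. The misconfiguration is the GenericAll edge from Domain Users.
EDGES: list[Edge] = [
    ("JDOE@CORP.LOCAL", "MemberOf", DOMAIN_USERS),
    ("ASMITH@CORP.LOCAL", "MemberOf", DOMAIN_USERS),
    ("ASMITH@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
    (DOMAIN_USERS, "GenericAll", "HELPDESK@CORP.LOCAL"),            # anyone can add themselves to Helpdesk
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "SVC_BACKUP@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "SRV-BACKUP.CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "SRV-BACKUP.CORP.LOCAL"),
    ("SRV-BACKUP.CORP.LOCAL", "HasSession", "ADMIN.JDOE@CORP.LOCAL"),  # a DA is logged on to the backup server
    ("ADMIN.JDOE@CORP.LOCAL", "MemberOf", DOMAIN_ADMINS),
    ("FINANCE@CORP.LOCAL", "AdminTo", "WS-FIN01.CORP.LOCAL"),        # dead end: no route onward
]


def build_adjacency(edges) -> dict[str, list[tuple[str, str]]]:
    adj: dict[str, list[tuple[str, str]]] = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def find_path(edges: list[Edge], start: str, goal: str, excluded=frozenset()) -> list[Edge] | None:
    """Breadth-first search: the fewest hops from start to goal, or None if unreachable."""
    adj = build_adjacency(e for e in edges if e not in excluded)
    parent: dict[str, tuple[str, str] | None] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path: list[Edge] = []
    node = goal
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return list(reversed(path))


def choke_points(edges: list[Edge], start: str, goal: str) -> list[Edge]:
    """Edges on the shortest path whose removal alone leaves no path at all: the fixes that matter."""
    path = find_path(edges, start, goal)
    if path is None:
        return []
    return [e for e in path if find_path(edges, start, goal, excluded={e}) is None]


def describe(path: list[Edge] | None) -> str:
    if not path:
        return "(no path)"
    return path[0][0] + "".join(f" -[{rel}]-> {dst}" for _, rel, dst in path)


if __name__ == "__main__":
    print("Shortest path:", describe(find_path(EDGES, DOMAIN_USERS, DOMAIN_ADMINS)))
    print("Finance only:  ", describe(find_path(EDGES, "FINANCE@CORP.LOCAL", DOMAIN_ADMINS)))
    for src, rel, dst in choke_points(EDGES, DOMAIN_USERS, DOMAIN_ADMINS):
        print(f"Fixing {rel} from {src} to {dst} breaks every path")
```

The choke-point list is the useful output for remediation. Removing the helpdesk group's local admin right on the backup server does not help, because the ForceChangePassword edge offers a second route to the same host; removing the GenericAll grant to Domain Users, or keeping domain admin sessions off member servers, does. A real engagement uses BloodHound's collectors and queries for this, but the logic is the same.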

7. Insecure Active Directory Certificate Services (AD CS) Deployments

We mentioned AD permissions above, but we feel this deserves special mention given how prevalent we’ve seen it on our network penetration tests.

Active Directory Certificate Services (AD CS) allows organisations to manage digital certificates used to secure the communications and identities of systems in their environment. Somewhat ironically, AD CS servers are often misconfigured when it comes to certificate templates and settings.

There is a numbered series of AD CS privilege escalation techniques (ESC1, ESC2 and so on, catalogued in SpecterOps’ Certified Pre-Owned research), but the ones we most commonly see in our pentests are ESC1 (a certificate template that low-privileged users can enrol in, that permits client authentication, and that lets the requester supply their own subject alternative name), ESC6 (the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on the CA, which lets a requester add a subject alternative name to a request for almost any template) and ESC8 (NTLM relay to the CA’s HTTP web enrollment interface).

This matters because similar to the over-permissive AD misconfigurations, a threat actor could potentially leverage AD CS vulnerabilities to escalate their access from a standard user to impersonating a highly privileged domain administrator account.
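The three conditions above are checkable from configuration data alone. The following is an added example, not NSB Cyber's tooling, that encodes the ESC1, ESC6 and ESC8 conditions as functions over template and CA attributes of the kind you would pull from the `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...` container and from the CA's registry settings. The flag bit values and EKU OIDs are Microsoft's; the CA, its endpoints and the four templates (one approximating the built-in User template, three custom) are constructed for illustration. In a real engagement the same conditions are what Certify's `find /vulnerable` and Certipy's `find -vulnerable` evaluate.

```python
from __future__ import annotations

from dataclasses import dataclass

# Flag bits from the AD CS template and CA schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: requester sets subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA certificate manager approval
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000      # CA EditFlags: honour a SAN passed as a request attribute

# EKUs that allow a certificate to authenticate to the domain; an empty EKU list means any purpose.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    enrollment_flag: int          # msPKI-Enrollment-Flag
    name_flag: int                # msPKI-Certificate-Name-Flag
    ra_signatures: int            # msPKI-RA-Signature
    ekus: tuple[str, ...]         # pKIExtendedKeyUsage
    enroll: frozenset[str]        # principals with Enroll/AutoEnroll in the template ACL


@dataclass(frozen=True)
class WebEnrollment:
    url: str
    auth: str                     # "NTLM", "Negotiate" or "Kerberos"
    epa: bool = False             # Extended Protection for Authentication enabled


@dataclass(frozen=True)
class CertificateAuthority:
    name: str
    edit_flags: int
    enroll: frozenset[str]        # principals with Request Certificates on the CA
    web_enrollment: tuple[WebEnrollment, ...] = ()


@dataclass(frozen=True)
class Finding:
    code: str
    subject: str
    reason: str


def low_priv_can_enroll(principals: frozenset[str]) -> bool:
    return bool(principals & LOW_PRIV)


def allows_auth(t: Template) -> bool:
    return not t.ekus or bool(set(t.ekus) & AUTH_EKUS)


def check_esc1(ca: CertificateAuthority, t: Template) -> Finding | None:
    """All six ESC1 preconditions must hold; any one failing makes the template safe from ESC1."""
    if not (low_priv_can_enroll(ca.enroll) and low_priv_can_enroll(t.enroll)):
        return None
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS or t.ra_signatures > 0:
        return None
    if not allows_auth(t) or not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return None
    return Finding("ESC1", t.name, "low-priv enrol, no approval or signatures, auth EKU, enrollee supplies SAN")


def check_esc6(ca: CertificateAuthority, templates: list[Template]) -> Finding | None:
    if not ca.edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        return None
    exposed = [t.name for t in templates
               if low_priv_can_enroll(t.enroll) and allows_auth(t)
               and not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS]
    return Finding("ESC6", ca.name, "EDITF_ATTRIBUTESUBJECTALTNAME2 set; SAN via attributes on: " + ", ".join(exposed))


def check_esc8(ca: CertificateAuthority) -> list[Finding]:
    out = []
    for ep in ca.web_enrollment:
        ntlm = ep.auth.upper() in ("NTLM", "NEGOTIATE")   # Negotiate can fall back to NTLM
        if ep.url.lower().startswith("http://") and ntlm:
            out.append(Finding("ESC8", ep.url, "NTLM accepted over cleartext HTTP: relayable"))
        elif ep.url.lower().startswith("https://") and ntlm and not ep.epa:
            out.append(Finding("ESC8", ep.url, "NTLM over HTTPS without Extended Protection: relayable"))
    return out


def audit(ca: CertificateAuthority, templates: list[Template]) -> list[Finding]:
    findings = [f for f in (check_esc1(ca, t) for t in templates) if f]
    esc6 = check_esc6(ca, templates)
    if esc6:
        findings.append(esc6)
    return findings + check_esc8(ca)


# Constructed sample environment.
CLIENT_AUTH, SERVER_AUTH = "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"
TEMPLATES = [
    Template("User", 0x29, 0xA6000000, 0, (CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"), frozenset({"Domain Users"})),
    Template("VPN-Clients", 0, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, (CLIENT_AUTH,), frozenset({"Domain Users"})),
    Template("WebServer-Internal", 0, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, (SERVER_AUTH,), frozenset({"Domain Computers"})),
    Template("Contractor-Auth", CT_FLAG_PEND_ALL_REQUESTS, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, (CLIENT_AUTH,), frozenset({"Authenticated Users"})),
]
CA = CertificateAuthority("CORP-CA01", EDITF_ATTRIBUTESUBJECTALTNAME2 | 0x1, frozenset({"Authenticated Users"}),
                          (WebEnrollment("http://ca01.corp.local/certsrv/", "NTLM"),))

if __name__ == "__main__":
    for f in audit(CA, TEMPLATES):
        print(f"{f.code}  {f.subject}: {f.reason}")
```

Note how the same template attribute (the enrollee supplying the subject) is harmless on WebServer-Internal, which cannot authenticate, and on Contractor-Auth, where a certificate manager has to approve each request; ESC1 needs every condition at once. The User template is not ESC1, but once the CA-level ESC6 flag is set it becomes abusable anyway, which is why the flag is reported against the CA rather than any template.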

8. Lack of EDR Coverage

Not usually an area we call out specifically (unless it is part of our scope), but we’d like to highlight it nevertheless. We’ve run into a surprising number of “Oh wow, how did we not detect or block that activity?” conversations during our penetration tests. The answer was usually a lack of modern Endpoint Detection and Response (EDR) tooling, or sometimes overconfidence in an outdated antivirus solution.

Deploying a modern EDR is the equivalent of forcing a threat actor (or pentester) to stop playing in the little league and battle in the major league. Suddenly they need to be conscious of every single action on a system they gained access to – one wrong move and it can quickly result in an alert being generated, followed by the curious eyes of a SOC analyst.

This matters because, while we may not always be able to mitigate every vulnerability, modern EDR allows defenders to reduce blind spots, and improve their ability to detect and respond to a potential incident before it becomes a critical incident.

Final Thoughts

If these vulnerabilities and misconfigurations sound familiar, you’re not alone — they are widespread and regularly exploited in real-world incidents. Internal pentests repeatedly show that attackers don’t need zero-days, when poor configurations and weak security hygiene give them a free pass!

Take Action Now: Test your internal security posture with an assumed breach assessment and find out where attackers can go — before they get there. Download our Internal Pentest Vulnerability Checklist for step-by-step insights into eight common vulnerabilities and recommendations.

Ready to be supported by an experienced cybersecurity team? Let’s start the conversation - book a meeting with us today.
