Vulnerability Management
Nmap/Zenmap Analysis

There are 6 active hosts with private class A IPv4 addresses in the 10.168.24.0/24 subnet of the private network. Four hosts have fewer than 3 ports open (green), while 2 hosts have more than 6 ports open (red). The two red hosts have filtered ports, meaning the status of those ports is unknown because the probe packets were filtered (for example, by a firewall).

The hosts at 10.168.27.10 and 10.168.27.15 both run Windows Server (2012/R2 and 2008 respectively) and have open RPC ports.
These conditions fall within the scope of CVE-2020-1113 in the Common Vulnerabilities and Exposures (CVE) list. The Task Scheduler on each host can fail to authenticate client connections correctly when pinning certificates. Opportunities for attackers to use this vulnerability include when certificates are revoked or when new hosts are added. Using the network within an enterprise mobility management (EMM) system could expose it to multiple Bring Your Own Device (BYOD) or Company Owned Business Only/Personal Enabled (COBO/COPE) devices, providing a larger attack surface for a man-in-the-middle (MITM) attack that exploits this vulnerability. Successful exploitation allows the attacker to run arbitrary code as an administrator, install programs, view or affect data, and create new user accounts with full privileges. Another related attack vector would be CVE-2017-11780 on the SMBv1/2 ports of the Windows Server hosts. Nmap output revealed SMBv1 enabled with message signing disabled on both Windows hosts.
This makes the hosts susceptible to a MITM attack that attempts to exploit CVE-2020-1113 or any other SMBv1-related vulnerability. Host 10.168.27.15 has numerous open ports that should be closed or filtered if the services are not needed. Ports 7, 9, 13, 17, and 19 run services that are seldom used or intended for testing purposes only, and they are open to numerous exploits such as denial-of-service (DoS) attacks with the Metasploit Chargen Probe Utility.
Port 21 serves FTP, which uses cleartext transmissions only. Attackers can easily intercept anything sent without encryption, such as passwords. The same concept applies to port 80, as HTTP is cleartext only and open to similar vulnerabilities.
Wireshark Analysis

Pcap1.pcapng has a TCP stream showing a FileZilla login attempt from 10.168.27.10 to 49.12.121.47.


The communications are cleartext, so the user and password are clearly labeled as “FileZilla” and “PASS 3.55.1”. Pcap3.pcapng has a similar HTTP stream showing multiple cleartext login attempts from 10.16.80.243 to 10.168.27.10 with the username admin@example.com and various passwords generated by the Wfuzz fuzzer.

Two attempts with passwords “@” and “200” are shown, with many others in subsequent attempts.
FTP was not designed to be encrypted, so confidential information can easily be observed by a potential threat actor sniffing the network for username and password combinations, as demonstrated in Wireshark. Websites with inadequate input validation are vulnerable to brute-force or dictionary password attacks. Without any input controls, attackers are free to attempt these exploits until direct intervention is taken.
Ensure both Windows servers are properly patched against CVE-2020-1113 while accounting for compatibility issues. Filtering RPC ports with IPsec would hinder the footprinting efforts of attackers looking to exploit CVE-2020-1113. IPsec policies will also encrypt network traffic to and from the network. Disable SMBv1 on the Windows Server hosts if legacy compatibility is not an issue. Port 139 for NetBIOS SSN should be closed if it is only used for SMBv1 traffic. Otherwise, message_signing should be enabled and required for both SMBv1 and SMBv2 to mitigate this attack vector. For the host at 10.168.27.15, unless ports 7, 9, 13, 17, and 19 are needed for the network, these ports should be closed as part of good device hardening practice. Port 21 should be closed and secure alternatives such as FTPS, SFTP, or FTP over SSH should be used on their respective ports, depending on the needs of the network. Port 443 for HTTPS should be opened to provide a secure alternative to HTTP on port 80. Websites that require login credentials should have more robust input validation, such as CAPTCHA or multi-factor authentication (MFA), to mitigate password exploit attempts.
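
The hardening checks above can be re-run after remediation against a scan saved as Nmap XML (-oX). The following is an added example, not part of the original report: the sample XML is constructed, the function and variable names are this example's own, and it assumes the SMB result comes from Nmap's smb-security-mode script.

```python
import xml.etree.ElementTree as ET

# Policy taken from the report's findings; the service names are the standard ones for these ports.
LEGACY = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}
CLEARTEXT = {21: "FTP", 80: "HTTP"}

# Constructed sample in Nmap's XML layout; not the output of the report's scan.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.168.27.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="3389"><state state="filtered"/></port>
 </ports>
 <hostscript><script id="smb-security-mode"
   output="message_signing: disabled (dangerous, but default)"/></hostscript>
</host>
<host><address addr="10.168.27.15" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="19"><state state="open"/></port>
  <port protocol="tcp" portid="21"><state state="open"/></port>
  <port protocol="tcp" portid="80"><state state="open"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/></port>
 </ports>
</host>
</nmaprun>"""

def audit(xml_text):
    """Return {ip: [finding, ...]} for every host in an Nmap XML report."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        # Only ports Nmap reports as "open" count; filtered and closed are ignored.
        open_ports = {int(p.get("portid")) for p in host.iter("port")
                      if p.find("state").get("state") == "open"}
        findings = []
        for p in sorted(open_ports):
            if p in LEGACY:
                findings.append(f"close legacy {LEGACY[p]} service on port {p}")
            elif p in CLEARTEXT:
                findings.append(f"{CLEARTEXT[p]} on port {p} is cleartext")
        if 80 in open_ports and 443 not in open_ports:
            findings.append("HTTP offered without HTTPS on 443")
        for s in host.iter("script"):
            if s.get("id") == "smb-security-mode" and \
               "message_signing: disabled" in s.get("output", ""):
                findings.append("SMB message signing disabled")
        report[ip] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_XML))
```

An empty findings list for a host means none of the conditions flagged in this report are still visible in the scan; it does not confirm that the CVE patches are installed.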