by jabroni_salad 1249 days ago
Kinda wish legacy protocols made an appearance. plaintext ldap, unsigned SMB, SMBv1 still being enabled somehow, DHCPv6 poisoning, llmnr, netbios, kerberoast.

These are the responsible party for like 90% of pentest reports that I have personally seen.

Also while I am soapboxing I just wanna say that nearly all corporate security issues are actually just operations issues, like patch management and config management. Everything I listed above can be solved by a single sysadmin with group policy and 30 minutes to kill, and they won't reoccur.

In the sysadmin sphere there is a tendency to treat security concerns as their own industry. You don't need your kitchen staff to be microbiologists to know that they should wash their hands and you don't need your sysadmin to be a CISSP to know to disable protocols that you aren't using. Just IMO as a consultant who straddles the fence.
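As an added example (not part of any comment in the thread, and not a Microsoft-supplied script), here is what that "30 minutes with group policy" looks like when written out: the local registry and SMB settings that the corresponding Group Policy items set, one block per protocol from the list above. Each comment names the policy it mirrors so the same values can be pushed domain-wide through security policy or Group Policy Preferences. The `-DomainController` switch and the firewall rule name are this example's own choices; everything else is the documented registry location for that setting.

```powershell
#Requires -RunAsAdministrator
# Local equivalents of the Group Policy settings that retire legacy protocols.
# Test on one machine, then ship the same values via GPO. Reboot afterwards so
# the NetBT and Tcpip6 changes take effect.
param(
    [switch]$DomainController   # LDAP *server* signing only matters on DCs
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Verbose "$Path\$Name = $Value"
}

# 1. SMBv1 off, SMB signing required on both the server and client side.
#    GPO: "Microsoft network server: Digitally sign communications (always)" and
#         "Microsoft network client: Digitally sign communications (always)"
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true `
    -EnableSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
# Remove the SMB1 binaries too (client SKU feature name; servers use Uninstall-WindowsFeature FS-SMB1)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null

# 2. LLMNR off.
#    GPO: Computer Configuration > Administrative Templates > Network > DNS Client >
#         "Turn off multicast name resolution" = Enabled
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# 3. NetBIOS over TCP/IP off on every interface. There is no ADMX for this, so
#    it goes out as a Group Policy Preferences registry item.
#    NetbiosOptions: 0 = take from DHCP, 1 = enable, 2 = disable
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-PolicyValue $_.PSPath 'NetbiosOptions' 2 }

# 4. LDAP signing. Client side:
#    GPO: "Network security: LDAP client signing requirements" = Require signing
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity' 2
if ($DomainController) {
    # GPO: "Domain controller: LDAP server signing requirements" = Require signing,
    # plus LDAPS channel binding (2 = Always) so plaintext/relayed LDAP is refused.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-PolicyValue $ntds 'LDAPServerIntegrity' 2
    Set-PolicyValue $ntds 'LdapEnforceChannelBinding' 2
}

# 5. DHCPv6 poisoning (mitm6-style): on a network that hands out no IPv6, drop
#    inbound DHCPv6 so a rogue server can't become the DNS resolver, and prefer
#    IPv4 in prefix policy (DisabledComponents 0x20) rather than disabling IPv6.
#    A Block rule wins over the built-in "Core Networking ... DHCPV6-In" Allow rule.
$ruleName = 'Block inbound DHCPv6 (rogue server)'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 546 -Action Block | Out-Null
}
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents' 0x20

# 6. Kerberoasting is really a service-account password problem (use gMSAs or
#    long random passwords), but refusing RC4 makes any ticket that does leak
#    far slower to crack.
#    GPO: "Network security: Configure encryption types allowed for Kerberos"
#         = AES128 + AES256 (0x8 + 0x10 = 0x18)
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    'SupportedEncryptionTypes' 0x18

Write-Host 'Legacy protocol settings applied. Reboot to pick up the NetBT and Tcpip6 changes.'
```

Note that steps 3, 5 and 6 are the ones that break things when a stray device still depends on them, which is the point the replies below make; run them on a pilot OU first.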

It's not that disabling any of that on Windows is hard.

It is what MIGHT happen after.

That critical ERP/Invoice/Fileshare Server 2003 and the business critical printer from 2001 might still need SMBv1.

NETBIOS is still used in modern stuff, no?

We can't really just disable it willy-nilly.

>Everything I listed above can be solved by a single sysadmin with group policy and 30 minutes to kill, and they won't reoccur.

Yes, every L2 IT helpdesk can push a GPO out. It's what the GPO does that is the issue.

> NETBIOS is still used in modern stuff, no?

Even as a Linux guy I like to have netbios enabled since it gives you automatic DNS entries for all the hostnames on your network. I love being able to `ssh me@my-nas` without having to deal with hosts files and static IPs.

Netbios is off by default in Windows; technically it is auto, but auto only turns it on if it sees a request from another machine on the LAN, or the network's DHCP passes a special field (no Linux dhcpd impl does this by default, or even has that functionality other than a manual custom field; you only see this if Windows Server is fulfilling the AD role and your AD is also your dhcpd, which is rare nowadays).

Windows, since Vista, prefers to use LLMNR/RFC 4795 (as Vista was designed to be an IPv6-first OS; Netbios and SMB for the purposes of legacy interop is purely a IPv4 concept), and as of Windows 10, also supports mDNS/RFC 6763.

LLMNR + WS-Discovery is the Vista and up solution for the entire Zeroconf stack, mDNS + DNS-SD over mDNS is Apple's solution for Zeroconf (and is also implemented via Avahi; Apple's Bonjour is open source and was chosen by Android before being replaced with yet another impl). Netbios + SSDP is the solution (and kinda disjointed, tbh) for pre-Vista.

Edit: My own personal network doesn't use any of these, and I use a local dnsmasq install to be the DNS and the dhcpd, serving static assignments via /etc/ethers + /etc/hosts. All machines support DNS; support for the various discovery mechanisms sucks in random ways across vendors.

DNS/DHCP configuration can add a domain suffix to use... You can use something like myoffice.lan or myoffice.localdomain ... Then when you use ssh me@some-box it will use some-box.myoffice.localdomain and you just have to make sure that resolves in your assigned DNS host/forwarder.
How about mDNS and / or a DHCP-server?
Last I checked, mDNS didn't support Windows (requirement for our household) but it looks like it does now. I'll play with it next time I set up a new machine.
ah but you see, using authentication on a business network is very difficult and we must allow rando anonymous devices to do whatever they want, apparently.
>We can't really just disable it willy-nilly.

Caedite eos. Novit enim Dominus qui sunt eius.

You really need to go out of your way to use smbv1 or unsigned smb, which usually means "in big slow enterprise setting", aka juicy targets ...

Even smbv2 is often only enabled because not-so-old printers don't support anything more recent.

Not even "big slow", just "slow and underserved". My clients are banks with 25-100 employees and under 10 branches. Their IT guy is usually a banker who got stuck with the role because somebody /has/ to be the IT officer.

In recent years they have been switching over from self service checklist audits to full spectrum pentest assessments and finding a lot of bugbears.

SMB signing is only on by default for servers. I've done quite a few pentests where that's been leveraged to dump the SAM hashes of workstations that happen to have the Domain admin stored.
Microsoft azhci will drop data and corrupt file systems if the servers attached have smb signing enforced. Good trap to keep in mind when a pentester says "just turn it on everywhere".
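As an added example that is not part of any comment above, here is the preflight a sysadmin would run before enforcing signing and turning SMB1 off fleet-wide; it answers both the "it is what MIGHT happen after" reply and the two signing points just above (workstations don't require signing by default; some clusters cannot take enforced signing). It turns on Windows' own SMB1 access auditing on each file server and reads back which clients still speak SMB1, so the legacy printer and the 2003 box show up by name before anything is switched off. It assumes WinRM is enabled for `Invoke-Command`, and relies on the documented `Microsoft-Windows-SMBServer/Audit` log and event ID 3000 (Windows 8.1 / Server 2012 R2 and later). The `-KnownExceptions` list and the message regex are this example's own.

```powershell
#Requires -RunAsAdministrator
# Inventory SMB1 and signing state before enforcing anything. Run from a
# management host against your file servers (localhost works without WinRM).
param(
    [string[]]$FileServers    = @('localhost'),
    [string[]]$KnownExceptions = @()   # hosts you have already decided to exempt, e.g. an HCI cluster
)

$probe = {
    # Each SMB1 client that connects from now on writes event 3000 to the audit log.
    # Leave it on for a full business cycle (month-end jobs, backups) before trusting the list.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force

    $smb1Clients = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                       -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event text reads "Client Address: <ip>"; fall back to the raw message if the layout differs
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
        } | Sort-Object -Unique

    # Live sessions with their negotiated dialect; anything below 2.0 is SMB1 right now.
    $sessions = Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

    $server = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature
    $client = Get-SmbClientConfiguration | Select-Object RequireSecuritySignature

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Smb1Enabled = $server.EnableSMB1Protocol
        # Server-side and client-side signing are separate switches; the client one
        # is the "workstation default" gap that relay attacks use.
        ServerRequiresSigning = $server.RequireSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        Smb1Clients = @($smb1Clients)
        Sessions    = @($sessions)
    }
}

$results = if ($FileServers -eq @('localhost')) { & $probe }
           else { Invoke-Command -ComputerName $FileServers -ScriptBlock $probe }

foreach ($r in $results) {
    Write-Host ("== {0}: SMB1 enabled={1}  server signing required={2}  client signing required={3}" -f `
        $r.Host, $r.Smb1Enabled, $r.ServerRequiresSigning, $r.ClientRequiresSigning)

    foreach ($c in $r.Smb1Clients) {
        $tag = if ($KnownExceptions -contains $c) { 'known exception' } else { 'FIX BEFORE DISABLING SMB1' }
        Write-Host "   SMB1 client seen in audit log: $c [$tag]"
    }
    foreach ($s in $r.Sessions | Where-Object { [version]$_.Dialect -lt [version]'2.0' }) {
        Write-Host "   live SMB1 session: $($s.ClientComputerName) as $($s.ClientUserName)"
    }
    if (-not $r.ClientRequiresSigning) {
        Write-Host '   client signing not required: workstations here can still be relayed'
    }
}
```

The output is the list you take to the application owners; only once it is empty (or every entry is on the exception list) does the enforcement GPO go out.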
I worked previously with a security solution from $bigcorp, it ran on linux. If you wanted to do a backup to a Windows server, your only option, for a very long time, was to use SMBv1 only.
> Everything I listed above can be solved by a single sysadmin with group policy and 30 minutes to kill, and they won't reoccur.

Good point. I tried to highlight that (not relying on default policies).