TOOLS
Nmap is one of the most useful and widely used tools among pentesters, network admins, and engineers alike. It is a network scanner used for host discovery, port scanning, version detection and fingerprinting, and through its scripting engine (NSE) it also works as a vulnerability scanner and exploitation toolkit.
Nmap keeps a very detailed set of documentation on its website (https://nmap.org/docs.html).
This is the basic Nmap syntax:
nmap <option> <flag> <value>
Example
nmap -Pn -p 80,443 -v target_url.com -oA output_file
Basic Nmap command that I use for scanning targets
sudo nmap -Pn -A -vvv -T4 -iL targets.txt -oA scan_results
This command makes use of the following flags:
- -Pn (skips the host discovery phase and treats all hosts as being online)
- -A (combines several options so they do not have to be given individually; it is equivalent to the four below)
  - -O (performs OS fingerprinting)
  - -sV (performs service version detection)
  - -sC (runs the default set of Nmap scripts)
  - --traceroute (shows the hop path to each host)
- -vvv (raises the verbosity of the scan to its maximum, which shows what Nmap is doing while it runs)
- -T4 (speeds up the scan; it is not stealthy, but it helps move things along)
- -iL (the input file where I keep my hosts; it is much easier to update this file than to list every IP, subnet, or hostname on the command line)
- -oA (writes all three output formats at once)
  - -oN (normal plaintext Nmap output listing the details of the scan)
  - -oX (Nmap output in XML format)
  - -oG (Nmap output in the easily greppable format)
PORT STATE | DESCRIPTION |
---|---|
open | Nmap is able to access the port and determine the application and service using it. Finding open ports is the ultimate goal of Nmap. |
closed | Nmap is able to access the port but there is no application listening on it. |
filtered | Nmap is unable to determine the state of the port because packet filtering prevents the probes from reaching it. |
unfiltered | Nmap is unable to access the port. |
open\|filtered | Nmap is unable to determine whether the port is open or filtered. This is reported when an open port would not have sent a response. |
closed\|filtered | Nmap is unable to determine whether the port is closed or filtered. |
There are WAY TOO many options and flags to go over them all here. Probably one of the silliest questions I see is “what is the best Nmap scan script?” The answer is that each option has its purpose, and a good pentester learns with time and experience when and how to use each one.
Metasploit Framework is an extremely useful free tool for vulnerability scanning and exploitation. It provides exploit modules for commonly known vulnerabilities as well as modules for testing whether a host is vulnerable.
MODULE TYPE | DESCRIPTION |
---|---|
EXPLOIT | Code that is used to execute a vulnerability against a targeted host |
PAYLOAD | Code that runs on the targeted host after successful exploitation |
AUXILIARY | Modules that provide additional functions such as scanning, sniffing, and fuzzing |
ENCODER | Used to obfuscate payloads against IDS/IPS, AV, and firewalls |
METERPRETER | Payload that provides an interactive shell to execute code against the targeted host |
COMMAND | USAGE | EXAMPLE |
---|---|---|
search | Look for a specific module | search eternalblue |
use | Select the module to use | use exploit/windows/smb/ms17_010_eternalblue |
show | List the available modules of the given type | show auxiliary, show payloads, show exploits |
options | List the options of the selected module | options |
set / setg | Set an option value / set it globally so it persists when you change modules | set RHOST 192.168.1.1, set VERBOSE true, set RPORT 8080 |
run | Run the selected auxiliary module | run |
exploit | Run the selected exploit module | exploit |
info | Show the info for the selected module, or for a module given by name | info, info exploit/windows/smb/ms17_010_eternalblue |
check | Test whether the target is vulnerable without running the exploit (where the module supports it) | check |
sessions | List the open sessions, or interact with one | sessions -l, sessions -i 1 |
Crack the collected hashes with hashcat (the one-liner prompts for the hash mode, the hash file, the rule and the wordlist):
echo "What is the hash type?" && read -p "i.e. 1000, 2100, 5600, etc. " HASH && read -ep "File location of the hashes? " FILE && read -ep "File location of the rule? " RULE && read -ep "File location of the wordlist? " WORD && sudo hashcat -a 0 -m "$HASH" -w 3 -O "$FILE" "$WORD" -r "$RULE"
HASH TYPES
MODE | HASH TYPE |
---|---|
1000 | NTLM |
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2 |
5600 | NetNTLMv2 |
27000 | MultiBit HD (scrypt) |
13100 | Kerberos 5, etype 23, TGS-REP |
TESTING
I start off by creating one or two files:
- hosts.txt – a list of networks, subnets, IP ranges, etc.
- targets.txt – a list of confirmed hosts to target (IP addresses, domains, etc.)
Broad testing is done against hosts.txt with the goal of finding live hosts and adding them to targets.txt for further testing.
Add IP Routes
Adding IP routes lets you reach multiple networks from one subnet. The command below lists the network interfaces, asks which one to use, takes the first address of that interface's subnet as the gateway (a heuristic; adjust it if your gateway sits elsewhere), and adds a route for every network listed in hosts.txt:
echo "set network interface" && ip -o link show | awk -F': ' '{print $2}' && read -p ">> " IFACE && SUBNET=$(ip addr list "$IFACE" | awk '/inet.*brd/ {print $2}') && IP=$(nmap -sL "$SUBNET" | sed -n '3p' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') && while IFS= read -r LINE; do sudo ip r add "$LINE" via "$IP"; done < hosts.txt
Quick reachability check of every entry in targets.txt:
while IFS= read -r LINE; do ping -c 1 "$LINE"; done < targets.txt
Using Screen with Linux
Screen is a terminal multiplexer that lets you start virtual terminal sessions inside a single terminal session.
This is INCREDIBLY useful when you are testing remotely and, for whatever reason, the session is terminated or disconnected. Screen ensures that even if the host terminal session is cancelled, the virtual terminal sessions keep running. Super useful for longer scans or continual passive reconnaissance.
Check to make sure that screen is installed and, if not, install it:
screen --version
sudo apt update && sudo apt install screen -y
I create a file with the names of the different screen sessions I want to make (the termcapinfo line at the end is important if you want scrollback to work in xterm):
screen -t name1
screen -t name2
screen -t name3
termcapinfo xterm* ti@:te@
Next, execute the following command. Its flags are:
- -d (detaches the session from anywhere else it is attached)
- -R (reattaches the session, creating it if it does not exist yet)
- -c (uses the specified file as the configuration, i.e. the session file created above)
screen -d -R <session_name> -c <file/location>
You can list the screen sessions with:
screen -ls
Kill screen sessions with:
pkill screen
If you have a hosts.txt file, you need to generate a list of targets to scan. This can be generated quickly with an Nmap ping scan (NOTE: it is important to use sudo for ping scanning, so that Nmap can send raw ICMP and ARP probes instead of falling back to TCP connect probes only):
sudo nmap -n -sn -vvv --script-args http.useragent="Mozilla 42" -iL hosts.txt -oG scan_ping.gnmap
Once the ping scan has completed, parse the file with the following command to find the hosts that are up. It greps for “up” hosts, pulls out the IP addresses, appends them to targets.txt, then cleans targets.txt up by sorting the IPs and removing duplicate entries (sort -o writes back to the same file safely, whereas piping through tee into the file you are still reading can truncate it):
grep -i 'status: up' scan_ping.gnmap | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> targets.txt && sort -uV -o targets.txt targets.txt
While a ping scan is a good option to get started right away, some hosts may not respond to a ping. For those, run Nmap with host discovery skipped (-Pn) so that every host gets port scanned. This takes longer, so it is good to start it after the ping scan. There is no “best” way to scan with Nmap; each network is different and responds differently to scanning. This is a good command to start with, though it might need some tweaking:
nmap --open -Pn -n -iL hosts.txt -vvv --script-args http.useragent="Mozilla 42" -T5 -oG scan_enum.gnmap
To parse this output and add the targets to targets.txt, run:
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" scan_enum.gnmap >> targets.txt && sort -uV -o targets.txt targets.txt
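As an added example (not from the original notes), here is a small set of POSIX shell helpers that does the same extraction from Nmap grepable output in a more careful way: it filters on Status: Up, can also filter on a specific open port (the same trick serves the web host step further down), and merges into the target file with sort -o, which avoids the truncation race of piping a file through tee back into itself. The function names and the sample .gnmap content are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): parse Nmap grepable output
# (-oG / .gnmap) into a target list. Assumes POSIX sh, awk and GNU sort -V.
# The sample below is constructed in the -oG layout; real files separate the
# fields with tabs, which awk treats the same as spaces.

SAMPLE_GNMAP='# Nmap scan initiated as: nmap -iL hosts.txt -oG scan.gnmap
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.9 ()  Status: Down
Host: 10.0.0.12 (fileserver.corp.local)  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///  Ignored State: closed (997)
Host: 10.0.0.12 (fileserver.corp.local)  Ports: 445/open/tcp//microsoft-ds///  Ignored State: filtered (999)
Host: 10.0.0.20 ()  Ports: 80/filtered/tcp//http///
# Nmap done -- 4 IP addresses (3 hosts up) scanned'

# up_hosts: print the address of every "Status: Up" line (ping scan output).
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' | sort -uV
}

# open_port_hosts [PORT]: print hosts whose Ports: field lists PORT as open;
# with no argument, any open port qualifies. Each entry in the Ports: field
# is port/state/protocol/owner/service/rpc/version.
open_port_hosts() {
    awk -v want="$1" '
        /^Host:/ && /Ports:/ {
            ip = $2
            sub(/.*Ports: /, "")              # keep only the port entries
            n = split($0, entries, /, */)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")     # f[1] = port, f[2] = state
                if (f[2] == "open" && (want == "" || f[1] == want)) {
                    print ip
                    break
                }
            }
        }' | sort -uV
}

# merge_targets FILE: append stdin to FILE, then sort and dedupe FILE in
# place. sort reads all of its input before writing, so "-o FILE" on the
# input file is safe; "cat FILE | sort | tee FILE" is not, because tee may
# truncate FILE before cat has read it.
merge_targets() {
    cat >> "$1" && sort -uV -o "$1" "$1"
}

# Typical use, mirroring the commands in the notes:
#   up_hosts < scan_ping.gnmap | merge_targets targets.txt
#   open_port_hosts 80 < webscan.gnmap | merge_targets webhosts.txt
```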
Run Responder to Check for LLMNR NBT-NS Poisoning
LLMNR/NBT-NS poisoning is a very easily exploited vulnerability with a high success rate. To take advantage of it, run Responder at the beginning of the test to collect as many hashes as possible, then attempt to crack them with something like hashcat.
FIRST, move any old Responder logs and hashes to an archive location:
read -p "What is the name of the client folder to archive to? " CLIENT && sudo mkdir -p "/usr/share/responder/logs/archive/$CLIENT" ; sudo mv /usr/share/responder/logs/* "/usr/share/responder/logs/archive/$CLIENT"
Now run Responder (the one-liner lists the interfaces and asks which one to listen on):
echo "set network interface" && ip -o link show | awk -F': ' '{print $2}' && read -p ">> " IFACE && sudo responder -I "$IFACE" -wvFP
Periodically check the Responder logs for NTLMv2 hashes and attempt to crack them with hashcat (mode 5600 for NetNTLMv2):
sudo hashcat -a 0 -m <num> -w 3 -O <file> <wordlist> -r <rule>
Responder logs are located in the following directory:
/usr/share/responder/logs
Here is a useful way to pull usernames from the capture files (it lists the .txt files and prompts for a substring of the file name to match):
echo "File string" && ls | grep txt && read -p ">> " STR && cat ./*"$STR"* | sed 's/::.*/::/' | sed '/^=/d' | sed 's/:://' | sort -uV
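Building on the username one-liner above, here is an added example (not from the original notes) that keeps a single NTLMv2 capture per DOMAIN\user, so hashcat does not spend time cracking the same account repeatedly, and lists the accounts seen. The function names unique_hashes and capture_accounts and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: reduce Responder NTLMv2 captures to one line per account.
# Assumes POSIX sh and awk. Responder appends a new line to
# logs/SMB-NTLMv2-SSP-<client-ip>.txt for every authentication it sees, so
# the same account shows up repeatedly; hashcat -m 5600 only needs one.
# Line format: user::DOMAIN:server_challenge:NTProofStr:blob

# Constructed sample (shortened, made-up hex values).
SAMPLE_LOG='jdoe::CORP:1122334455667788:aabbccddeeff00112233445566778899:0101000000000000aa
svc-backup::CORP:8877665544332211:99887766554433221100ffeeddccbbaa:0101000000000000bb
JDOE::corp:deadbeefdeadbeef:00112233445566778899aabbccddeeff:0101000000000000cc
asmith::LAB:0123456789abcdef:ffeeddccbbaa99887766554433221100:0101000000000000dd'

# unique_hashes: keep the first capture for each DOMAIN\user. Windows treats
# both parts case-insensitively, so the key is lower-cased. Lines that are
# not user::DOMAIN:... (Responder banners, blank lines) are dropped.
unique_hashes() {
    awk -F'::' 'NF == 2 && $1 != "" {
        split($2, f, ":")                       # f[1] = domain
        key = tolower(f[1]) "\\" tolower($1)
        if (!(key in seen)) { seen[key] = 1; print }
    }'
}

# capture_accounts: print DOMAIN\user for every unique capture, sorted.
capture_accounts() {
    unique_hashes | awk -F'::' '{ split($2, f, ":"); print toupper(f[1]) "\\" $1 }' | sort -u
}

# Typical use from /usr/share/responder/logs:
#   cat ./*NTLMv2*.txt | unique_hashes > ntlmv2_unique.txt
#   hashcat -a 0 -m 5600 ntlmv2_unique.txt wordlist.txt -r rule.rule
```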
Network Fingerprinting with Nmap
Enumeration scanning with Nmap is just the first step; Nmap is also a great tool for looking for services, open ports, hardware info, vulnerabilities and more.
Nmap scanning is not a “one size fits all” approach. Each network is different and will respond differently to network scanning.
A quick scan of the default 1000 ports with OS detection, version detection, default scripts and traceroute (-A):
sudo nmap -Pn -vvv --script-args http.useragent="Mozilla 42" -A -iL targets.txt -oA scan_quick
For a more detailed scan on every port use the following:
sudo nmap -Pn -vvv --script-args http.useragent="Mozilla 42" -A -p- -iL targets.txt -oA scan_full
Vulnerability Scanning with Nmap
NSE Script Categories:
- auth
- broadcast
- brute
- default
- discovery
- dos
- exploit
- external
- fuzzer
- intrusive
- malware
- safe
- version
- vuln
The vulners script queries the ExploitDB online every time it runs:
sudo nmap -Pn -vvv -sV --script vulners -oA scan_vulners -iL targets.txt
The vuln category runs the scripts that each check for a specific known vulnerability:
sudo nmap -Pn -vvv -sV --script vuln -oA scan_vuln -iL targets.txt
Vulscan queries a local database on the machine, which has to be set up before the scan starts:
sudo nmap -Pn -vvv -sV --script vulscan -oA scan_vulscan -iL targets.txt
Configure the database (clone it next to the Nmap scripts and link it in under the name vulscan):
cd /usr/share/nmap/scripts/
git clone https://github.com/scipag/vulscan.git scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
Update the database:
cd vulscan/utilities/updater/
chmod +x updateFiles.sh
./updateFiles.sh
SSL/TLS Scanning
Nmap
nmap -Pn -vvv --script-args http.useragent="Mozilla 42" --script ssl-cert,ssl-enum-ciphers -p 443,8443 -iL targets.txt -oA scan_ssl
SSLscan
sslscan --targets=targets.txt --verbose --xml=sslscan.xml > scan_sslscan.txt
SSLyze
sslyze --targets_in targets.txt > scan_sslyze.txt
Tlssled
Quick reference for what the cipher enumeration can reveal:
- SSLv3 + CBC = POODLE & BEAST
- TLSv1.0 + CBC = BEAST
See SSL/TLS Vulnerabilities below for more information on exploitation.
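To connect the scans with the findings catalogued later on this page, here is an added example (not from the original notes, and not part of Nmap) that reads ssl-enum-ciphers output and flags the two conditions listed above plus SWEET32, RC4 and Logjam. The function name tls_findings and the sample output are constructed here; the sample follows the layout the script prints for one port.

```shell
#!/bin/sh
# Added example (not from the original notes or from Nmap): map the output
# of nmap --script ssl-enum-ciphers to the findings catalogued on this page.
# Assumes POSIX sh and awk. Rules applied, per the notes:
#   SSLv2/SSLv3/TLSv1.0 offered           -> deprecated protocol
#   SSLv3 + CBC cipher                    -> POODLE and BEAST
#   TLSv1.0 + CBC cipher                  -> BEAST
#   DES/3DES/IDEA/RC2 (64-bit block)      -> SWEET32
#   RC4                                   -> weak cipher
#   DHE with a group of 1024 bits or less -> Logjam

# Constructed sample in the layout ssl-enum-ciphers prints for one port.
SAMPLE_ENUM='| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C'

# tls_findings: read ssl-enum-ciphers output on stdin and print one
# "PROTOCOL: finding" line per issue, deduplicated, in the order found.
tls_findings() {
    awk '
        function note(msg) { if (!(msg in seen)) { seen[msg] = 1; print msg } }
        # protocol header lines look like "|   TLSv1.0:"
        /^[|][ ]+(SSLv[23]|TLSv1\.[0-3]):[ ]*$/ {
            proto = $2; sub(/:$/, "", proto)
            if (proto == "SSLv2" || proto == "SSLv3" || proto == "TLSv1.0")
                note(proto ": deprecated protocol enabled")
            next
        }
        # cipher lines look like "|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - C"
        /^[|][ ]+TLS_/ {
            c = $2
            if (c ~ /_CBC_/) {
                if (proto == "SSLv3") { note(proto ": CBC cipher (POODLE)"); note(proto ": CBC cipher (BEAST)") }
                if (proto == "TLSv1.0") note(proto ": CBC cipher (BEAST)")
            }
            if (c ~ /3DES|_DES_|IDEA|RC2/) note(proto ": 64-bit block cipher (SWEET32)")
            if (c ~ /RC4/) note(proto ": RC4 cipher (weak cipher)")
            # "(dh 1024)" is the DH group size nmap reports for DHE suites
            if (match($0, /[(]dh [0-9]+[)]/)) {
                bits = substr($0, RSTART + 4, RLENGTH - 5) + 0
                if (bits <= 1024) note(proto ": DHE with " bits "-bit group (Logjam)")
            }
        }'
}

# Typical use: nmap --script ssl-enum-ciphers -p 443 <host> | tls_findings
```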
For exploitation there are a few resources I use:
- Metasploit (msfconsole in Kali)
- ExploitDB (using searchsploit in Kali)
- Looking for POC exploits on Github
Metasploit
Metasploit is by far the most popular tool used for exploiting vulnerabilities identified during a test.
Initiate Metasploit
msfconsole
Search for an exploit:
search <name>
Use an exploit:
use <name>
You will need to set certain basic options (such as RHOST). I also personally prefer to set VERBOSE to true. (You can also set options globally with setg.)
set <OPTION> <value>
setg <OPTION> <value>
Then run the exploit:
run
ExploitDB

Scan the hosts identified in targets.txt for common web ports:
nmap -Pn -vvv -p 80,81,443,591,8008,8080,8443 --open -iL targets.txt -oA webscan
Generate webhosts.txt from the Nmap scan (sort -o rewrites the file safely instead of piping it through tee back into itself):
awk '/Up$/{print $2}' webscan.gnmap >> webhosts.txt && sort -uV -o webhosts.txt webhosts.txt
HTTP ENUM scan with nmap
nmap -n -p 80 --script http-enum -vvv -iL targets.txt
Run Nikto for webserver vulnerability analysis
nikto -Display V -h webhosts.txt -o nikto.txt -p 80,81,443,591,8008,8080,8443
Run WhatWeb for webserver intelligence
whatweb -i webhosts.txt -v --log-verbose=whatweb.txt --log-xml=whatweb.xml --log-json=whatweb.json
Scan the web servers for WordPress installs with WhatWeb (the brief one-line-per-host output is what the grep relies on, so -v is left out here):
whatweb -p WordPress -i webhosts.txt --log-json=wp_scan.json | grep -i wordpress | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> wphosts.txt && sort -uV -o wphosts.txt wphosts.txt
WPscan (prompts for your WPScan API token):
read -p "API Token >> " TOKEN && while IFS= read -r LINE; do wpscan --verbose --user-agent "Mozilla 42" --url "$LINE" --api-token "$TOKEN" | tee -a wpscan.txt; done < wphosts.txt
VULNERABILITIES / EXPLOITS
- LLMNR / NBT-NS Poisoning
- Log4Shell
- EternalBlue
- BlueKeep
- SSL / TLS Vulnerabilities
- Software (Outdated/EOL/Update Required)
- Plaintext Authentication Accepted
- Browser-Based Security Settings

LLMNR / NBT-NS Poisoning
LLMNR/NBT-NS poisoning is an extremely successful and highly exploitable attack used in internal penetration testing. LLMNR (Link-Local Multicast Name Resolution) and the older NBT-NS (NetBIOS Name Service) are both used to identify hosts when DNS fails. When a victim follows a poisoned answer, it authenticates to the answering host with NTLM/NTLMv2, and it is that NTLM hash we are ultimately after, since it is the exploitable factor in what makes LLMNR/NBT-NS vulnerable.

The chart above should be pretty easy to follow, but what basically happens is this: when a share cannot be resolved through DNS, the victim machine (making the request) broadcasts the request instead. The attacker quickly responds, essentially volunteering to be the share, in exchange for an NTLM hash. This hash can then either be cracked with something like Hashcat or used in a relay attack. The tool used to exploit this vulnerability is called Responder.

Log4Shell
CVE-2021-44228
CVE-2021-45046
CVE-2021-4104
Description
On November 24, 2021, a vulnerability was discovered in the Java logging library log4j. A malicious adversary could take advantage of this zero-day vulnerability to perform remote code execution (RCE) on the affected server. This would allow
Remediation
References
MITRE – CVE-2021-4104 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
MITRE – CVE-2021-44228 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228
MITRE – CVE-2021-45046 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Exploitation

EternalBlue
CVE-2017-0144
EternalBlue is the name of a software vulnerability in Microsoft’s Windows operating systems as well as of a tool developed by the NSA to exploit it. The tool was released by the Shadow Brokers as part of a series of leaks of NSA material. Several malware families, such as WannaCry and NotPetya, leverage the EternalBlue exploit.
Use Nmap to check for hosts with the vulnerability:
nmap -Pn -vv -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 -iL targets.txt -oA nmap_eternalblue


TLS / SSL Vulnerabilities
Over the past few years, attacks against deprecated versions of TLS, including SSL version 2 and version 3, have become more numerous and easier to carry out. However, since successful attacks against SSL require advanced capabilities and network visibility, the risk rating is reduced despite the number of available attack methods. Current industry best practice is to disable all support for SSL version 2 and 3, as well as TLS v1.0. TRUE rates these issues as minimal and recommends Webair disable these older protocols in the near future.
Testing SSL/TLS
Nmap
nmap -Pn -vvv --script ssl-cert,ssl-enum-ciphers -p 443,8443 -iL targets.txt -oA scan_ssl
SSLscan
sslscan --targets=targets.txt --verbose --xml=sslscan.xml > sslscan.txt
SSLyze
SSL Version 2, 3, or TLS v1 Enabled
Description
The service accepts connections encrypted using SSLv2, SSLv3 or TLSv1, which reportedly suffer from several cryptographic flaws and have been deprecated for several years. This usage should be discontinued in favor of more modern secure protocols such as TLSv1.2 or TLSv1.3. No vendor patch is available for this issue.
Remediation
Disable the use of older versions of SSL/TLS (SSLv2, SSLv3, and TLSv1) and use protocols such as TLSv1.2 and TLSv1.3 instead.
Exploitation
References
HeartBleed (OpenSSL Memory Leak)
Description
In April 2014, versions of OpenSSL (before v1.0.1) were found to contain a memory leak flaw in the code that handles heartbeat (keep-alive) messages sent from a client to the affected server. A malicious adversary would be able to exploit this flaw by sending specially crafted packets to the host, resulting in the disclosure of data stored in memory. This information could include payment information, passwords, and other sensitive or personal information. The vendor released security patches on the date the vulnerability was publicly disclosed.
Remediation
For HeartBleed-affected locations, RTC recommends upgrading to the latest release of OpenSSL (1.1.1n or 3.0.2) and disabling all support for SSL version 2 and 3, as well as TLS v1.0 and v1.1.
Exploitation
There are currently 2 Metasploit modules for HeartBleed:
- auxiliary/server/openssl_heartbeat_client_memory
- auxiliary/scanner/ssl/openssl_heartbleed
References
SWEET32 (Birthday Attack)
Description
Legacy block ciphers with a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the TLS protocol supporting cipher suites that use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected.
Remediation
Exploitation
References
3SHAKE (TLS Triple Handshake)
Description
TLS uses handshakes to first authenticate the connection between hosts and then negotiate and establish a shared secret (the master secret) that both hosts use to encrypt and decrypt the traffic they send. The TLS Triple Handshake attack takes advantage of a weakness in TLS key negotiation which does not guarantee that the keys used in a connection will be unique. As a result, if a client connects to a malicious server, the attacker can intercept the traffic and pass it on to the legitimate server, and can then force both the target and the legitimate server to use the same master secret.
Remediation
For 3SHAKE-affected locations, RTC recommends strengthening the derivation of the master secret by including the handshake hash, or by strengthening the abbreviated handshake.
Exploitation
References
MITLS – 3SHAKE – https://www.mitls.org/pages/attacks/3SHAKE
RACCOON Attack (OpenSSL)
Description
Remediation
Exploitation
References
MITRE – CVE-2020-1968 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
Raccoon Attack – https://raccoon-attack.com/
CRIME (Compression Ratio Info-leak Made Easy)
Description
Remediation
Exploitation
References
MITRE – CVE-2012-4929 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4929
POODLE (Padding Oracle On Downgraded Legacy Encryption)
Description
SSL 3.0, and TLS implementations that remain backwards compatible with SSL 3.0, are vulnerable when using cipher-block chaining (CBC): the attack leverages weaknesses in the protocol version negotiation built into SSL/TLS to force a connection down to SSL 3.0. Data can then be decrypted selectively, one byte at a time, which requires a large number of connections during the data transfer.
Remediation
Exploitation
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566
BEAST (Browser Exploit Against SSL/TLS)
Description
Versions of TLS 1.0 and earlier are vulnerable to a security flaw found in the Oracle/Java software framework. The exploit targets Cipher Block Chaining (CBC) mode's use of a predictable initialization vector (IV). By controlling part of the data being encrypted and predicting the IV in use, the attacker is able to decrypt some of the encrypted data being transferred.
Remediation
Exploitation
References
MITRE – CVE-2011-3389 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3389
Weak Cipher (RC4/ARC4/ARCFOUR)
Description
RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR) is a stream cipher that was adopted by SSL in 1995 and TLS in 1999. Originally designed as a simple, lightweight and fast cipher, it has since been deprecated and multiple flaws have been discovered in it. RC4 was notably used as a workaround for the BEAST and Lucky13 attacks, though multiple vulnerabilities in RC4 itself were later disclosed. Since then, TLSv1.2 and TLSv1.3 have addressed the BEAST and Lucky13 issues, and use of RC4 is strongly discouraged.
Remediation
RTC recommends disabling the RC4 cipher on the affected servers (those flagged for BEAST and ARCFOUR).
Exploitation
References
MITRE – CVE-2013-2566 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2566
MITRE – CVE-2015-2808 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2808
Logjam (Diffie-Hellman Vulnerabilities)
Description
A vulnerability in the Diffie-Hellman key exchange allows attackers to downgrade TLS connections. Using a man-in-the-middle attack, an attacker can then modify or alter data passed between the server and the client.
Remediation
Exploitation
References
Software (Outdated/EOL/Update Required)
Software updates are an important part of the software development lifecycle, in which developers identify bugs in the program and release patches for them. This type of maintenance is critical to ensuring that the software runs as intended by the vendor and to preventing catastrophic events in user environments. Applying software updates is an important part of network maintenance, and when scheduled updates are not performed, system efficiency can deteriorate over time. Additionally, when software reaches the end of its life, vendors no longer provide updates; this can be the result of a new version being pushed or of the project being abandoned entirely. When security vulnerabilities are disclosed, vendors work quickly to patch the issue and push the change. Some of these patches are released outside of the scheduled version cycle as critical updates to protect the software's integrity.
Apache Server
An Apache server has been identified with multiple security vulnerabilities
When software reaches the end of its life, vendors no longer provide updates for it. Over time, the software can become incompatible with the system, or bugs can cause problems. Additionally, critical security vulnerabilities can be reported with no fixes issued by the vendor.
jQuery
INFO
MITIGATION
RTC recommends upgrading to the latest stable release of jQuery (v3.6.0) and configuring scheduled updates to the system.
Reference:
jQuery – Downloads – https://jquery.com/download/
Microsoft IIS
INFO
MITIGATION
RTC recommends upgrading to the latest stable release of Microsoft IIS (IIS 10 [for server Server2019, Server2016, Windows10], IIS 8.5 [for Server2012, or Windows8.5] , or IIS 8 for Server2012).
Reference:
Microsoft – IIS Release Information – https://docs.microsoft.com/en-us/lifecycle/products/internet-information-services-iis
Microsoft Server
INFO
The current instances of Microsoft Server that have been detected on the network are running outdated versions that are no longer supported by the vendor. The versions running have been identified with several vulnerabilities that affect the security of the system and the data stored on it.
MITIGATION
RTC recommends upgrading to the latest stable release of Microsoft Windows Server (Windows Server 2022, version 20H2, version 1909, 2019 (version 1809), or 2016 (version 1607)).
Reference:
Microsoft – Windows Server Release Information – https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-release-info
Microsoft SQL Server
INFO
MITIGATION
RTC recommends upgrading to the latest stable release of Microsoft SQL Server (SQL Server 2019, 2017, 2016, 2014, or Azure SQL Database).
Reference:
Microsoft – SQL Server Release Information – https://docs.microsoft.com/en-us/troubleshoot/sql/general/determine-version-edition-update-level
OpenSSL
PHP Server
INFO
MITIGATION
RTC recommends upgrading to the latest stable release of PHP (v8.1.5, v8.0.18, or v7.4.29) and configuring scheduled updates to the system.
Reference:
PHP – Downloads – https://www.php.net/downloads.php
Plaintext Authentication Accepted
Encryption allows communication between a client and a server to remain secure. This happens by changing human readable plaintext into unreadable ciphertext. In order to decrypt the communication, a cipher and the proper secret is required. Hackers are able to perform man-in-the-middle (MITM) attacks in order to intercept this data. Information such as login credentials, payment information or other sensitive data is readily available to malicious adversaries. Services exist that use insecure methods of data transmission from before when data security was not a primary concern. These services should be replaced with more secure methods of communication that enforce encryption by default.
FTP (SFTP, FTPS, FTP over SSH)
RTC discovered a host running an FTP server. This plaintext protocol allows for unencrypted authentication and communication between a vulnerable client and server.
RTC recommends using encrypted methods of communication (such as SFTP, FTPS, and FTP over SSH) for accessing and transferring files and in some cases (HTTPS) when accessing FTP servers from a web interface.
Reference: https://security.sdsc.edu/self-help/no-plaintext/
Telnet (SSH)
RTC discovered a host running a telnet server. This plaintext protocol allows for unencrypted authentication and communication between a vulnerable client and server.
RTC recommends using encrypted methods of communication (such as SSH) when accessing remote hosts from a command line interface.
Reference: https://security.sdsc.edu/self-help/no-plaintext/
HTTP (HTTPS)
RTC discovered a host running an HTTP server. This plaintext protocol allows for unencrypted authentication and communication between a vulnerable client and server.
RTC recommends using encrypted methods of communication (such as HTTPS) for accessing web services and applications.
Reference: https://security.sdsc.edu/self-help/no-plaintext/