In the course of a recent external penetration test, one of SecureWorks testing experts, Nate Drier, found through the use of enumeration that a popular bug tracking software was running on a web server.
Unfortunately for the organisation they didn't put this popular software behind a VPN, leaving it open to further enumeration of usernames. Granted it required a valid password to go with the username but that only served to be a minor hurdle in infiltrating this software.
Once he was in, what Nate was able to collect on the organisation could be very damaging and served as a lesson learned to the organisation about putting internal tools out on the internet. Watch the video to learn more.
We were doing an external penetration test for our client and through the course of enumeration we found they had this really popular bug track software installed on one of their web servers and there is a function of the software that lets you enumerate usernames without being logged in. So the rest of the software is password protected before you can log in and submit tickets, so you had to know valid usernames and passwords, but you could enumerate usernames as anyone on the internet. So using some off the shelf tools we were able to enumerate over one thousand usernames.
Once we had a list of usernames we just tried passwords like password1 and low and behold it led us into one of the accounts, so now we were able to log into this bug tracking software and view tickets, we were able to gain additional usernames and passwords, look at code snippets and see all sorts of other internal information. So in general with things pushed out to the internet, if those don't need to be customer facing, it's best to put those behind a VPN that way in this case we wouldn't have been able to access the portions that application needed to enumerate usernames in the first place.