I’ve been reviewing some of our clients’ system security parameters, especially externally hosted systems. I’m finding a real mix: some are fairly secure, others just scream ‘attack me’. For example, I’ve found one externally hosted system that does not employ 2FA, minimum password age, password history or account lock after x incorrect passwords. So in theory, if an attacker knows the URL and can guess or phish the naming convention for the user names, they can set up a programme to brute force account passwords until they get in.
Speaking to the system owners, however, their defence is, ‘yes, but you need to know the URL first’. This doesn’t stand well with me; I’m pretty sure that if you searched their company’s website or Google, you would have a good chance of finding the URL in some documentation somewhere. Or you can just ring them up and ask; I’m sure someone will tell you.
However, if you got nowhere with this approach but you did find out that the system you’re after was hosted by a particular company, is it possible to get the URL by some kind of ‘probe’ at the hosting company? I’m not an expert, but can you do something with DNS to find URLs, or anything to determine what it could be, apart from searching websites for documentation that might have been made public with the URL?