This write-up walks through one of my many journeys in external penetration testing. After executing security assessments (e.g. penetration testing, red teaming, etc.), I make it a habit to debrief my client's senior management on the work performed and on my report. This creates an opportunity to discuss things such as the attack Tactics, Techniques and Procedures (TTPs) used, attack vectors, findings, recommendations, remediation efforts, etc. More often than not, I get surprised looks from the management teams about some of the ways I got my initial foothold on the network or some of the techniques I used.
Most of them expect some Tom Cruise, Mission Impossible-style hacking, bypassing firewalls, etc., only to find out how easy it was for me to compromise their networks.
So, I usually take the time with my clients to shed some light on how modern-day attacks are usually carried out and how a loophole as small as one weak user credential can topple the entire network defence.
The fact is, cyber-attacks are about efficiency, not necessarily elegance. Adversaries don't look for the hardest ways to break in; they mostly look for the easiest ways to get in.
We popularly term this approach the path of least resistance, and one of these paths is login credentials. All it takes is one set of user credentials and your entire network could fall to an adversary.
Back in 2018, a large healthcare organization contacted us to conduct external penetration testing against its external network infrastructure. For the scope of the engagement, the organization provided us with their domain name and IP address ranges. Of course, the objective was to identify attack vectors to compromise the organization from the internet.
External Penetration Testing Checklist
Among other penetration testing techniques, I need not mention or reiterate the importance of reconnaissance in every cyber-attack and network penetration test alike. This phase of the cyber kill chain is where you gather intelligence about your target, both passively and actively.
I usually use this opportunity to do a lot of passive intelligence gathering using Open Source Intelligence (OSINT) tools and platforms for the external penetration testing plan. I rarely use scanning tools against a target's network at this phase, since I can get almost all the necessary information to craft my attack strategy without them.
So, what am I usually looking for in this phase?
Well, among the plethora of information that can be found through OSINT, below are the key items I usually pay attention to:
- Login portals (Citrix, OWA, VPN, SharePoint, etc.)
- Types of technologies in use (IIS, etc.)
- Email addresses
- Usernames (lots of them)
External Penetration Testing Tools
Using tools, websites and platforms such as Google (google.com), Shodan (shodan.io), Censys (censys.io), connect.data.com, Fierce, Recon-ng, SimplyEmail, TheHarvester, SpiderFoot (spiderfoot.net), Email Hunter (hunter.io), VirusTotal (virustotal.com), FOCA, Maltego and Pastebin (pastebin.com),
I was able to harvest a lot of information about my client, such as subdomains, email addresses, usernames, hosts, network services, open ports, leaked credentials from prior breaches, login portals, etc.
For the sake of this write-up and to keep my client's name confidential, I'm using a sample domain and Email Hunter to demonstrate one of the many ways I obtained the username format and email addresses (and later extracted the usernames) of my target client.
In the image below, you can see I got more than 9,000 email addresses and the username format for the target domain.
After I had spent a considerable amount of time in the reconnaissance phase and had gathered a lot of information, I used this phase to go through the plethora of data gathered and strategically map out my attack surface and the attack approach I would be using.
While going through this data, I was interested in the applications and network services that usually authenticate against the organization's LDAP or AD environment.
These could be SMB, OWA, Autodiscover, VPN, Citrix, Jenkins, SharePoint, custom applications, etc. Once I had identified such services and decided which of them to attack, I organized all the email addresses and usernames I had found in the reconnaissance phase.
I made sure I had removed duplicate email addresses and usernames, and also cross-checked that the external usernames and internal domain usernames used the same format; where there were variations, I got that checked too.
At the end of this phase, I had found the client's external OWA and Citrix applications, among others, and had also gathered close to 1,000 unique usernames. From here, I was ready to roll into the next phase of my kill chain.
This is where the real action happens. For most attacks, this phase is where the adversary attempts to gain an initial foothold. Lots of things are iterative in this phase, since the TTPs used would vary based on the information gathered in the Reconnaissance and Target Development phases.
During an external penetration test, efficiency is key and, most of the time, keeping things simple is your best route. In the early days of penetration tests, finding vulnerabilities and exploiting them was usually the way to go.
However, as adversaries evolved their TTPs, we had to evolve as well. With that said, one of the basic, yet effective, attack techniques is an authentication-based attack, also referred to as password brute-forcing.
In the traditional password brute-force attack, you have one username and you try several possible passwords against that username, hoping that the user is using one of the passwords in your list.
Well, administrators became wiser and started implementing account lockout policies, so that after login attempts reach a certain threshold (say, after 5 attempts), the account locks out. To counter this control, a new breed of authentication-based attack emerged, called Password Spray (some call it horizontal or reverse brute-forcing, etc.).
With this attack, an adversary gathers several usernames or email addresses (depending on the type of application or network service being attacked) and then tries one password against all of the usernames or email addresses to identify which of the users may be using that password.
This technique has had, and continues to have, a high success rate in real-world attacks and on most of my penetration testing engagements. There are several tools to perform this attack; however, for application-based password spray attacks, my favourite go-to tool is Burp Suite.
Burp Suite gives me enough room for customizing my password spraying, such as threading, throttling, grepping for strings, etc. When choosing passwords for this attack, I usually try Season + Year (e.g. Summer2018, Winter19, etc.), CompanyName + Numbers (e.g. Company123, Company2003, etc.), ideas from prior company breaches, locations, sports teams, etc. Honestly, there are no right or wrong ways of choosing passwords for a password spray attack.
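To make the brute-force versus spray distinction concrete from the defender's side, here is an added example (not from the original post) that runs over constructed authentication log lines (format: timestamp, source IP, username, result; the IPs and account names are made up) and separates a spray, which stays below an assumed 5-attempt lockout policy per account, from a classic brute force against one account:

```python
"""Separate password spraying from classic brute force in authentication logs.
Constructed sample events: a spray stays under the lockout threshold per
account but touches many accounts from one source; a brute force hammers one."""
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 5    # assumed account-lockout policy (failures per account)
SPRAY_MIN_USERS = 10     # assumed: distinct failing accounts from one source
WINDOW_SECONDS = 3600    # assumed observation window

# Constructed log lines (timestamp, source IP, username, result); names and IPs are made up.
SAMPLE_LOG = (
    [f"2018-11-05T09:{m:02d}:00 203.0.113.7 user{u:02d} FAIL"
     for m, u in zip(range(0, 24, 2), range(12))]          # spray: 12 accounts, 1 try each
    + ["2018-11-05T09:24:00 203.0.113.7 user12 SUCCESS"]   # the sprayer found a weak password
    + [f"2018-11-05T10:{m:02d}:00 198.51.100.9 jdoe FAIL" for m in range(0, 14, 2)]  # brute force
    + ["2018-11-05T10:30:00 192.0.2.5 asmith FAIL", "2018-11-05T10:31:00 192.0.2.5 asmith SUCCESS"]
)

def parse(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect(lines, lockout=LOCKOUT_THRESHOLD, min_users=SPRAY_MIN_USERS, window=WINDOW_SECONDS):
    """Return {'spray': {src: {'users': [...], 'successes': [...]}},
               'brute_force': {(src, user): failure_count}}."""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        ts, src, user, result = parse(line)
        (fails if result == "FAIL" else successes)[(src, user)].append(ts)
    brute, per_src = {}, defaultdict(list)
    for (src, user), stamps in fails.items():
        stamps.sort()
        # brute force: one account failing >= lockout times inside the window
        if any((stamps[i + lockout - 1] - stamps[i]).total_seconds() <= window
               for i in range(len(stamps) - lockout + 1)):
            brute[(src, user)] = len(stamps)
        per_src[src].append((user, len(stamps)))
    spray = {}
    for src, entries in per_src.items():
        # spray: many distinct accounts, each kept below the lockout threshold
        low = sorted(u for u, n in entries if n < lockout)
        if len(low) >= min_users:
            hits = sorted(u for (s, u) in successes if s == src)   # accounts to reset first
            spray[src] = {"users": low, "successes": hits}
    return {"spray": spray, "brute_force": brute}
```

Note that a per-account lockout counter never fires on the spraying source, which is exactly why the detection has to pivot on the source rather than the account.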
After setting up and configuring everything inside Burp Suite against the client's Citrix web application, I kick-started the attack, slowly and steadily. My first round of spraying gave me two valid user credentials with the password Winter2017.
In the image below, request numbers 208 and 853 are the valid credentials, with three levels of redirects.
Off to start!
Using the two user accounts found, I was then able to authenticate to the client's Citrix applications as these users. However, to my dismay, neither of the users had any applications in their Citrix application catalog. What a bummer.
Since I already had two valid credentials, I used the MailSniper tool from Black Hills and dumped the client's OWA Global Address List (GAL). This gave me more usernames for my next round of password spraying.
This time, I tried the spray attack against the client's OWA, using the password Companyname123 (I used the actual client's name and appended the numbers 123 to it). This yielded two more valid credentials. In the image below, request numbers 395 and 431 are the valid credentials.
This time, one of the users had an internal SAP application in their Citrix application catalog, and this SAP application opens with Internet Explorer.
Lateral Movement in External Penetration Testing
At the lateral movement phase, the adversary or the penetration tester has gained some level of access on the target, either at the application level or the network level, with either limited or full access.
The objective from this point forward is finding ways to move across the target's network while evading internal network security controls.
We (adversaries/pentesters) use the access gained to gather more information in order to move across the target's internal network.
Basically, we're back to reconnaissance, and this can be host-based intelligence gathering and/or network-based intelligence gathering. Again, the techniques used in this phase can vary based on many factors.
At this point, I had obtained application-level access and my next objective was to gain network-level access. Since I had experience in breaking out of Citrix environments, I saw this as my opportunity to break into the network level.
If you are interested in learning more about Citrix breakouts, the guys at NetSPI have a great blog on that (see the On The Web section for the link to the blog). To execute the Citrix breakout, I opened the victim's SAP application with Internet Explorer and tried to save the webpage's source.
Then, using the "Save As" option from the File menu, I navigated to the C:\Windows\System32 directory and launched the Windows command-line utility (cmd.exe).
This popped open CMD and gave me access to the backend Citrix server.
With access to the backend Citrix server, I whipped up a PowerShell Empire listener, generated a PowerShell launcher, executed it on the Citrix server and got a callback to my Empire listener from the Citrix server.
Enough has been said and written about Kerberoasting, so I won't dwell on explaining it here but rather go straight to what happened next. Most of the time, a Citrix server is considered a high-value system and, as such, only a limited number of users have administrative privileges on the server.
With that said, the user account with which I had gained access to the Citrix server was an unprivileged user. However, any domain user account can be used to request service tickets for Service Principal Names (SPNs), a Windows feature used by Kerberos authentication to associate a service instance with a service logon account; for example, an SPN for a service account that runs IIS.
Querying AD for service accounts can be done locally with Windows' built-in utility setspn.exe or remotely with tools such as Empire, Impacket, Metasploit, etc.
Using my Empire session, I dumped the SPNs and went about cracking the password hashes with Hashcat. Below is an example command used for cracking the password (mode 13100 is Kerberos 5 TGS-REP etype 23, with the best64 rule set applied to the wordlist):
hashcat -m 13100 -a 0 spn.output password.list -r best64.rule -o kerb.cracked
While reviewing the SPN query output, I noticed that some of the accounts belonged to the Administrators group, and Hashcat happened to have cracked the password hash for one such account (IIS_Admin).
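A defender's-side check for the step above, added here and not part of the original post: it walks constructed Windows Security event 4769 records (assumed field layout: time, requesting account, service name, ticket encryption type, client IP; the account names such as ctxuser are made up) and flags any account that requests service tickets for many distinct service accounts in a short window, by default only when RC4-HMAC (0x17) is negotiated, since that is the type the hashcat mode above cracks.

```python
"""Flag Kerberoasting-style service-ticket requests in Windows Security event 4769 data.
Tell-tale pattern: one account requests TGS tickets for many distinct service accounts
in a short window, typically with RC4-HMAC (0x17) because that is cheapest to crack."""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"                 # TicketEncryptionType value for RC4-HMAC in event 4769
MIN_DISTINCT_SERVICES = 5         # assumed threshold
WINDOW_SECONDS = 600              # assumed window

# Constructed 4769 records (time, requesting account, service name, etype, client IP); all made up.
SAMPLE_4769 = [
    ("2018-11-05T14:00:01", "ctxuser", "svc_sql", "0x17", "10.0.5.21"),
    ("2018-11-05T14:00:01", "ctxuser", "svc_iis", "0x17", "10.0.5.21"),
    ("2018-11-05T14:00:02", "ctxuser", "svc_backup", "0x17", "10.0.5.21"),
    ("2018-11-05T14:00:02", "ctxuser", "IIS_Admin", "0x17", "10.0.5.21"),
    ("2018-11-05T14:00:03", "ctxuser", "svc_sccm", "0x17", "10.0.5.21"),
    ("2018-11-05T14:00:03", "ctxuser", "svc_sap", "0x17", "10.0.5.21"),
    ("2018-11-05T14:05:00", "WS01$", "krbtgt", "0x12", "10.0.5.30"),     # normal TGT traffic
    ("2018-11-05T14:10:00", "asmith", "svc_sql", "0x12", "10.0.5.40"),   # normal AES access
    ("2018-11-05T15:10:00", "asmith", "svc_iis", "0x12", "10.0.5.40"),
]

def flag_kerberoast(events, min_services=MIN_DISTINCT_SERVICES, window=WINDOW_SECONDS, rc4_only=True):
    """Return {account: {'services': [...], 'client': ip}} for accounts whose ticket
    requests look like a roast; rc4_only=False also catches AES-only roasting."""
    per_account = defaultdict(list)
    for ts, account, service, etype, ip in events:
        # TGT requests and machine-account traffic are noise for this check
        if service == "krbtgt" or service.endswith("$") or account.endswith("$"):
            continue
        if rc4_only and etype != RC4_HMAC:
            continue
        per_account[account].append((datetime.fromisoformat(ts), service, ip))
    findings = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # slide over the requests: distinct services reached within `window` seconds
        for i, (start, _, ip) in enumerate(reqs):
            seen = {s for t, s, _ in reqs[i:] if (t - start).total_seconds() <= window}
            if len(seen) >= min_services:
                findings[account] = {"services": sorted(seen), "client": ip}
                break
    return findings
```

The accounts listed under "services" are the ones whose passwords are now exposed to offline cracking, so they are the reset priority regardless of whether the requesting account is caught.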
From my initial information gathering in this external penetration test, I had obtained certain critical intel about the internal network, such as the list of Domain Admins, Enterprise Admins, Domain Controllers, etc.
So, to effectively use the newly obtained credentials to compromise the domain, I needed to identify which systems the Domain Admins and/or Enterprise Admins had active sessions on or had previously logged in to.
Tools such as netview.py and Invoke-EventHunter can be used to accomplish that goal. After I had identified a few systems where Domain and Enterprise Admins had sessions, I kicked off CrackMapExec against those systems, using the IIS_Admin account and the cracked password.
I identified a few systems where the IIS_Admin account had administrative privileges and, using the Mimikatz module in CrackMapExec, extracted credentials from those boxes.
King’s Landing Falls!!!
Among the credentials extracted was one that belonged to a Domain Admin! The last thing I needed to do was to confirm the validity of the new Domain Admin credentials against a Domain Controller and also dump the NTDS database for offline password cracking and analysis.
Data Hunting and Exfiltration
One of the primary objectives of an adversary is to access and/or extract sensitive or critical data, which we loosely call the "crown jewels" of the target. This could be:
- User credentials
- Secret formulae
- Customer data
- Personally Identifiable Information (PII)
- Medical Records
- Financial data
- Intellectual Property
The exfiltration phase is where data is moved from the target's network environment to attacker-controlled systems (e.g. a C2 server). This is usually part of the data hunting activities. Gone are the days when penetration testing used to be all about gaining Domain Administrator (DA) level access and calling it a day.
Now, external penetration testing needs to demonstrate the business risk and impact your client could have suffered if your tests and attacks had been carried out by a real-world adversary. With that said, this is one of the critical phases in our tests.
As a penetration tester, it is crucial to confirm with your client whether data exfiltration is permitted by the Rules of Engagement (RoE) before you move any data out of their environment.
If allowed, I carefully analyze what kind of data to exfiltrate to demonstrate business risk and impact to the client. Depending on the environment and the systems compromised, different exfiltration techniques can be used for different situations.
Last Words – External Penetration Testing
As you may have noticed throughout this write-up, I didn't run a single vulnerability scan in this test. Why am I bringing this up? Well, there have been several instances where I've seen penetration testing reports or work that claimed to be an external penetration test but were actually vulnerability assessments.
The debate about the differences between a penetration test and a vulnerability assessment has been going on for quite some time, so I'll leave it alone.
Until then, thanks for reading.
Credits: Neil & Ethical Hackers Academy