
Technical Objectives of Penetration Testing

With most forms of pentesting, the technical goal is to leverage an existing service to upload malicious

One thing to internalize early is the mindset needed to get code execution on a remote machine. Whatever the target, remote code execution (RCE) comes down to one of two primitives: a way to get your own code onto the box (a shell, a script, a binary) or a way to make the box run code you control, and ideally both. Nearly every scan and enumeration step exists to find one of those two primitives.

With that in mind, look at every reachable function and ask how it can be abused toward one of those two goals. Does the website let you upload pictures into a folder you can then browse to? Can you upload a PHP web shell instead of a picture and get the server to execute it? Is there an FTP server with anonymous write access to a directory the web server also serves from?
Keeping this question in mind, whether in a lab or on a client's network, will pop more shells.
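As an added illustration of the upload-and-execute pattern described above (example code written for this page, not from the original post), here is a minimal Python upload handler in the form that hands an attacker a shell, beside a hardened version. The directory layout, the image allowlist, the magic-byte table and the PHP payload are all constructed for the demo.

```python
import secrets
import tempfile
from pathlib import Path

# Constructed example: the allowlist and magic bytes below are assumptions for the demo.
ALLOWED_EXT = {".png", ".jpg", ".gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def unsafe_save_upload(webroot: Path, filename: str, data: bytes) -> Path:
    """The pattern the post describes abusing: the client's file name is trusted
    and the bytes land in a directory the web server will execute PHP from."""
    dest = webroot / "uploads" / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def sniff_image_ext(data: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, data: bytes):
    """Allowlist the extension and require the content to agree with it."""
    ext = Path(filename).suffix.lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    sniffed = sniff_image_ext(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ext:
        return False, "extension does not match content"
    return True, "ok"


def safe_save_upload(store: Path, filename: str, data: bytes) -> Path:
    """Hardened handler: validated content, a server-chosen random name, and a
    storage directory that the web server never serves or executes from."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = Path(filename).suffix.lower()
    ext = ".jpg" if ext == ".jpeg" else ext
    store.mkdir(parents=True, exist_ok=True)
    # Never reuse the client's name: it may carry "../" or a second extension.
    dest = (store / (secrets.token_hex(16) + ext)).resolve()
    if dest.parent != store.resolve():
        raise ValueError("refusing to write outside the store")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Exercise both handlers on constructed inputs inside a temporary directory."""
    shell = b"<?php system($_GET['cmd']); ?>"        # constructed PHP web shell
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed PNG header
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "www"                  # hypothetical PHP-enabled web root
        store = Path(tmp) / "private_uploads"        # hypothetical non-served store
        # Vulnerable handler: the shell lands at <webroot>/uploads/shell.php and
        # is reachable as /uploads/shell.php?cmd=id on a PHP-enabled server.
        placed = unsafe_save_upload(webroot, "shell.php", shell)
        results["unsafe_kept_php_name"] = placed.name == "shell.php" and webroot in placed.parents
        # Hardened handler rejects the shell under a plain or a double extension...
        results["safe_rejects_php"] = not validate_upload("shell.php", shell)[0]
        results["safe_rejects_double_ext"] = not validate_upload("shell.php.png", shell)[0]
        # ...and accepts the image, but under a random name outside the web root,
        # so the traversal in the client-supplied name goes nowhere.
        saved = safe_save_upload(store, "../../evil.png", png)
        results["safe_random_name"] = saved.name != "evil.png" and saved.suffix == ".png"
        results["safe_outside_webroot"] = webroot not in saved.parents
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist alone is not the point of the hardened version: a real web shell hides behind a double extension or a forged Content-Type header, so the server must also check the bytes, choose the file name itself, and store files where the web server cannot execute them. Serving the stored files back through a handler that sets a fixed Content-Type closes the remaining gap.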

LLMNR Poisoning Still Relevant in 2023?

LLMNR (Link-Local Multicast Name Resolution) was introduced with Windows Vista and has been enabled by default in every Windows version since. It is a fallback name-resolution mechanism used when DNS cannot answer a query. Its packets use the DNS wire format, but instead of asking a server the host multicasts the query to the local subnet (224.0.0.252, or ff02::1:3 for IPv6) on UDP port 5355, and any host on the segment may reply.

NetBIOS Name Service (NBT-NS, UDP port 137), the older broadcast-based protocol for resolving host names on a local network, has been enabled by default since Windows 2000; Windows tries it after LLMNR also fails.

Both LLMNR and NetBIOS should be considered legacy protocols and are not recommended for use in modern environments. Employing proper DNS servers is essential to eliminate reliance on these outdated mechanisms.

The Risks Involved:

The problem is that the fallback fires even when DNS is healthy, as long as these protocols remain enabled. Imagine a user whose mapped drive still points at a file server that was decommissioned and no longer has a DNS record. The host queries DNS, gets no answer, and falls back to multicasting an LLMNR query (and then a NetBIOS broadcast) for the name. A typo in a UNC path or hostname has exactly the same effect.

An attacker on the same segment who listens for those queries (Responder is the usual tool) answers them, claiming to be the host the victim asked for. The victim then connects to the attacker, typically over SMB, and authenticates with NTLM. What the attacker captures is not the NT hash itself but the NTLMv2 challenge-response (Net-NTLMv2), which can be cracked offline with a tool such as hashcat to recover the plaintext password. If the target servers do not require SMB signing, the attacker can also relay that authentication to another host in real time instead of cracking it.

In short, LLMNR and NetBIOS poisoning is still relevant in 2023. Disable both protocols (LLMNR through the "Turn off multicast name resolution" Group Policy setting under DNS Client, NBT-NS in each adapter's WINS settings or via DHCP), require SMB signing so that captured authentication cannot be relayed, and keep DNS records current so hosts never need the fallback. On the detection side, a single host answering LLMNR queries for many different names is the signature of a poisoner.
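To make the exchange concrete, here is an added Python example (written for this page, not part of the original post or of any tool it mentions) that builds an LLMNR query, builds the kind of reply a poisoner sends, and turns the protocol's weakness into a detector: a query for a random name that cannot exist should never be answered, so any answer identifies a poisoner. The attacker address 10.0.0.66, the transaction ID and the canary name are constructed for the offline demo.

```python
import secrets
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)   # IPv4 multicast group and UDP port used by LLMNR


def encode_name(name: str) -> bytes:
    """DNS-style label encoding; LLMNR reuses the DNS wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """One question (type A, class IN) behind a DNS-format header with no flags set."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_poisoned_reply(query: bytes, attacker_ip: str) -> bytes:
    """What a poisoner sends back: the victim's question echoed, the QR bit set,
    and a single A record pointing at the attacker's own address."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(attacker_ip)
    return header + query[12:] + answer


def decode_name(buf: bytes, off: int):
    """Decode a (possibly compressed) DNS name starting at off; return (name, next_off)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(buf: bytes):
    """Return (txid, [(name, ipv4), ...]) for a response, or None if QR is not set."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    if not flags & 0x8000:
        return None
    off = 12
    for _ in range(qd):
        _, off = decode_name(buf, off)
        off += 4                                       # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(buf[off:off + 4])))
        off += rdlen
    return txid, answers


def canary_name() -> str:
    """A random name that cannot exist on the network, so nobody should answer it."""
    return "canary-" + secrets.token_hex(4)


def find_poisoners(txid: int, canary: str, replies):
    """replies: [(source_ip, udp_payload), ...] captured after the canary query was sent.
    Any answer for the canary name is a poisoner; returns [(source_ip, advertised_ip)]."""
    found = []
    for src, raw in replies:
        parsed = parse_response(raw)
        if parsed is None or parsed[0] != txid:
            continue
        for name, ip in parsed[1]:
            if name.lower() == canary.lower():
                found.append((src, ip))
    return found


def probe_network(timeout: float = 2.0):
    """Live version: multicast a canary query and collect whatever answers (not run offline)."""
    txid, canary = secrets.randbelow(0x10000), canary_name()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(canary, txid), LLMNR_GROUP)
    replies = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            replies.append((src, data))
    except socket.timeout:
        pass
    return find_poisoners(txid, canary, replies)


if __name__ == "__main__":
    # Offline demonstration with a constructed reply from a hypothetical attacker at 10.0.0.66.
    q = build_query("canary-deadbeef", 0x1234)
    r = build_poisoned_reply(q, "10.0.0.66")
    print(find_poisoners(0x1234, "canary-deadbeef", [("10.0.0.66", r)]))
```

probe_network() does the same thing on a live segment; run it from a host on the same subnet as the suspected poisoner, since LLMNR does not cross routers. A legitimate host never answers for a name it does not own, so an answer to the canary is a reliable indicator, but the probe only catches poisoners that answer every query rather than a targeted list of names.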

Penetration Testing Workflow

Having a structured process or checklist and sticking to it is paramount when conducting a penetration test. The methodology stays the same from one engagement or target machine to the next: identify IPs and hostnames, port-scan them to find exposed services, then use service-specific tools to dig into each one.

For instance, when you find a web server, a directory brute-force with wfuzz reveals the paths that exist, after which further scripts can fingerprint the underlying technologies. When you find a Windows box exposing SMB, Enum4Linux can check for null sessions and pull domain users, groups and shares. Vulnerability scripts can then match the discovered versions against publicly available exploits.

Understanding the inner workings of each service and the appropriate tools to extract more information and exploit them is critical. The process should be dynamic, evolving as you learn about new enumeration and exploitation techniques. Future sections in this blog will offer commands and processes tailored to specific technologies frequently encountered during such engagements.

Here are some additional tips for an effective workflow:

  1. Keep something running in the background at all times: start a quick nmap scan of the box before you begin poking at a web server, and on a larger scope let Aquatone screenshot the landing page of every web server while you work through the list by hand.
  2. Create a separate folder per target and save every scan's output to a file (nmap's -oA, for instance). You will never have to rescan to recover a result, and the files become the raw material for the report.
  3. Use each tool manually until you understand what it does and how the protocol underneath it behaves (what is in an HTTP request and response, for example) before wrapping it in automation. Automation you do not understand produces results you cannot interpret.
  4. On professional engagements, record the terminal session (the script command on Linux, or your terminal's logging feature) so that every command and its output is preserved. This is a cover-your-ass (CYA) measure: if a client reports an outage during the test window or asks for a full account of the engagement, you can show exactly what ran, against what, and when.

By following these guidelines and maintaining a well-structured approach, you can impress clients with your meticulousness while delivering comprehensive and impactful penetration test results.

Delivering High Impact Penetration Tests

While engaging in pentesting can be an exhilarating experience, it is crucial to grasp the art of delivering maximum value during such assessments. While clients do expect you to exploit vulnerabilities in their systems, they also seek a comprehensive understanding of the risks associated with those vulnerabilities. Simply boasting about successfully sniffing credentials through LLMNR poisoning and cracking a domain admin’s account or leveraging XSS and CSRF for RCE, though impressive, falls short of meeting their expectations. What truly matters is explaining the significance of the identified vulnerabilities and their potential impact on the client’s business.

Rather than merely stating “I gained domain administrator privileges,” it is more impactful to elucidate how this could enable an attacker to access sensitive HR records or client social security numbers when infiltrating a web application or file server. By providing such context, the severity and implications of the security flaw become crystal clear.

Furthermore, each pentest may have specific goals tailored to the client's needs, so understanding why the client commissioned it is essential. They might already run internal pentests and need a third-party assessment to satisfy a compliance requirement. They might be measuring the effectiveness of their security team's detection and response. Knowing this background lets you adjust your methodology accordingly, for example by being noisier or quieter than you otherwise would.

In essence, successful pentesting involves not only showcasing technical expertise but also presenting findings in a manner that highlights their real-world impact on the client’s business. Tailoring the assessment to align with the client’s goals ensures a meaningful and valuable engagement.