This write-up walks through one of my many journeys in external penetration testing and how I compromised the organization described here.
After executing security assessments (e.g. Penetration Testing, Red Teaming, etc.), I make it a habit to debrief my client's senior management on the work done and my report.
This creates an opportunity to discuss things such as the attack Tactics, Techniques and Procedures (TTPs) used, attack vectors used, findings, recommendations, remediation efforts, etc.
More often than not, I get surprised looks from the leadership teams about some of the ways I got my initial foothold on the network or some of the tactics I used.
Most of them expect some Tom Cruise Mission Impossible-style hacking, bypassing firewalls, etc., only to find out how simple it was for me to compromise their networks.
So, I usually take the time with my clients to shed some light on how modern-day attacks are usually carried out and how a loophole as small as one weak user credential can topple the entire network defense.
The truth is, cyber-attacks are more about efficiency than elegance. Adversaries don't look for the hardest ways to break in; they mostly look for the easiest ways to get in.
We popularly term this approach the path of least resistance, and one of these paths is login credentials. All it takes is one set of user credentials and your entire network could fall to an adversary.
The Mission
Back in 2018, a large healthcare organization contracted us to conduct external penetration testing against its external network infrastructure. For the scope of the engagement, the organization provided us with their domain name and IP address ranges. Of course, the goal was to identify attack vectors to compromise the organization from the internet.
External Penetration Testing Checklist
Reconnaissance
Among other penetration testing techniques, I need not mention or reiterate the importance of reconnaissance in every cyber-attack and network penetration test alike. This phase of the cyber kill chain is where you gather intelligence about your target, both passively and actively.
I usually use this opportunity to do a lot of passive intelligence gathering using Open Source Intelligence (OSINT) tools and platforms for the external penetration testing plan. I barely use scanning tools against a target's network at this phase, since I can get almost all the required information to craft my attack strategy without them.
So, what am I usually looking for in this phase?
Well, among the plethora of information that can be discovered from OSINT, below are the key items I typically pay attention to:
- Subdomains
- Login portals (Citrix, OWA, VPN, SharePoint, etc.)
- Types of technologies (IIS, etc.)
- Email addresses
- Usernames (lots of 'em)
External Penetration Testing Tools
Using tools, sites and platforms such as Google (google.com), Shodan (shodan.io), Censys (censys.io), connect.data.com, Fierce, Recon-ng, SimplyEmail, TheHarvester, SpiderFoot (spiderfoot.net), Email Hunter (hunter.io), VirusTotal (virustotal.com), FOCA, Maltego and Pastebin (pastebin.com),
I was able to harvest a lot of information about my client, such as subdomains, email addresses, usernames, hosts, network services, open ports, leaked credentials from prior breaches, login portals, etc.
For the sake of this write-up and to keep the confidentiality of my client's name intact, I'm using a sample domain and Email Hunter to demonstrate one of the many ways I obtained the username format and email addresses (and later extracted the usernames) of my target client.
In the image below, you can see I obtained more than 9,000 email addresses and the username format for the target domain.
Target Development
After I had spent a considerable amount of time in the reconnaissance phase and had gathered a lot of information, I used this phase to go through the plethora of data gathered and strategically map out my attack surface and the attack approach I'd be using.
While going through this data, I was interested in the application and network services that usually authenticate to the organization's LDAP or AD environment.
These could be SMB, OWA, Autodiscover, VPN, Citrix, Jenkins, SharePoint, custom applications, etc. Once I had discovered such services and decided which ones to attack, I then organized all the email addresses and usernames I had discovered in the reconnaissance phase.
I made sure I had removed duplicate email addresses and usernames, and also cross-checked that the external usernames and internal domain usernames used the same format; if there were variations, I accounted for those too.
At the end of this phase, I had discovered the client's external OWA and Citrix applications, among others, and had also gathered close to 1,000 unique usernames. From here, I was ready to roll into the next phase of my kill chain.
Intrusion
This is where the actual action happens. For most attacks, this phase is where the adversary attempts to gain an initial foothold. Several things are iterative in this phase, as the TTPs used here differ based on the information gathered in the Reconnaissance and Target Development phases.
During an external penetration test, efficiency is key and, most of the time, keeping things simple is your best route. In the early days of penetration tests, finding vulnerabilities and exploiting them was usually the way to go.
However, as adversaries evolved in their TTPs, we had to evolve as well. With that said, one of the basic, yet effective, attack techniques is an authentication-based attack, also known as password brute-forcing.
In the typical password brute-force attack, you have one username and you try multiple possible passwords against that username, hoping that the user is using one of the passwords in your list.
Well, administrators became wiser and started implementing account lockout policies, so that after login attempts reach a certain threshold (say 5 attempts), the account locks out. To counter this control, a new breed of authentication-based attack emerged called Password Spray (some call it horizontal or reverse brute-forcing, etc.).
With this attack, an adversary gathers multiple usernames or email addresses (depending on the type of application or network service being attacked) and then tries one password against all of the usernames or email addresses to identify which of the users may be using that password.
This technique has had, and continues to have, a high success rate in real-world attacks and on most of my penetration testing engagements. There are several tools to carry out this attack; however, for application-based password spray attacks, my favorite go-to tool is Burp Suite.
Burp Suite gives me enough room for customizing my password spraying, such as threading, throttling, grepping for strings, etc. When choosing passwords for this attack, I usually try Season + Year (e.g. Summer2018, Winter19, etc.), CompanyName + Numbers (e.g. Company123, Company2003, etc.), ideas from prior company breaches, locations, sports teams, etc. Honestly, there are no right or wrong ways of choosing passwords for the password spray attack.
After setting up and configuring everything within Burp Suite against the client's Citrix web application, I kick-started the attack, slowly and steadily. My first round of spraying gave me two valid user credentials with the password Winter2017.
In the image below, request numbers 208 and 853 are the valid credentials, with three levels of redirects.
Off to a good start!
Using the two user accounts discovered, I was then able to authenticate to the client's Citrix applications as those users. However, to my dismay, neither of the users had any applications in their Citrix application catalog. What a bummer.
Since I already had two valid credentials, I used the MailSniper tool from Black Hills and dumped the client's OWA Global Address List (GAL). This gave me more usernames for my next round of password spraying.
This time, I tried the spray attack against the client's OWA, using the password Companyname123 (I used the actual client's name and appended the numbers 123 to it). This yielded two more valid credentials. In the image below, request numbers 395 and 431 are the valid credentials.
This time, one of the users had an internal SAP application in their Citrix application catalog, and this SAP application opens with Internet Explorer.
Lateral Movement in External Penetration Testing
At the lateral movement phase, the adversary or the penetration tester has gained some level of access on the target, either at the application level or the network level, with either limited or full access.
The goal from this point forward is finding ways to move within the target's network while evading internal network security controls.
We (adversaries/pentesters) use the access gained to gather more information in order to move within the target's internal network.
Basically, we're back to reconnaissance, and this can be host-based intelligence gathering and/or network-based intelligence gathering. Again, the techniques used in this phase can differ based on many factors.
Citrix Breakout
At this point, I had obtained application-level access and my next goal was to gain network-level access. Since I had experience in breaking out of Citrix environments, I saw this as my opportunity to break into the network level.
If you're interested in learning more about Citrix breakouts, the guys at NetSPI have a great blog post on that (see the Research On the Net section for the link). To execute the Citrix breakout attack, I opened the victim's SAP application with Internet Explorer and attempted to save the webpage's source.
Then, using the "Save As" option from the File menu, I navigated to the C:\Windows\System32 directory and launched the Windows command-line utility (cmd.exe).
This popped open CMD and gave me access to the backend Citrix server.
With access to the backend Citrix server, I whipped up a PowerShell Empire listener, generated a PowerShell launcher, executed it on the Citrix server and got a callback to my Empire listener from the Citrix server.
Kerberoasting
'Nough has been said and written about Kerberoasting, so I won't dwell on explaining it here, but rather go straight to what happened next. Most of the time, a Citrix server is considered a high-value system and, as such, only a limited number of users have administrative privilege on the server.
With that said, the user account with which I had gained access to the Citrix server was an unprivileged user. However, any domain user account can be used to request Service Principal Names (SPNs), a Windows feature used by Kerberos authentication to associate a service instance with a service logon account; for example, an SPN for a service account that runs IIS.
Querying AD for service accounts can be done locally with Windows' built-in utility setspn.exe or remotely with tools such as Empire, Impacket, Metasploit, etc.
Using my Empire session, I dumped the SPNs and went about cracking the password hashes with Hashcat. Below is an example command used for cracking the passwords (mode 13100 is Kerberos 5 TGS-REP etype 23, the RC4 ticket hashes; spn.output holds the dumped hashes and password.list is the wordlist):
hashcat -m 13100 -a 0 spn.output password.list -r best64.rule -o kerb.cracked
While reviewing the SPN query output, I noticed some of the accounts belonged to the Administrators group, and Hashcat happened to have cracked the password hash for one such account (IIS_Admin).
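Both the password spray described in the Intrusion section and the Kerberoasting above work by staying under per-account thresholds (lockout counts failures per account; each roasted service account sees a single ticket request), so the defender's signal in both cases is one actor touching many distinct targets in a short window. The following Python detector is an added example, not code from the original post or from any tool it mentions; the login log, the Event ID 4769 records, the account names and the IP addresses are all constructed.

```python
"""Added example: fan-out detector for password spraying (one source, many
accounts) and Kerberoasting (one account, many RC4 tickets). Both stay under
per-account thresholds; alert on one actor touching many targets quickly."""
from collections import defaultdict
from datetime import datetime, timedelta

def fan_out(events, window, min_targets):
    """events: (timestamp, actor, target) -> {actor: sorted targets} hit."""
    per_actor = defaultdict(list)
    for t, actor, target in events:
        per_actor[actor].append((t, target))
    hits = {}
    for actor, evs in per_actor.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # advance the window's left edge
            targets = {x for _, x in evs[start:end + 1]}
            if len(targets) >= min_targets:
                hits[actor] = sorted(targets)
                break
    return hits

# Constructed web-login log (time, source, user, result). A 5-failure lockout
# never fires on the spray (each account fails once); the brute force would.
LOGIN_LOG = [
    ("2018-11-02T10:00:01", "203.0.113.5", "alice", "FAIL"),
    ("2018-11-02T10:00:02", "203.0.113.5", "bob", "FAIL"),
    ("2018-11-02T10:00:03", "203.0.113.5", "carol", "FAIL"),
    ("2018-11-02T10:00:04", "203.0.113.5", "dave", "OK"),
    ("2018-11-02T10:00:05", "203.0.113.5", "erin", "FAIL"),
    ("2018-11-02T10:00:06", "203.0.113.5", "frank", "FAIL"),
    ("2018-11-02T10:05:00", "198.51.100.7", "alice", "FAIL"),
    ("2018-11-02T10:05:01", "198.51.100.7", "alice", "FAIL"),
]

def detect_spray(log, window=timedelta(minutes=30), min_users=5):
    """Sources whose failed logins touch >= min_users distinct accounts."""
    fails = [(datetime.fromisoformat(t), s, u) for t, s, u, r in log if r != "OK"]
    return fan_out(fails, window, min_users)

# Constructed Event ID 4769 records (time, requester, service, etype);
# 0x17 = RC4 (what Hashcat mode 13100 cracks), 0x12 = AES256.
TGS_LOG = [
    ("2018-11-02T14:00:00", "jdoe", "svc_sql", "0x17"),
    ("2018-11-02T14:00:01", "jdoe", "IIS_Admin", "0x17"),
    ("2018-11-02T14:00:01", "jdoe", "svc_backup", "0x17"),
    ("2018-11-02T14:00:02", "jdoe", "svc_sccm", "0x17"),
    ("2018-11-02T14:00:03", "jdoe", "krbtgt", "0x12"),     # TGT, not roastable
    ("2018-11-02T14:00:03", "jdoe", "CITRIX01$", "0x17"),  # machine account
]

def detect_kerberoast(log, window=timedelta(minutes=5), min_services=4):
    """Accounts requesting RC4 tickets for >= min_services user-type SPNs."""
    reqs = [(datetime.fromisoformat(t), who, svc) for t, who, svc, et in log
            if et == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt"]
    return fan_out(reqs, window, min_services)
```

Thresholds and windows are starting points to tune against a baseline of normal traffic; a source proxying many legitimate users, or an account that legitimately talks to many services, will need an allow-list.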
Credential Abuse/Re-use
From my initial information gathering in this external penetration test, I had obtained certain critical intel about the internal network, such as the list of Domain Admins, Enterprise Admins, Domain Controllers, etc.
So, to effectively use the newly obtained credentials to compromise the domain, I needed to identify which systems the Domain Admins and/or Enterprise Admins had active sessions on or had previously logged in to.
Tools such as netview.py and Invoke-EventHunter can be used to accomplish that goal. Once I had identified several systems where Domain and Enterprise Admins had sessions, I kicked off CrackMapExec against those systems, using the IIS_Admin account and the cracked password.
I identified several systems where the IIS_Admin account had administrative privileges and, using the Mimikatz module in CrackMapExec, extracted credentials from those boxes.
King's Landing Falls!!!
Among the credentials extracted was one that belonged to a Domain Admin! The last thing I needed to do was to confirm the validity of the new Domain Admin credentials against a Domain Controller and also dump the NTDS database for offline password cracking and analysis.
Data Hunting and Exfiltration
One of the major goals of an adversary is to access and/or extract sensitive/critical data, which we loosely call the "crown jewels" of the target. These could be:
- User credentials
- Secret formulae
- Blueprints
- Customer data
- Personally Identifiable Information (PII)
- Medical Records
- Financial data
- Intellectual Property
The exfiltration phase is where data is moved from the target's network environment to attacker-controlled systems (e.g. a C2 server). This is usually part of the data hunting activities.
Gone are the days when penetration testing was all about gaining Domain Administrator (DA) level access and calling it a day.
Now, external penetration testing needs to demonstrate the business risk and impact your client could have suffered if your tests and attacks had been executed by a real-world adversary. With that said, this is one of the critical phases in our tests.
As a penetration tester, it might be necessary to confirm with your client whether data exfiltration is permitted by the Rules of Engagement (RoE) before you move data out of their environment.
If allowed, I carefully analyze what type of data to exfiltrate to demonstrate business risk and impact to the client. Depending on the environment and the systems compromised, different exfiltration techniques can be used for different situations.
Last Words – External Penetration Testing
As you may have noticed throughout this write-up, I didn't run a single vulnerability scan in this test. Why am I bringing this up? Well, there have been several instances where I've seen penetration testing reports or work that claimed to be external penetration testing but in fact were vulnerability assessments.
The debate about the differences between a penetration test and a vulnerability assessment has been going on for quite some time, so I'll leave it alone.
However, I always tell people that, in our line of work, we learn every day from one another and from engagements, and there are several ways to skin a cat. I just wanted to share one of the many ways I execute external penetration testing. I'm not an expert, so please don't hold me to a standard if my write-up disappoints you!
Until then, thanks for reading.
Research On the Net
Citrix Breakout: https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/
SPN: https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx
Credits
Neal Bridges for coining the phrase "Target Development."
Jimmy Tharel for reviewing this for me.