Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Yes, I imagine you are probably tired to see blog posts about "real-world" PenTesting, people talking about how to execute the perfect PenTest or what's the best tactical solution, well I am sick of that too. What I can say is that I have already seen dozens of this type of texts published around the world and I wanted to try something different, but different how?
Well, I am going to enumerate the top 4 techniques I use when I get in an environment without the common vulnerabilities that are usually discussed in other articles.
By no means this should be used as a guide or something along those lines, these are just some hints from a pentester (and hundreds of tests executed) that could be helpful to prevent attacks and also to execute a test successfully. These tips should work in more than 80% of the tests, and that is why I chose to list them.
I am not giving details about the vulnerabilities, because I don't think it is necessary! When you read these tips, you can assume they are in some specific order, however it is not necessary to be used in the order I describe maybe in your approach you may skip some of the steps or you can just utilize these techniques at any given time of the test.
No cutting-edge techniques will be posted here, as I mentioned, these are just a few tips/hints from my experience on offensive tasks.
1 - NetBIOS Null Session
Normally, when I got nothing on the network, just a few non-exploitable services, no sensitive traffic, etc. I utilize the NetBIOS Null Session vulnerability mainly found on the DNS servers to enumerate users from the domain, there is a little script that does is awesome for accomplishing this called enum4linux.pl (http://labs.portcullis.co.uk/application/enum4linux/) amongst others available that can also be used for that matter.
2 - Easy Passwords
Ever since I joined SpiderLabs, I have been noticing that that users can be very lazy and that mostof passwords used out there are easy! After enumerating the usernames, you might want to try username as password and also Password123 and/orCompanyName123, you will probably retrieve some credentials. I usually use Medusa (http://www.foofus.net/~jmk/medusa/medusa.html) for brute-forcing, it's very simple and fast:
# medusa -hhost.you.retrieved.users -U userlist.txt -p Password123 -e s -O result -M smbnt
3 - Enumerate shared folders
If you happen to have any domain credentials that are not administrative accounts, the best thing todo is to enumerate the shared folders that you have access, there are several scripts that can make your life easier on this job, including a Metasploit (http://www.metasploit.com/)module:
msf > useauxiliary/scanner/smb/smb_enumshares
msfauxiliary(smb_enumshares) > set RHOSTS [TARGET HOST RANGE]
msfauxiliary(smb_enumshares) > run
It is not that uncommonto see shared folders that contain an entire drive (not administrative$ ones),and others not restricted containing sensitive information. It is very usefuleven when you don't have any credentials, anonymous shared folders sometimescan save our day!
While I was writingthis blog post, I was also executing an internal test where I found nothing,and I tried enumerating the shared folders with no credentials, you would besurprised how many shared folders I just had access, including entire drives,etc.
[*]172.16.1.172:139 My Book (H) - (DISK),E$ - Default share (DISK), IPC$ - Remote IPC (IPC), F Archive - (DISK), TV Archive1 - (DISK), TELESERVER1 - (DISK), G$ - Default share (DISK), TV Archive- (DISK), F$ - Default share (DISK),ADMIN$ - Remote Admin (DISK), H$ - Default share (DISK), ArchiverE - (DISK), C$ - Default share (DISK), Archiver- (DISK)
root@pentest:~#smbclient //172.16.1.172/Archiver
Enter root'spassword:
Domain=[XXXXXX]OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> dir
$AVG DH 0 Thu Nov 4 09:00:45 2010
3com D 0 Tue Jul 17 12:08:47 2007
AUTOEXEC.BAT A 0 Wed Aug 11 18:15:00 2004
boot.ini AHSR 211 Tue Apr 3 12:54:48 2007
cda535ae48d15f7dca29bab5947e D 0 Sat Dec 16 05:29:13 2006
CONFIG.SYS A 0 Wed Aug 11 18:15:00 2004
dell D 0 ThuDec 14 09:23:23 2006
dell.sdr AHR 6177 Sat Nov 25 14:20:52 2006
Documents and Settings D 0 Thu Nov 4 08:58:19 2010
drivers D 0 Mon Aug 14 07:29:44 2006
FileSearch D 0 Fri Jan 18 09:41:16 2008
folder2 D 0 Fri Aug 24 14:38:50 2007
folder3 D 0 Mon Aug 27 11:34:19 2007
hiberfil.sys AHS 1005035520 Wed Aug 29 18:28:05 2012
i386 D 0 Tue Aug 21 15:02:41 2012
Inetpub D 0 Thu Jan 15 14:24:16 2009
INFCACHE.1 A 4128 Wed Jan 3 07:37:55 2007
IO.SYS AH 0 Wed Aug 11 18:15:00 2004
IPH.PH AH 832 Sat Nov 25 14:41:14 2006
iSeries Access Install Image D 0 Fri Apr 18 11:39:55 2008
MSDOS.SYS AH 0 Wed Aug 11 18:15:00 2004
My Documents D 0 Tue Oct 2 08:41:35 2007
NTDETECT.COM AHSR 47564 Wed Aug 4 06:00:00 2004
ntldr AHSR 250048 Fri Mar 11 08:45:00 2011
pagefile.sys AHS 1509949440 Wed Aug 29 18:28:05 2012
Program Files DR 0 Wed Sep 21 12:38:18 2011
RECYCLER DHS 0 Thu Mar 27 15:02:16 2008
Screen Savers D 0 Thu Jan 27 11:39:22 2011
Most of the times that you are able to list shared folders anonymously, you will be able to open the folders.
In this case, the environment had a XAMP running and the web root folder was on the drive H: that was shared as "My Book (H)". So, I was able to copy a web shell and compromise the system.
4 - Looking for important/helpful information on plain-text files
Based on my experience I know that all kinds of important information are saved by the users, not just passwords, but for example an Oracle SID can be very helpful since Oracle has multiple default credentials!This job is essentially manual, so you basically have to look for the information. I normally pick files named "New Text File.txt" or any" New*.*", Passwords*.*, and of course, the configuration files, web.config (connection string line ==sometimes password in plain-text), tnsnames.ora file, etc
Example:
<connectionStrings>
<add name="CPT_ConnectionString"
connectionString="Data Source=192.168.1.40\ccsql1;UserID=user;Password=pwd"
providerName="System.Data.SqlClient" />
</connectionStrings>
In the end, as I repeatedly said, nothing really new has been described above, however I bet that you, PenTester, might have forgot to take a deeper look at these simple techniques! I hope you enjoyed!
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.