Monday, 14 September 2015

[Penetration Testing] Pwn without Payloads

The normal procedure of any black box penetration test, or of hacking in general, depends heavily on exploitation. Most clients would get freaked out if you ran payloads on their machines. And even when payloads are available, we would never be able to tell whether they would function correctly or whether they would harm a system in a way that impacts the production system you run them on.

Problems faced during black box penetration testing

Too strict configuration of security policies - This is certainly a good way to keep off script kiddies, but if misconfigured it can also lead to a denial of service for the entire internal network.
Leaving the above problem alone, I remember one of my colleagues getting called on his mobile by the SOC team of a client and asked to explain why he was attacking the network (Yes! Not only did they trace the attacks back to him, they were also able to retrieve his mobile information - pro hax0r pwn'd).
So being too noisy in an internal penetration test can not only land you in denial-of-service territory, it can also sometimes compromise your identity and disrupt your entire engagement.

Another HUGE problem for a black-box pentester is a "No exploits must be run" statement from the client. This statement would be great for a compliance audit or compliance review, but in a black-box pentest it feels stupid. However, clients "pay".

Pwning without Payloads

Since those incidents and requirements, I have realized the importance of being more silent and less violent and malicious in the network, especially during a black box penetration test.

A typical penetration testing life cycle would include -
Information Gathering - Service Enumeration - Penetration - Maintaining Access - Housekeeping

Our approach in a black box penetration test -
Intelligence Gathering - Information Gathering + Service Enumeration = 80% of our work (40% for entry point)
Penetration = 5% of our work
Lateral Movement = 55% of our work (40% intelligence gathering post exploitation + 15% penetration into the crown of the network)

Typically, Maintaining Access would never be required in our internal penetration tests, and hence the Housekeeping required would be extremely limited.

Intelligence Gathering (Information Gathering and Service Enumeration) - (40%)

My colleague and friend Vijay Kumar (bitvijays) has written a good blog post on the Intelligence Gathering phase of a black box penetration test. It basically involves active fingerprinting, passive fingerprinting, internal infrastructure mapping, and sometimes employee reconnaissance.

Penetration - (5%)

The penetration phase would include very little actual exploitation. Most of our compromises would be achieved using the following two techniques.

LLMNR and NBT poisoning
Extracting Windows credentials (locally)
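The first technique only works where hosts still answer LLMNR and NetBIOS name queries. As an added check, not code from the original post, the PowerShell below reports whether both protocols are disabled on the host it runs on; it reads the standard Windows registry locations for these settings (EnableMulticast under the DNSClient policy key, NetbiosOptions per NetBT interface), and the function names and output format are my own.

```powershell
# Added example: audit whether LLMNR and NetBIOS name resolution are disabled.
# Run in an elevated PowerShell session on the host to be checked.

function Get-LlmnrStatus {
    # Group Policy "Turn off multicast name resolution" writes EnableMulticast = 0 here.
    # If the value is absent, Windows falls back to its default, which is LLMNR enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $value) { return 'ENABLED (no policy set, Windows default)' }
    if ($value -eq 0)     { return 'disabled' }
    return 'ENABLED'
}

function Get-NetbiosStatus {
    # NetbiosOptions per interface: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $base | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $state = if ($opt -eq 2) { 'disabled' }
                 elseif ($opt -eq 1) { 'ENABLED' }
                 else { 'ENABLED (DHCP default)' }
        [pscustomobject]@{
            Interface = $_.PSChildName
            Netbios   = $state
        }
    }
}

"LLMNR: $(Get-LlmnrStatus)"
Get-NetbiosStatus | Format-Table -AutoSize
```

Any line reading ENABLED means the host will still respond to broadcast name queries, so the poisoning technique above remains possible on that segment.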

Lateral Movement (55%)

A combination of further Intelligence gathering and penetration using the following two techniques.

Powershell Enumeration (40% worth of intelligence gathering)
Gaining access to the Crown (15% worth of penetration)

Most black box penetration tests would succeed with just these techniques, since the architecture of all enterprises trusts anyone or anything in the physical location, without proper segregation.

I will be uploading demonstrations of all these processes slowly, one by one. I am also working on a script that could automate most of the process. But these will take some time.
So, those interested in these topics can feel free to get in touch with me for a faster reply on how to launch these attacks.