Education

Infrastructure Penetration Testing Realities

Penetration testing is just like being a cybercriminal, right?

Honestly, it feels weird writing this, however I feel there’s a real issue with penetration testing and some myths that (for understandable and obvious reasons) exist in some people’s minds. So I’ve taken to trying to explain to people what an external penetration test actually entails in the real world of business. So here goes!

Read more “Infrastructure Penetration Testing Realities”
Leadership

UK NCSC Active Cyber Defence (ACD)

Defending a single server is often far more complex than people appreciate; defending a single organisation is significantly harder than a single server; and defending a country is a much more complex challenge than I think people actually realise.

What is ACD?

According to the NCSC:

The aim of ACD is to “Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.” We do this through a wide range of mechanisms, which at their core have the ability to provide protection at scale.

ACD is intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks, which NCSC deal with in other ways.

UK NCSC
NCSC Active Cyber Defence

What is included?

The UK NCSC offer and run a range of Active Cyber Defence capabilities which include the following:

Read more “UK NCSC Active Cyber Defence (ACD)”
Defence

Offensive KEV Alpha 0.1

Working out which exploits to care about is a tough job: kill chains, availability of exploits, complexity, data flows, controls etc. all play a part in understanding a vulnerability and how it affects your organisational risk. To support this effort I’ve started to compile a list of public exploits against the CISA Known Exploited Vulnerabilities (KEV) catalogue. This may be useful for defensive and offensive security pros.

Read more “Offensive KEV Alpha 0.1”
Education

Common Windows Services

Exploitation of common Windows services is an important area of knowledge for both offence and defence.

  • Server Message Block (SMB)
  • Remote Desktop Protocol (RDP)
  • Windows Management Instrumentation (WMI)
  • Windows Remote Management (WinRM)
  • File Transfer Protocol (FTP)

Other common technology platforms in the Windows stack include:

  • Active Directory Domain Services (ADDS)
  • Active Directory Certificate Services (ADCS)
  • Internet Information Services (IIS)
  • Microsoft SQL Server (MSSQL)

For now I’m just going to look at a few of the common protocols and vectors.

Read more “Common Windows Services”
Education

Nmap & CrackMapExec (CME)

Nmap is the Swiss Army knife of the cyber world: it can port scan, fingerprint, produce reports and run scripts using the Nmap Scripting Engine (NSE).

Why do we care about Nmap? Surely everyone knows how to use Nmap?

Well, that’s simply not true. It’s always important to teach new people and to revise and hone existing skills, and the world of Nmap scripting is constantly evolving.

Port scanning and fingerprinting, let alone leaking sensitive data and conducting “attacks”, are all possible. You can do a basic vulnerability scan with Nmap alone!

Read more “Nmap & CrackMapExec (CME)”
Guides

I AM BRUTE

How long should you test brute force password attempts for?

Well, a recent Microsoft report showed the average RDP brute force attack over the internet lasted about 3 days. Now let’s take a look at what a single attacker machine (IP) can send to a single target server over a well-connected network (1GbE, low latency):

Read more “I AM BRUTE”
CTF

Using CTFs for offensive and defensive training – Purple…

Pwning a legacy server on Hack The Box is good for a training exercise, but what if we want to think about how to use the same resources for both red and blue? Looking at both sides of the coin when thinking about offence really should help people understand how to defend better. At the end of the day, outside of a tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.).

Getting access

I’m not going to talk through every step, but here are the commands you would need to run:

Read more “Using CTFs for offensive and defensive training – Purple Teaming”