Infrastructure Penetration Testing Realities

Penetration testing is just like being a cybercriminal, right?

Honestly, it feels weird writing this, however I feel there’s a real issue with penetration testing and some myths that (for understandable and obvious reasons) exist in some people’s minds. So I’ve taken to trying to explain to people what an external penetration test actually entails in the real world of business. So here goes!

Education

Nmap & CrackMapExec (CME)

The swiss army knife of the cyber world, it can port scan, fingerprint, produce reports and run scripts using the nmap scripting engine (NSE).

Why do we care about NMAP, surely everyone knows how to NMAP?

Well, that’s simply not true, it’s always important to tech new people, to revise and hone existing skills and the world of nmap scripting is constantly evolving.

Port scanning and fingerprinting let alone leaking sensitive data and conducting “attacks” is all possible. You can do a basic vulnerability scan with nmap alone!

Guides

I AM BRUTE

How long should you test brute force password attempts for?

Well, a recent Microsoft report showed the average RDP brute force attack over the internet lasted about 3 days. Now let’s take a look at what a single attacker machine (IP) can send to a single target server over a well-connected network (1GBE low latency):

Hacking

Linux Privilege Escalation

When you gain access to a target node you will want to explore, the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective.

It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.

You also may need to move from a www-data user to a named user account or get to root level of access. If so there’s a range of questions we should be asking ourselves:

Education

Installing Nessus Pro on Kali Linux

You can deploy Nessus in a range of ways, from direct install through to using a cloud-based deployment or virtual appliance.

A common reason for deploying on Kali or other distro rather than using the virtual appliance is for mobility, ease of use but also you might want to VPN or proxy traffic.

The install process is simple, log into your account on tenable community portal and download the relevant installation package.

Hacking

How to Crack NTHASH (commonly referred to as NTLM)…

Ok imagine this, you have got access to a file server and behold you find an unsecured, unencrypted backup of a domain controller (this isn’t made up I find these in networks sometimes!) and you yoink the NTDS.dit (or maybe it’s just a workstation SAM/SYSTEM file), you extract the hashes but now what, you need to crack those bad boys!

Check out the MS docs on how NT or LM Hashes are computed(hashed)! – (thanks @ANeilan for spotting my mistake!)

[MS-SAMR]: Encrypting an NT or LM Hash | Microsoft Docs

Guides

If I was looking for entry level jobs in…

Sales darling, it’s all about sales. It’s a harsh but true part of the world where you need to be able to sell. I’m not talking about business to business or hunters, farmers etc. I’m talking about being able to sell to someone that you are the right person to help them and their organisation.

Now this isn’t easy in the middle or tail end of a career let alone when you are starting off. But let’s for a minute role play and look at what I would do if I was new to the cyber world and was looking for a role?

This isn’t meant as a guide, it’s off the back of a convo I’ve just had with someone struggling in the job-hunting space. So, it’s a rough brain dump from me. The key thing I would say is: Read more “If I was looking for entry level jobs in cyber security – what would I do?” →

Defense

Penetration Testing

Overview

Penetration testing is the activity of conducting security testing with the aim of identifying and exploiting vulnerabilities to identify strengths and weaknesses. I include strengths because I believe it’s important for security testing to promote both positive and negative findings. I also think that there is a huge mis conception with what penetration is, what it helps with and how to best get value from a penetration test.

My definition isn’t too far from the NCSC one: https://www.ncsc.gov.uk/information/check-penetration-testing

A penetration test is a security assurance activity, but it’s one of many activities that I recommend people conduct. This is however largely only adopted by the few, for many a penetration test is a compliance tick box, either from a regulatory or contractual requirement.

When looking at a system a penetration test is not usually the most efficient starting point, especially if it’s from a black box perspective. Read more “Penetration Testing” →

Guides

From Zero to DA using ‘PetitPotam’

Introduction

Whilst I was on ‘holiday’ (seriously even when on holiday I almost always must do some work!) a few Windows vulnerabilities were published. Great work by Gilles Lionel, Benjamin Delpy and many many others!

Lab Setup

A Domain Controller
A Separate ADCS Install with Web Enrolment or two DCs one with ADCS installed.
A windows Client Device (non-domain joined)
An attacker device (I used Kali)

You do not need any domain credentials to conduct this exploit chain, so from a network adjacent unauthenticated position you can get DA with the right circumstances (default configuration). Read more “From Zero to DA using ‘PetitPotam’” →

CTF

Server Message Block (SMB) Enumeration, Attack and Defence

Introduction

If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/06451bf2-578a-4b9d-94c0-8ce531bf14c4

Checklist

Here is a check list of common things to check:

Can you enumerate the server version?
Can you enumerate shares?
What versions of the protocol are enabled?
Can you connect using anon bind?
Are there any known vulnerabilities?
Can you enumerate usernames?
Is SMB signing enabled?
Are there other hosts in the subnet that can be used?