External audit DSecBypass Lyon

Pentest stories

This series of articles follows Jean, an imaginary pentester, through his intrusion testing missions. The clients and exploit stories are just as imaginary, but they correspond to reality and are based on the experience of DSecBypass experts.

It aims to make the different pentest offers easier to understand.


External pentest

Jean has been carrying out external security audits for several years. He has refined his methods and tools to quickly identify the servers or services exposed on the Internet that stand out. This is not obvious when the client exposes hundreds of IP addresses, and even more services. Despite these tools, finding the “right” services in the middle of the Internet still requires experience and something of a trained eye.

Today, he is on a mission for a French industrial group. The client is in the process of acquiring a new entity and wishes to validate the level of security of what he is going to acquire. The scope is therefore well identified:

  • client.com
  • client-outils.com
  • client-outils.en
  • several public IP addresses corresponding to the entity’s offices, factories and some servers hosted in the cloud

The scenario is a black box external pentest: the auditor only knows the scope information, any customer constraints, and has no account or documentation. As in the majority of this type of mission, the client authorized Jean’s IP addresses in advance in his security solutions (IPS, WAF) so that he would not find himself blocked during his tests. The effectiveness of these solutions can be tested in a second step, this time the emphasis is placed on the security of the exposed services.

Before starting the audit, Jean makes sure that the legal mandate has been correctly completed and signed by all the stakeholders. He sends an email to the contact at the customer and the new entity to inform of the start of the tests.

Jean starts his passive reconnaissance phase: Which domain names are linked to those in the perimeter (www.client.com, support.client.com, extranet.client.com, etc.)? Do search engines already reveal interesting information? Can employee email addresses be found in publicly leaked databases? Which open services are already known? For this, he uses tools he developed himself to correlate several public data sources on the Internet and thus consolidate a collection of passively gathered information: he still has not accessed any service of the client’s Information System, and yet he already has a fairly precise view of its external perimeter.

He then has a precise map of open services, their versions and the technologies used. His tools also revealed to him the services that are not up to date and are subject to vulnerabilities, the famous CVEs.

He manually tests the CVEs that seem to him to be exploitable but today the exploit conditions are not met. Vulnerable services will still be recorded in the audit report so that vulnerable software version upgrades can be planned.

He also makes an inventory of the “sensitive” services discovered: these are the services which make it possible to administer the servers (SSH, RDP, Telnet, FTP), the databases (MySQL, MSSQL, MongoDB, Elasticsearch) and generally all services that are out of the ordinary. He logs services that should not be exposed on the Internet (attack surface reduction), and uses common attack techniques on these services: password bruteforce, default accounts, anonymous authentication and other techniques specific to the services audited. He also uses the employee emails and passwords discovered during the passive phase in order to rule out potential password spraying.
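The inventory step above (which exposed services are administrative, which are databases, which are out of the ordinary) is easy to automate from the scanner output Jean's tools produce. The script below is an added example written for this article, not DSecBypass's own tooling: it parses a constructed sample in nmap's grepable (-oG) format, with invented hosts, ports and versions, and classifies each open port as an attack-surface finding the way an auditor would triage it. It also flags web services on non-standard ports, the kind of forgotten test server that escapes search engine indexing.

```python
"""Attack-surface review of an external scan inventory (added example).

The input below is a constructed sample in nmap -oG (grepable) style.
Every host, port and version string is invented for this example.
"""
from dataclasses import dataclass

SAMPLE_GREPABLE = """\
Host: 203.0.113.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.22.1/
Host: 203.0.113.11 ()  Ports: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/
Host: 203.0.113.12 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 9200/open/tcp//http//Elasticsearch REST API 7.10.2/
Host: 203.0.113.13 ()  Ports: 8443/open/tcp//http//Apache httpd 2.4.54/, 27017/open/tcp//mongodb//MongoDB 4.4/
"""

# Services that administer a host or expose a database directly: the
# "should this really be reachable from the Internet?" items of the review.
ADMIN_SERVICES = {"ssh", "ms-wbt-server", "telnet", "ftp"}
DATABASE_SERVICES = {"mysql", "ms-sql-s", "mongodb", "elasticsearch"}
# Elasticsearch is usually fingerprinted as plain "http" on 9200, so map well-known
# database ports to their service name as well.
DATABASE_PORTS = {3306: "mysql", 1433: "ms-sql-s", 27017: "mongodb", 9200: "elasticsearch"}
WEB_SERVICES = {"http", "https", "http-proxy", "ssl/http"}
STANDARD_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    version: str
    severity: str  # "high", "medium" or "info"
    reason: str


def parse_grepable(text):
    """Yield (host, port, service, version) for every open TCP port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            # nmap -oG port entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open" or fields[2] != "tcp":
                continue
            yield host, int(fields[0]), fields[4], fields[6]


def classify(host, port, service, version):
    """Turn one open port into a triaged finding."""
    service = DATABASE_PORTS.get(port, service)
    if service in ADMIN_SERVICES:
        return Finding(host, port, service, version, "high",
                       "host administration service reachable from the Internet")
    if service in DATABASE_SERVICES:
        return Finding(host, port, service, version, "high",
                       "database service reachable from the Internet")
    if service in WEB_SERVICES and port not in STANDARD_WEB_PORTS:
        return Finding(host, port, service, version, "medium",
                       "web service on a non-standard port; confirm it is meant to be public")
    if service in WEB_SERVICES:
        return Finding(host, port, service, version, "info", "public web service")
    return Finding(host, port, service, version, "medium",
                   "unusual service; review whether it needs to be exposed")


def review(text):
    """All findings for a grepable scan result, in input order."""
    return [classify(*record) for record in parse_grepable(text)]


def findings_by_severity(text, severity):
    return [f for f in review(text) if f.severity == severity]


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(review(SAMPLE_GREPABLE), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.host}:{f.port} {f.service} ({f.version}) - {f.reason}")
```

On the constructed sample this reports six high-severity exposures (SSH, RDP, FTP and three databases), one medium (the HTTP service on 8443) and one informational entry (HTTPS on 443). The high and medium lines are exactly the list an auditor would hand back under "attack surface reduction" before any exploitation is attempted.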

Apart from information leaks in the banners of the services, he does not discover any notable flaws.

He therefore decides to attack the exposed websites and HTTP services. Jean spends time on the company’s main and e-commerce websites and finds some vulnerabilities with a significant impact: the possibility of recovering a customer database on a support website, and vulnerabilities in the code of the main website which allow attacking visitors by redirecting them to a competitor’s site. This is useful feedback for the customer and his teams, but above all Jean seeks to break into the company’s network. So far the vulnerabilities discovered do not allow him to take control of a server, let alone compromise the client’s network.

🎯 A few hours later, he arrives at a server that seems to have been brought online to test a ticketing solution but has been forgotten. Being exposed on a non-standard port, the ticketing website certainly escaped indexing by search engines and automated hacker scans. The software is several versions behind and a critical exploit has been released: an administrator user can execute system commands on the server. Jean tests the solution’s default administration account (admin/admin) and manages to connect… classic!

The exploit allows him to take control of the server. Since the server is not in a DMZ of the client’s network, Jean finds himself directly in the internal network. A phone call to the customer validates the possibility of continuing into the internal network. Using his favorite pivot technique, he proxies all his tools into the internal network. Although he is at the other end of the Internet, he is now in the same conditions as an internal pentest!

A few minutes later, Jean owns the entity’s Information System. A real-world attacker could then deploy a ransomware. He immediately informs the client and his teams of this critical vulnerability so that they can react.

At the end of his mission, Jean calls the client one last time in order to summarize the results of the mission and give him a first vision of the remediations to be carried out.

📚 The next day he completes his audit report and sends it to one of his colleagues for proofreading and validation.

He then sends the report to the client in a secure manner and discusses the results of the internal pentest and the action plan with the teams and management during the restitution videoconference.

🛡️ DSecBypass accompanies you on your external pentests, with quality services and significant experience on this type of service. Do not hesitate to contact us for additional information and/or a personalized quote 📝.