Internal pentest DSecBypass Lyon

Pentest stories

This series of articles follows Jean, an imaginary pentester, through his penetration testing engagements. Clients and exploit stories are just as imaginary, but they match reality and are based on the experiences of DSecBypass experts.

It aims to explain and ease the understanding of the different pentest offerings.


Internal pentest

Jean really appreciates internal pentests: in 95% of cases he ends up controlling the entire Information System, with the famous “domain admin” rights. Sometimes it takes him less than an hour, sometimes he has to “try hard” and search for many hours for the vulnerability that will allow him to elevate his privileges. In any case, it is an opportunity for him to understand the client’s Information System in depth and to test the latest published vulnerabilities and techniques.

🚗 Today, he is traveling to a client in the Lyon region for a two-day internal audit. It’s a classic “malicious visitor” scenario: the client has prepared a meeting room for him where he can connect his own PC and act like a visitor who is a little too curious.

✅ A quick meeting with the client at the start of the first day makes it possible to recall the scenario, discuss with the teams the actions that will be carried out, reassure them about the availability of the pentester throughout the mission, and settle the last organizational points.

After a first coffee shared with the client, Jean connects to the network using his RJ45 cable. The socket is live and he validates with the client that the network he is accessing is indeed the desired one: he has already spent an hour auditing the VoIP network when the target was the user network. Everything is good, he can start the audit. 🤝

He takes screenshots of the network configuration obtained by his PC and his VMs and sets out to discover the internal network: are the servers reachable? Where are the domain controllers? Can he attack users and their PCs? What information can be captured on the network? The client’s network is large: spread without apparent logic across 10.0.0.0/16. Luckily, discovering one of the server networks was fairly easy, since it sits with the domain controller in 10.20.10.0/24. He then begins enumerating open services in order to exploit any misconfigurations or published vulnerabilities.

In parallel with his network discovery, the pentester poisons the users’ network (name-resolution poisoning, for example) using different techniques, in the hope of capturing the credentials of a Windows account.

By the end of the morning Jean has managed to discover leaks of financial and HR information in public file shares and to take control of certain servers, but he still cannot elevate his privileges on the Windows domain. These privileges are required to reach the maximum of functionality and data about the customer’s business. Before leaving to eat, he lets an attack script run that generates no side effects, because a wise old man once taught him that users tend to let their guard down between noon and two.

He gives the customer a quick summary of the findings and goes to a nearby restaurant, hoping his script works for him. He is not too worried, because this morning’s discoveries have given him several avenues of attack: finding administration scripts in file shares, accessing the KeePass database found on one of the compromised servers, finishing the inventory of the customer’s various networks, and still other paths if needed.

🎯 On returning, he unlocks his PC and is pleasantly surprised to see on his terminal that adm_fdupond was captured: the auditor now holds a domain (Windows) account, apparently privileged given the “adm” prefix. He hastens to check whether it is a domain admin. Still not… Jean then checks the servers on which this account has administrative rights.

Among all the “Pwn3d!” lines scrolling on his terminal (the tool’s way of saying the account is a local administrator on that host), signifying that he controls many servers, one name catches his eye: SRV-ADMTOOLS. Given the name, it is probably an administration server where he knows he can find scripts, plaintext passwords in browsers, perhaps cached admin sessions and other avenues to elevate his privileges.
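The triage Jean does by eye here (which hosts answer “Pwn3d!”, is the domain controller among them, which names look like admin tooling) is easy to automate. The following is an added example, not code from the article or from DSecBypass: it parses constructed output lines in the column layout that CrackMapExec / NetExec print for an SMB authentication sweep. The host names, addresses and password in the sample are invented, and the list of “interesting” name fragments is an assumed heuristic for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample output (not real client data) in the column layout that
# CrackMapExec / NetExec use for an SMB authentication sweep:
# protocol, IP, port, hostname, then the result message.
# "[+]" means the credentials were accepted, "(Pwn3d!)" means the account is a
# local administrator on that host. Names, IPs and the password are invented.
SAMPLE_OUTPUT = """\
SMB   10.20.10.5   445  DC01          [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:CLIENT.local) (signing:True) (SMBv1:False)
SMB   10.20.10.5   445  DC01          [+] CLIENT.local\\adm_fdupond:Passw0rd!
SMB   10.20.10.31  445  SRV-FILES     [+] CLIENT.local\\adm_fdupond:Passw0rd! (Pwn3d!)
SMB   10.20.10.42  445  SRV-ADMTOOLS  [+] CLIENT.local\\adm_fdupond:Passw0rd! (Pwn3d!)
SMB   10.20.10.77  445  SRV-SQL01     [-] CLIENT.local\\adm_fdupond:Passw0rd! STATUS_LOGON_FAILURE
SMB   10.20.10.90  445  SRV-PRINT     [+] CLIENT.local\\adm_fdupond:Passw0rd! (Pwn3d!)
"""

LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)

# Name fragments that usually point at administration / management hosts.
# Assumed heuristic for this example, not a rule from the article.
INTERESTING = ("ADM", "TOOLS", "MGMT", "JUMP", "BASTION", "PAW")


@dataclass(frozen=True)
class HostResult:
    ip: str
    host: str
    login_ok: bool   # "[+]": credentials accepted
    admin: bool      # "(Pwn3d!)": account is local administrator there


def parse_results(output: str) -> list[HostResult]:
    """Keep one result per host, taken from its authentication line ([+]/[-]);
    OS banner lines ([*]) are skipped."""
    results: dict[str, HostResult] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if not (msg.startswith("[+]") or msg.startswith("[-]")):
            continue
        results[m.group("host")] = HostResult(
            ip=m.group("ip"),
            host=m.group("host"),
            login_ok=msg.startswith("[+]"),
            admin="(Pwn3d!)" in msg,
        )
    return list(results.values())


def admin_hosts(results: list[HostResult]) -> list[str]:
    """Hosts on which the sprayed account is a local administrator."""
    return sorted(r.host for r in results if r.admin)


def prioritize(hosts: list[str]) -> list[str]:
    """Put hosts whose names hint at admin tooling first, then the rest alphabetically."""
    return sorted(hosts, key=lambda h: (not any(k in h.upper() for k in INTERESTING), h))


def admin_on_dc(results: list[HostResult], dc_hosts: set[str]) -> bool:
    """Local admin on a domain controller is effectively domain admin.
    A valid login on the DC without "(Pwn3d!)" (as for adm_fdupond here)
    is the "still not domain admin" case from the story."""
    return any(r.admin for r in results if r.host in dc_hosts)


if __name__ == "__main__":
    res = parse_results(SAMPLE_OUTPUT)
    print("domain admin?", admin_on_dc(res, {"DC01"}))
    for h in prioritize(admin_hosts(res)):
        print("local admin on", h)
```

With the sample above, the account is not admin on DC01 (so not a domain admin), and SRV-ADMTOOLS is listed first among the three hosts where it is local administrator, which is exactly the host Jean picks next.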

He connects to it with the compromised account, bypasses the antivirus solution in place by adding a specific directory as an exclusion, and extracts the credentials held in Windows memory with his favorite tools.

πŸ† The server not being hardened, the CLIENT.local\Administrateur account immediatly pops on his screen. Seizing it, he tests the connection to the domain controllers. It’s done, Jean is “domain admin” of the Windows CLIENT.local domain.

He informs the customer and continues to explore the various avenues of exploitation in order to be as exhaustive as possible. He also analyzes the security level of the Active Directory so as to provide the corresponding recommendations and work on defense in depth.

Jean took care to note every action that could modify the state of the Information System and took screenshots of each step in order to provide the most complete and detailed report possible. Once the mission is over, he deletes his test artifacts (including the antivirus exclusion added earlier) and restores the Information System to the state it was in when he arrived.

He holds a final on-site meeting with the client to summarize the results of the mission and give him an initial view of the remediations to be carried out.

📚 The next day he completes his audit report and sends it to one of his colleagues for proofreading and validation.

He then sends the report to the client through a secure channel and discusses the results of the internal pentest and the action plan with the teams and management during the videoconference debriefing.

🛡️ DSecBypass accompanies you on your internal pentests, with quality services and significant experience in this type of engagement. Do not hesitate to contact us for additional information and/or a personalized quote 📝.