When most people think about hacking, they picture someone in a hoodie typing furiously in a dark room while green code streams across the screen. Real penetration testing is less cinematic, but it is still an intriguing process: it takes meticulous planning, deep knowledge of security and security tooling, and a deliberate strategy.
In this post we walk through a real-world penetration test conducted for a mid-sized technology company. The details have been sanitized to protect the client, but you will see the approach, the tools we used, and how we gained access to their systems. The goal of the engagement was to identify weaknesses in their security posture and recommend improvements to strengthen their defenses.
Mission: Request to Hack
A SaaS company approached us with the following request: "We would like to ascertain the ease with which someone could infiltrate our network. Assume the role of a malicious entity and proceed."
This was a black box test, meaning we had:
- No insider information concerning the setup or configuration of their systems
- No prior access to any internal data or systems
- Only their domain and explicit permission to attempt infiltration
Our objective: Identify vulnerabilities that could be exploited, gain unauthorized access, navigate through their system, and hypothetically extract sensitive data - all without detection, replicating the actions of a genuine threat actor.
Step 1: Reconnaissance
Before touching any of the target's systems directly, we gathered as much information as possible about the company from public sources (passive reconnaissance), so nothing in this phase would show up in their logs.
Tools used:
- Shodan: A search engine for exposed devices connected to the internet, allowing us to find potentially vulnerable assets.
- theHarvester & Recon-ng: Tools that collect email addresses, subdomains, employee names, and other data from public sources, each a potential entry point.
- Google Dorks: Advanced search techniques used to uncover hidden documents, login pages, and other sensitive information indexed by search engines.
This phase turned up outdated software versions advertised in public banners, active subdomains, and several PDF resumes listing company email addresses. Each is a lead: the email addresses, for instance, reveal the format of employee usernames and give us a list of accounts to target.
Step 2: Scanning & Enumeration
Next we probed the exposed hosts directly to find reachable services and map out the network's external attack surface.
Tools employed:
- Nmap: A powerful network scanner capable of detecting open ports, running services, and the presence of firewalls.
- Nikto: A web server scanner that checks for dangerous files, outdated server software, and common misconfigurations.
- Dirb: A content discovery tool that brute-forces directory and file names to find URLs the site does not link to.
One server was running an outdated version of Apache Struts, a Java web application framework whose older releases carry several publicly known remote code execution vulnerabilities.
Step 3: Exploitation
Using Metasploit, an industry-standard exploitation framework, we launched a remote code execution attack against the vulnerable Struts server identified during scanning.
The exploit succeeded and gave us a foothold on the server without triggering a single alert, exposing gaps in the company's intrusion detection. An attack that runs arbitrary code on a web server leaves traces (an anomalous request, a web server process spawning a shell), and nothing in their monitoring picked them up.
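The post does not say which Struts flaw was exploited, so the following is an added example rather than anything from the engagement: it assumes the OGNL-expression injection class that most published Struts remote code execution bugs belong to, and shows what a simple request-log check for it looks like. The log format, the addresses and the request lines are constructed for illustration.

```python
"""Request-log check for OGNL expression markers, the injection class behind
most published Apache Struts remote-code-execution bugs.

Added example, not code from the original engagement. The log format, the
addresses and the request lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Markers of an OGNL expression being smuggled into request data. Published
# Struts exploits have carried them in the Content-Type header (multipart
# parsing), in URL namespaces and in redirect:/action: parameter prefixes.
OGNL_MARKER = re.compile(
    r"%\{|\$\{|#_memberAccess|@java\.lang\.Runtime|#context\[",
    re.IGNORECASE,
)

# Constructed sample log, one header per line, as a reverse proxy or WAF
# might emit it: "<client ip> <method> <path> <header-name>: <header-value>".
SAMPLE_LOG = """\
10.1.4.22 GET /struts2-showcase/index.action Content-Type: text/html
203.0.113.7 POST /struts2-showcase/upload.action Content-Type: %{(#_='multipart/form-data').(#_memberAccess['allowStaticMethodAccess']=true).(@java.lang.Runtime@getRuntime().exec('id'))}
203.0.113.7 GET /struts2-showcase/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%29%7D/actionChain1.action Host: app.example.internal
10.1.4.22 GET /index.action?redirect:%25%7B3*4%7D Accept: */*
10.1.4.22 GET /static/app.js Accept: */*
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    src, method, path, header = line.split(" ", 3)
    name, _, value = header.partition(": ")
    return {"src": src, "method": method, "path": path, "header": name, "value": value}


def suspicious_fields(record):
    """Return the names of the fields whose decoded content contains an OGNL marker.

    Decoding twice catches double percent-encoding (%25%7B -> %7B -> {).
    """
    hits = []
    for field in ("path", "value"):
        decoded = unquote(unquote(record[field]))
        if OGNL_MARKER.search(decoded):
            hits.append(field)
    return hits


def scan(log_text):
    """Return (client ip, path, header name, flagged fields) for each suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        fields = suspicious_fields(record)
        if fields:
            alerts.append((record["src"], record["path"], record["header"], fields))
    return alerts


if __name__ == "__main__":
    for src, path, header, fields in scan(SAMPLE_LOG):
        print(f"{src} {path} -> OGNL marker in {', '.join(fields)} ({header})")
```

A signature like this is cheap and would have fired on the request that delivered the exploit, but it is only a first layer: attackers obfuscate expressions, so pair it with a whitelist of expected Content-Type values on `.action` endpoints and with endpoint telemetry that alerts when the Java web server process spawns a shell.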
Step 4: Lateral Movement
With a foothold established, we mapped the internal environment using BloodHound, which collects Active Directory relationships (logon sessions, group memberships, local administrator rights) and graphs them to reveal paths from a compromised asset to high-value targets.
Administrator passwords reused across multiple systems gave us that path: the credential that worked on the first host worked on the next, and a few hops later we held Domain Admin privileges, with full control of the network. This is the critical lesson on credential reuse: a password shared across hosts turns the compromise of one machine into the compromise of all of them.
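To make the path concrete, here is an added example (not BloodHound's code and not data from the engagement) that does in a few lines what BloodHound does at scale: a breadth-first search for the shortest path from a compromised host to the Domain Admins group over a relationship graph. The hosts, accounts and edges are constructed, and the compromised web server is assumed to be domain-joined; the `SameLocalAdminPassword` edge is our own label for a local administrator credential reused across hosts.

```python
"""Shortest attack path to Domain Admins over an Active Directory
relationship graph, the core of what BloodHound computes.

Added example, not BloodHound code and not data from the engagement. The
hosts, accounts and edges are constructed; the compromised web server is
assumed to be domain-joined. Edge labels follow BloodHound's vocabulary
where one exists (HasSession, AdminTo, MemberOf); SameLocalAdminPassword
is our own label for a local administrator credential reused across hosts.
"""
from collections import deque

EDGES = [
    ("WEB01", "HasSession", "svc_deploy"),          # service account logged on to the foothold
    ("svc_deploy", "AdminTo", "APP02"),
    ("APP02", "SameLocalAdminPassword", "FILE01"),  # reused local admin hash: APP02's admin opens FILE01
    ("FILE01", "HasSession", "jsmith"),
    ("jsmith", "MemberOf", "HELPDESK"),
    ("HELPDESK", "AdminTo", "DC01"),
    ("DC01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "DOMAIN ADMINS"),
    ("WEB01", "HasSession", "www-data"),            # dead end
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search from start to goal.

    Returns the path as a list of (node, relationship, node) hops, or None
    when goal is unreachable.
    """
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in previous:
                previous[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in previous:
        return None
    hops = []
    node = goal
    while previous[node] is not None:
        parent, rel = previous[node]
        hops.append((parent, rel, node))
        node = parent
    return hops[::-1]


def without_relationship(edges, rel):
    """Edge list with one relationship type removed, to model a fix."""
    return [e for e in edges if e[1] != rel]


def format_path(hops):
    parts = [hops[0][0]]
    for _, rel, dst in hops:
        parts.append(f"-[{rel}]-> {dst}")
    return " ".join(parts)


if __name__ == "__main__":
    path = shortest_path(build_graph(EDGES), "WEB01", "DOMAIN ADMINS")
    print("Before fix:", format_path(path))
    fixed = build_graph(without_relationship(EDGES, "SameLocalAdminPassword"))
    print("With unique local admin passwords:", shortest_path(fixed, "WEB01", "DOMAIN ADMINS"))
```

Removing the single shared-password edge leaves the foothold with no route to Domain Admins in this graph, which is the point of the recommendation below: unique local administrator credentials (a LAPS-style solution) do not fix the web server, but they cut the path that made its compromise fatal.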
Step 5: Mock Data Exfiltration
We created a simulated customer data file, encrypted it, and exfiltrated it from the network. No firewall rule blocked the transfer and no alert fired. Because the file was encrypted, any control that inspects content would have seen only opaque bytes; catching this kind of transfer depends on watching where data goes and how much of it leaves, and the company had no effective monitoring of either.
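The kind of check that would have caught the transfer, as an added example that is not part of the engagement's tooling: baseline each host's daily egress volume and set of external destinations from flow records, then flag a host whose egress jumps well above its own median or that talks to a destination it has never contacted. Flow records, addresses and the internal ranges are constructed for illustration.

```python
"""Egress volume and destination baselining over flow records, the kind of
check that catches a bulk transfer regardless of whether the file is
encrypted.

Added example, not code from the engagement's tooling. Flow records,
addresses and the internal ranges are constructed for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict

# Address space considered internal; traffic to anything else is egress.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries: (day, source host, destination, bytes sent).
HISTORY = (
    [(day, "10.1.4.22", "203.0.113.10", 2_000_000) for day in range(1, 7)]
    + [(day, "10.1.4.50", "203.0.113.10", 500_000) for day in range(1, 7)]
)
TODAY = [
    (7, "10.1.4.22", "203.0.113.10", 2_100_000),   # usual update traffic
    (7, "10.1.4.50", "203.0.113.10", 480_000),
    (7, "10.1.4.50", "198.51.100.77", 9_600_000),  # never-seen destination, far above normal
    (7, "10.1.4.50", "10.1.8.5", 50_000_000),      # internal file server, not egress
]


def is_egress(dst):
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL)


def egress_per_host_per_day(flows):
    """{host: {day: bytes}} and {host: set(destinations)} for egress flows only."""
    volume = defaultdict(lambda: defaultdict(int))
    destinations = defaultdict(set)
    for day, src, dst, nbytes in flows:
        if is_egress(dst):
            volume[src][day] += nbytes
            destinations[src].add(dst)
    return volume, destinations


def detect(history, today, ratio=5.0, min_bytes=1_000_000):
    """Flag hosts whose egress today is at least ratio x their median daily
    egress (and at least min_bytes); list destinations never seen before."""
    hist_volume, hist_dsts = egress_per_host_per_day(history)
    today_volume, today_dsts = egress_per_host_per_day(today)
    alerts = []
    for host, days in today_volume.items():
        sent = sum(days.values())
        baseline = statistics.median(hist_volume[host].values()) if hist_volume.get(host) else 0
        new_dsts = sorted(today_dsts[host] - hist_dsts.get(host, set()))
        if sent >= min_bytes and (baseline == 0 or sent / baseline >= ratio):
            alerts.append({
                "src": host,
                "bytes_today": sent,
                "baseline_median": baseline,
                "ratio": sent / baseline if baseline else float("inf"),
                "new_dsts": new_dsts,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(HISTORY, TODAY):
        print(f"{a['src']}: {a['bytes_today']} bytes egress today, "
              f"{a['ratio']:.1f}x baseline, new destinations {a['new_dsts']}")
```

The thresholds here are illustrative and would be tuned per environment. The approach has known blind spots a tester will probe: low-and-slow transfers that stay under the ratio, and uploads to a sanctioned cloud service the host already talks to every day. Those call for additional signals (DNS and TLS SNI logging, per-destination baselines) rather than a better content filter, since the content was never visible.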
Conclusions:
Key takeaways from this exercise include:
- Patch promptly: the initial compromise was a publicly known vulnerability in an outdated framework
- Never reuse passwords across systems; give every host a unique local administrator credential so one compromised machine does not unlock the rest
- Segment the network to restrict movement between zones and limit the damage when a single host is breached
- Improve visibility: centralize logs for authentication, process execution and network egress, and alert on them, so that exploitation, lateral movement and exfiltration are detected and answered quickly
Final Thoughts on Penetration Testing
Penetration testing is an essential practice for identifying and mitigating security weaknesses. By simulating attacks, organizations can better understand their vulnerabilities and develop robust defense strategies to protect against actual threats. When was your last penetration test?
For more information on penetration testing, please contact your Gotham Technology Group rep.