There are many things you should consider when starting a penetration test, such as who the customer is, what the scope is, and what legal requirements come with their network. Those questions are for the team lead and the "sales people"; let's skip them and get to the fun part, breaking our way into the network.
The goal here is to gain initial access to the target network which can be used to pilfer data or escalate privileges at a later date.
Tactic – Exploiting a Network Service
Status of Forces: Exploiting a service is the most straightforward, easiest way to gain initial access to a target (except when they leave a default password in place). However, because it is so easy, network defenders take extra care to make sure their public facing web services are protected and updated (usually). In this scenario we will be exploiting a service on a web server that is located inside the DMZ of the target network.
Initial Tactical Engagement: There are two types of exploits we are looking at today, N day exploits and 0 day exploits. N represents the number of days the exploit has been public for, so 0 means it has not been made public at all and is thus an unstoppable force, all because some developer lazily used the banned function strcpy() when they should have used strcpy_s().
As a penetration tester, N day exploits will be your bread and butter. It will be your job to gain access to a network, pivot around and throw these bad boys at anything you can see. This shows proof positive that the client is vulnerable and you were able to exploit it, no false positives when you’ve got a command line on target. Metasploit is not your only resource for N day exploits.
Exploit Database contains many quality exploits you can use, and Kali ships a command-line search tool called "searchsploit" which can quickly find an exploit for you.
Additionally, don’t forget there are less scrupulous parts of the internet that you can use to get exploits as well. Over the years there have been many leaks of high quality exploits that still work today.
As a penetration tester, 0 day exploits should not be used. They should be sold! What are you doing wasting a potential million dollar exploit on a customer that can't possibly defend against it!? Head on over to Zerodium and sell that bad boy to your favorite 3 letter agency (probably).
Adversary Counter Response: There are many ways an adversary can counter an exploit. The two best defenses against direct exploitation are firewalls and NAT. You may be thinking "NAT isn't a network defense, it's a way to kick the IPv6 problem down the road for decades" and you would be half right. NAT's defense comes from preventing attackers from being able to directly communicate with devices behind the device that implements the NAT.
Another adversary counter response is patching (duh). The only problem is, sysadmins are terrible, awful, lazy, garbage human beings that couldn’t be bothered to do their job if it would prevent their next heart attack. Therefore, N day exploits are a thing.
Intrusion prevention systems and intrusion detection systems can also foil your exploitation. Lucky for us, IPS are rare because they are required to be inline to work, and that slows down network traffic (read: YouTube). Most companies, if they do implement this response, will have an out of band detection system that will tip off network defenders to your exploit attempts. Always escalate and insert persistence mechanisms quickly; once you throw the exploit, the clock is ticking.
Tactic – Exploiting Layer 8 (social engineering)
Status of Forces: So, the client has their patch game in order and you are all out of ideas. Time to move to old reliable, social engineering. Social engineering is reliable because there is no patch for stupid and the network is designed to grant access to the user.
Initial Tactical Engagement:
In previous scenarios we crafted emails to send to users using the Social Engineering Toolkit; here is a link to their website, TrustedSec.
Another classic social engineering attack is to drop a flash drive or CD in a public area with a lot of foot traffic that contains a spreadsheet with malicious call back code such as an Empire PowerShell connection. While you do have to have physical access to your target's parking lot and a few dollars lying around for some flash drives, this method boasts a high success rate depending on how graphic you are in labelling your media.
Last, we will go over what we all fear the most, social interaction. In the case that all else fails, you can call up your victims and ask them to browse to websites, click through warnings, and give up passwords. Depending on your charisma check, you can gain a lot of access with this method.
Adversary Counter Response:
The host intrusion prevention system is the thin line between users and chaos. If you send a meterpreter payload in a .exe, chances are it is going to get picked up by literally every HIPS on the market. These vendors go through all the common malware, create signatures for the defaults to look for in files, and scan every piece of software that is created on the computer.
A good network defender makes sure that a user has no rights. This is why privilege escalation is a thing. Even if you manage to successfully exploit a user, it can be a pain to leverage that to actually do anything on the network.
Part of making sure a user has no rights and their life is a living hell is disabling their ability to load removable media. This can be done by editing group policy objects under Computer Configuration\Administrative Templates\System\Removable Storage Access.
Unfortunately, there are many products out there that attempt to solve the phishing problem, and some of them are effective. In the event that you want to pansy out of doing real work, you can scope your penetration test such that the customer gives you a valid email address to phish from, so that you can specifically test users and not have to worry about the tech you can't overcome.
Tactic – Breaking and Entering, Physical Attacks
Status of Forces: You’ve tried exploiting services and people and failed at both. What a disappointment you are. It is time to put your sad soft body on the line and get physical access to your targets. We are going to bypass the whole jumping a fence and smashing a window with a rock bit, you are standing in front of a workstation, what do you do?
Initial Tactical Engagement: Whip out your trusty live image USB of Kali Linux () and slap that in the USB port. Reboot that computer, jump into the computer's BIOS settings, and change the boot order to flash drive first. From there, hack to your heart's content on the network until security arrives and drags you away.
Alternatively, you can use your live image to mount the hard drive, move files around on the computer, and replace c:\windows\system32\utilman.exe with c:\windows\system32\cmd.exe. Pull the USB drive out of the computer, boot to Windows, and click on the utilities icon in the bottom right corner; boom, PowerShell as SYSTEM. Go ahead and download a payload of your choice with curl from the web server you definitely set up beforehand and execute it.
The more astute of you may see that I used an Ubuntu live image instead of Kali, and that's because it is the first ISO file I ran across on my computer while writing this blog #dontjudgeme.
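The utilman.exe swap above leaves a simple artifact for the defender: an accessibility helper whose bytes are identical to cmd.exe. The following check is an added example written for this post, not code from the post's author or from any tool it mentions. It hashes the accessibility helpers Windows launches from the logon screen and reports any that match a shell binary, so it can be run against a live System32 directory or against a mounted disk image after an incident. The list of helper names and the constructed sample tree used by demo() are my own assumptions, not something the post provides.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Accessibility helpers launched as SYSTEM from the logon screen. The post
# swaps utilman.exe; the same trick works on its siblings, so check them all.
# (Assumed list for this example.)
ACCESSIBILITY_BINARIES = (
    "utilman.exe",
    "sethc.exe",
    "osk.exe",
    "narrator.exe",
    "magnify.exe",
    "displayswitch.exe",
    "atbroker.exe",
)

# Shell binaries an attacker would put in their place, relative to System32.
SHELL_BINARIES = ("cmd.exe", "WindowsPowerShell/v1.0/powershell.exe")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not hit memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_accessibility_binaries(system32: Path) -> dict:
    """Return {helper_name: shell_name} for every accessibility helper whose
    contents are byte-identical to a shell binary under the same System32."""
    shell_hashes = {}
    for rel in SHELL_BINARIES:
        shell = system32 / rel
        if shell.is_file():
            shell_hashes[sha256_of(shell)] = Path(rel).name
    findings = {}
    for name in ACCESSIBILITY_BINARIES:
        helper = system32 / name
        if helper.is_file():
            digest = sha256_of(helper)
            if digest in shell_hashes:
                findings[name] = shell_hashes[digest]
    return findings


def build_constructed_fixture(root: Path) -> Path:
    """Constructed sample System32 tree for offline demonstration.
    The files are placeholders, not real Windows binaries."""
    system32 = root / "Windows" / "System32"
    (system32 / "WindowsPowerShell" / "v1.0").mkdir(parents=True)
    (system32 / "cmd.exe").write_bytes(b"MZ-constructed-cmd")
    (system32 / "WindowsPowerShell" / "v1.0" / "powershell.exe").write_bytes(
        b"MZ-constructed-powershell"
    )
    # utilman.exe replaced with a copy of cmd.exe, exactly as in the post.
    (system32 / "utilman.exe").write_bytes(b"MZ-constructed-cmd")
    # sethc.exe left untouched.
    (system32 / "sethc.exe").write_bytes(b"MZ-constructed-sethc")
    return system32


def demo() -> dict:
    """Run the check against the constructed tree; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_swapped_accessibility_binaries(build_constructed_fixture(Path(tmp)))


if __name__ == "__main__":
    # Usage: python check_utilman.py [path/to/Windows/System32]
    # With no argument the constructed fixture is used.
    if len(sys.argv) > 1:
        result = find_swapped_accessibility_binaries(Path(sys.argv[1]))
    else:
        result = demo()
    for helper, shell in sorted(result.items()):
        print(f"{helper} is a byte-for-byte copy of {shell}")
    print("no swapped accessibility binaries found" if not result else f"{len(result)} finding(s)")
```

A byte-identical copy is the only thing this catches; a defender who also wants the Image File Execution Options debugger variant of the same trick would add a registry check alongside it, and a missing Authenticode signature on any of these helpers is worth the same alarm.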
Adversary Counter Response: They are going to arrest you. For God's sake, you threw a rock through a window, what were you thinking? Physical destruction of property was not in the scope of this penetration test.
Gaining initial access can be the hardest nut to crack. Network defenders have been trained for years to focus on having an impenetrable outer shell around the network and to leave the inside wide open, because no one will ever get that far. Social engineering is especially effective because it gets you past that hard outer shell and into the soft gooey center of the network. Physical attacks are even more effective, because many network defenders get so lost in the technical details of the network that they forget about physical security. In the end, the world is your oyster; try not to get arrested doing your day job.