ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
I was recently on an assessment where I was able to grab all the password hashes from the domain controller. When I extracted the hashes and saw that they were storing LANMAN hashes alongside the NTLM hashes, I thought to myself… Wow. I LOVE my job! There are many moments on pentests where you feel as giddy as that puppy… so I decided to ask the other BHIS testers the following question:
When you are on an internal or pivot test, what is something that really “makes your day”?
And here is what they replied:
- Finding out that the organization grants administrator permissions to EVERYONE in the organization… now where is that Domain Admin logged in?? Hehehe – David
- Logging on to the password cracker and finding that 50% of passwords have been cracked (bonus if they are domain admin passwords) – Rick
- When Google’s answer to “$product_name default password” actually works. Double points if it’s the controller for the door locks. – BBKing
- Finding passwords in draft messages within Outlook. Easier to spot when the draft is named “Passwords”. – Kelsey
- Finding passwords in documents or source code. Especially when they are database passwords. And then finding the database contains social security numbers. – Ethan
- I love it when default credentials DON’T work. I’m so tired of telling that story. Other stories are so much more interesting to tell. Please make me come up with a better story. – Carrie
- Abusing security products to help further my malicious agenda. For example, getting access to a SIEM server, finding the web server’s private key, then intercepting and decrypting IT/security staff logins to the console. – Beau
- When I get caught by a client’s security team because they are doing the right thing and sufficiently monitoring log files and looking for anomalies in their environment. Then working with them to further find gaps in their monitoring and IR process to better detect actual attackers. After all, that’s why we do this pentest thing, right? To make the client better. – Derek
- When I’m making phone calls to social engineer employees and after just a few attempts the employee has notified their admin, who then notifies the entire company that they’re being bombed with fake phone calls. As much as I want in, I really want people NOT to do what they are NOT supposed to do. – Sierra
- I once found an old baseboard management controller that was missed by the customer’s vulnerability management program. The exposed TCP/49152 GET PSBlock plaintext password worked on every other system board I could find: HP iLO, Dell iDRAC, IBM BMC… – Jordan
If you look carefully at the above list, we like these things because they represent low-hanging fruit. It lets us push the easy button. Now that might sound like pentesters are just inherently lazy, but the truth is that our job is to mimic real attackers. Attackers take the path of least resistance, which means starting with the obvious stuff: default passwords, guessable passwords, crackable passwords, hard-coded passwords, unpatched systems, cleartext sensitive data, etc. If the easy stuff works and the attacker gets what s/he came for – game over.
If customers up their game and fix the easy stuff, it forces us to up our game as well, or we will put ourselves out of business.
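A defender's follow-up to the LANMAN hash finding in the opening and to the cracked-password and shared-admin-password items in the list, written here as an added example and not code from the original post: it audits a pwdump-style export (user:rid:lmhash:nthash:::) for accounts that still carry an LM hash and for accounts that share one NT hash, i.e. the same password. Every hash value in the sample is constructed for illustration.

```python
import re
from collections import defaultdict

# LM field value written when no LM hash is stored (NoLMHash in effect, or password > 14 chars).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One pwdump-style record per line: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Parse pwdump-format lines; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def lm_enabled_accounts(records):
    """Accounts whose LM field is not the empty-LM marker: LM storage is still on for them."""
    return sorted(r["user"] for r in records if r["lm"].lower() != EMPTY_LM)


def shared_nt_hashes(records):
    """NT hashes used by more than one account, i.e. the same password on several accounts."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["nt"].lower()].append(r["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def audit(text):
    """Summary a defender can act on: how many accounts, which keep LM hashes, which reuse passwords."""
    records = parse_dump(text)
    return {"accounts": len(records), "lm_stored": lm_enabled_accounts(records), "reused": shared_nt_hashes(records)}


# Constructed sample dump; every hash value below is made up, not a real hash.
NT_A, NT_B, NT_C, LM_X, LM_Y = "1a" * 16, "2b" * 16, "3c" * 16, "4d" * 16, "5e" * 16
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{LM_X}:{NT_C}:::",
    f"alice:1105:{EMPTY_LM}:{NT_A}:::",
    f"bob:1106:{LM_Y}:{NT_B}:::",
    f"svc_backup:1107:{EMPTY_LM}:{NT_A}:::",  # same NT hash as alice: shared password
    "this line is not a hash record and is ignored",
])

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

Any name in `lm_stored` means the domain still writes LM hashes for that account, and any group under `reused` means one cracked password opens several accounts.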