Go Ahead, Make Our Day

Sally Vandeven & the BHIS Team //

I was recently on an assessment where I was able to grab all the password hashes from the domain controller. When I extracted the hashes and saw that they were storing LANMAN (LM) hashes alongside the NTLM hashes, I thought to myself... Wow. I LOVE my job! There are many moments on pentests when you feel as giddy as that puppy...

...so I decided to ask the other BHIS testers the following question:

When you are on an internal or pivot test, what is something that really “makes your day”?

And here is what they replied:

  • When Google’s answer to “$product_name default password” actually works. Double points if it’s the controller for the door locks. – BBKing
  • Finding passwords in draft messages within Outlook. Easier to spot when the draft is named “Passwords”. – Kelsey
  • I love it when default credentials DON’T work. I’m so tired of telling that story. Other stories are so much more interesting to tell. Please make me come up with a better story. – Carrie
  • Abusing security products to help further my malicious agenda. For example, getting access to a SIEM server, finding the web server’s private key, then intercepting and decrypting IT/security staff logins to the console. – Beau
  • I once found an old baseboard management controller that was missed from the customer’s vulnerability management program. The exposed TCP/49152 GET PSBlock plaintext password worked on every other system board I could find: HP iLO, Dell iDRAC, IBM BMC... – Jordan

Look carefully at the list above: we like these things because they are low-hanging fruit. They let us push the easy button. That might sound like pentesters are just inherently lazy, but the truth is that our job is to mimic real attackers. Attackers take the path of least resistance, which means starting with the obvious stuff: default passwords, guessable passwords, crackable passwords, hard-coded passwords, unpatched systems, cleartext sensitive data, etc. If the easy stuff works and the attacker gets what s/he came for, it’s game over.

If customers up their game and fix the easy stuff, it forces us to up our game as well, or we will put ourselves out of business.

Challenge Accepted!