Monday, August 18, 2008

Day in the life of pentester #4

Day in the life of a pentester.

This one is short and sweet. Some things you probably shouldn't do.

1. Fail: use clear text protocols
2. Get caught not following your own password policies
& the best one
3. Add your Domain Users group to the Enterprise Admins group...oops ;-)

Internal test: some simple ARP spoofing, an LDAP query caught in plain text, RDP in, create a user account and add it to the appropriate admin group...done.
CG

5 comments:

Morgan Storey said...

My favourite I have seen was domain users added to local admins on all machines, meaning a virus could come in and pwn the network. They of course didn't see this as an issue.

CG said...

Yup, seen that one lately too; it pretty much defeats the whole idea of having separate admin accounts when they just add their domain user as local admin.

Anonymous said...

Do you consider using ARP spoofing a worthy method of defeating internal security, or a method with which to gain admin rights and then go and look for some real holes?

Anyone can ARP spoof to escalate their privileges. It is not a criticism but if this is the only method in which you look to escalate I am surprised.

I like reading your blog but I find the above post rather disappointing. Sorry.

xx

CG said...

@anonymous (if you are going to criticize have some balls and leave a name)

"Anyone can ARP spoof to escalate their privileges."

Three thoughts on that
1. If you want to read about my two days of scanning and trying things before we went the ARP spoofing option, I guess I could have written that up, but it's not too interesting. I scanned, tried exploits, boxes were patched, got nothing...wow!

2. If everyone/anyone can do it, it should be fair game on my test.

3. There are a lot of technologies and protocols that can be in place that help prevent a lot of that.

For example, most of the LDAP hashes we caught were SSL'ed and just came back as gibberish; that's good. We knew their password policy was complex enough that a regular user wouldn't have a password of "password".

Anyway, pentesting isn't always about busting into a box with the latest 0day and hopping thru china and the moon to get access. If you are doing an internal look you need to try some things that a less security-savvy user may try. Sniffing and ARP spoofing are in every hacking book in the world; it's reasonable that an insider would try that.

Besides, I'd love to hear your methodology or what you'd do when you do your scanning and have nothing but fully patched 2k3 SP2 servers and XP SP3 clients.

-CG
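As an added illustration of CG's third point (that technology exists to catch this kind of thing), here is a small ARP-cache consistency check written for this edit; it is not code from the post or its author. The ARP replies it consumes are constructed sample data, and the `gateway_ip` parameter is an assumption about which binding matters most.

```python
"""Flag ARP-cache poisoning from a stream of observed ARP replies.

A host normally keeps the IP->MAC binding it first learned. An unsolicited
reply that rebinds a known IP (especially the default gateway) to a different
MAC, or one MAC that starts claiming several IPs, is the classic signature of
a spoofing attempt and is what a switch or IDS would alert on.
"""
from collections import defaultdict

# Constructed sample data (not captured from the post's engagement):
# (timestamp, sender_ip, sender_mac) taken from ARP replies seen on the wire.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),    # real gateway
    (1.5, "10.0.0.20", "00:11:22:33:44:20"),   # ordinary workstation
    (2.0, "10.0.0.30", "00:11:22:33:44:30"),   # host that later misbehaves
    (9.0, "10.0.0.1", "00:11:22:33:44:30"),    # gateway rebound to .30's MAC
    (9.5, "10.0.0.20", "00:11:22:33:44:30"),   # workstation rebound to .30's MAC
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for suspicious rebindings, in arrival order.

    replies: iterable of (timestamp, ip, mac) tuples.
    gateway_ip: the IP whose MAC change is treated as critical (assumed input).
    The first-seen binding is kept rather than overwritten, so a persistent
    spoof keeps alerting; a genuine NIC swap will too and needs a manual reset.
    """
    bindings = {}                    # ip -> first-seen mac
    ips_per_mac = defaultdict(set)   # mac -> every ip it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in bindings and bindings[ip] != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARN"
            alerts.append(f"{severity} t={ts}: {ip} moved from {bindings[ip]} to {mac}")
        else:
            bindings.setdefault(ip, mac)
        # Alert once per newly claimed IP once a MAC claims more than one.
        new_claim = ip not in ips_per_mac[mac]
        ips_per_mac[mac].add(ip)
        if new_claim and len(ips_per_mac[mac]) > 1:
            alerts.append(f"WARN t={ts}: {mac} now claims {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, gateway_ip="10.0.0.1"):
        print(line)
```

On the sample data the check raises a CRITICAL alert at t=9.0 for the gateway rebinding, then WARN alerts for the workstation rebinding and for the one MAC claiming three IPs.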

Anonymous said...

@CG - Can't be bothered to sign up!

It is not a criticism, as I originally pointed out; it was a question that was worded wrongly.

I have been in the same position as you multiple times with fully patched boxes.

I assumed you were using ARP spoofing before following other routes, hence the question.

I am slightly against ARP spoofing mainly because of the issues associated with using it on certain networks. Think .gov, .mil etc. Using ARP spoofing brings the men in geek polo shirts and their nasty security people with guns.

xx