Trojent

We are live!


network pentest

Active Directory

The heart of every organization's work environment, Active Directory is a prime target for adversaries and should be maintained and strengthened to avoid full domain compromise.

Vulnerability Scanning

Vulnerabilities exist everywhere, from simple misconfigurations to outdated software. Frequent checks and tests are good practice for keeping up with the evolving technology landscape.

Workstations

The margin for human error is always the highest, since people are the weakest link in any work or production environment. Workstations tend to host lots of weaknesses.

Servers

The backbone of any web hosting or production line, servers are favored targets of malicious individuals due to their valuable data.

Access Points

Access points are often overlooked and not segmented properly. A weak, vulnerable access point can set the stage for an even bigger attack if left unsecured.

Cameras

Cameras can contain data or even credentials if not fully administered. They are another technology within your network that should not be ignored.

Routers & Switches

The pumping lungs of any network, they are usually a second thought once set up. They are prime targets for DDoS (Distributed Denial of Service) attacks.

Printers

Printers are well known for usually having weak credentials for easy administration and workflow. However, they can be vulnerable to information leakage and sometimes to extraction of hard-coded credentials.

Global shift

Network security is no longer just a technical priority but a core business necessity and a matter of national resilience. As cybercrime is projected to cost the global economy $10.5 trillion annually by 2025, which would make it the world's third-largest economy, the stakes have never been higher.

Network Security

Network Security is the set of technologies, policies, and practices designed to protect the integrity, confidentiality, and accessibility of data as it travels across a network.

Network Hardening

The systematic process of reducing a network's "attack surface" by eliminating as many security risks and vulnerabilities as possible.

If Network Security is the "wall," hardening is the process of reinforcing every brick, removing unnecessary doors, and ensuring every lock is updated.

A gray-box demonstration of attacking a server inside the network and achieving full compromise

In the next section, I will walk you through the full process of attacking a server inside the network that is hosting a WordPress application, starting from a gray-box position, meaning the client provided some information to start with, all the way to achieving full control over the server.

The network environment is a machine called "ColdBox" from the platform TryHackMe that I personally finished, and I believe it conveys the consequences of weak credentials, outdated software and vulnerable plugins within the network.

Attacking a server inside the network

1. The client provided us with the following:

- IP address of the server
- A username: C0ldd

We proceed with our scan and can see that a WordPress application resides on port 80 and an SSH service on port 4512.

2. Navigating to the webpage shows us a standard WordPress website, as you can see in the screenshot.

I have picked WordPress as an example because it's very common and popular among businesses.

3. Working with the user the client provided, we can start brute-forcing right away in the hope of finding a matching password. As you can see, we found a match quickly.

We are using a tool called "WPScan", a vulnerability scanner designed specifically for testing WordPress to uncover misconfigurations, vulnerable plugins and themes, and weak credentials.

4. We will head to the login page and log in with the credentials we have now.

WordPress login pages have a fixed path by default unless changed by an administrator.

5. WordPress themes are PHP-based, meaning it's possible to achieve code execution within them.

We can inject our payload, aka "malicious code", inside one of the templates in WordPress and gain code execution.

6. The previous code allowed us to interact with the "underlying system" that is hosting the website, meaning the server.

Now, we inject our "reverse shell" payload into the poisoned template and set a "Netcat" listener to wait for a connection back so we can have an interactive shell on the machine.

We received a connection back and we now operate as the user "www-data" on the server.

7. Inside the machine we have a low-privileged user, meaning we cannot do much since we are restricted by permissions set by the admin.

This is where "Privilege Escalation" comes in. It's simply the act of looking for loopholes or misconfigured services to escalate our user into a higher-privileged user, aka "Root".

The yellow binary in the screenshot allows us to do so because it has "SUID" permissions.

8. There are great resources and techniques online on how to escalate privileges, especially for common binaries.

9. After applying the commands, we are escalated to the "Root" user, which is the highest-privileged user on the system, and we now have full control over the server.
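
From the defender's side, the SUID weakness used in steps 7 to 9 is found by auditing set-ID files against a known-good baseline. The script below is an added example, not part of the original walkthrough; the `BASELINE` paths and the function names are assumptions to replace with values from your own distribution.

```python
import os
import stat

# Assumed baseline for a hypothetical server: set-ID files that are expected.
# Build the real list from a known-good install of your own distribution.
BASELINE = frozenset({"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
                      "/usr/bin/mount", "/usr/bin/umount"})
SETID = stat.S_ISUID | stat.S_ISGID

def find_setid(root):
    """Yield (path, lstat result) for regular files under root with SUID/SGID set."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID:
                yield path, st

def audit(root="/", baseline=BASELINE):
    """Return sorted findings: (path, mode string, owner uid, reasons)."""
    findings = []
    for path, st in find_setid(root):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group/other")
        if reasons:
            findings.append((path, stat.filemode(st.st_mode), st.st_uid, reasons))
    return sorted(findings)

if __name__ == "__main__":
    for path, mode, uid, reasons in audit("/usr"):
        print(f"{mode} uid={uid} {path}: {', '.join(reasons)}")
```

Any finding outside the baseline should be reviewed, and the set-ID bit removed where the binary does not need it.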

10. Key Takeaways:

- Easy or default passwords can lead to very serious damage.
- Default paths to login and sensitive pages should be administered.
- Permissions should be assigned and granted carefully, especially for executable binaries and scripts.
- The absence of lockout mechanisms makes brute-forcing a matter of time before an attacker gets the right combination.


Copyright © 2026 Trojent - All Rights Reserved.
