Faced with an ever-increasing number of internal attacks, network infrastructure security is a key factor in ensuring the confidentiality and integrity of data, as well as the continuity of an organization’s activities.
There are several ways of assessing the security of an internal network. In this article, we present the “offensive” approach, which we believe to be the most effective: internal penetration testing. We detail the principles and objectives, as well as use cases for black box and grey box penetration testing of an internal network.
Detailed plan:
An internal penetration test consists in assessing the security of an internal network from the position of an attacker who manages to break in. In this type of audit, a pentester will simulate the behavior of an attacker by exploiting potential security flaws, in order to measure their impact and propose corrective measures to reinforce network security.
For this purpose, two scenarios are generally considered:
A penetration test is a tailor-made operation. In fact, it is possible to test all the components of your internal network, or to focus on the elements most at risk, depending on the need identified.
During an internal penetration test, the pentesters’ objective will be to find all types of vulnerabilities that could compromise the confidentiality and integrity of stored and exchanged data, as well as the continuity of an organization’s activities.
The tests cover (but are not limited to):
For more information, take a look at our article exploring the most common vulnerabilities and attacks on the network infrastructure.
The methodology will depend on the chosen scenario (black box or grey box) and whether the network has an Active Directory. In both cases, however, the pentester will first perform a network reconnaissance and discovery phase.
During this phase, the pentester looks at its position in the network and the equipment around it. He will list the type of equipment, the services exposed and passively listen to communications. In this way, he can identify:
Following this reconnaissance, the pentester can launch the corresponding tests for each scenario.
In the absence of a valid account, the pentester will concentrate its efforts on attacks requiring no authentication. This involves analyzing exposed services or servers and their versions. This analysis will be used to detect publicly known vulnerabilities affecting non-updated network components.
Indeed, for an attacker, the presence of non-updated components represents a potential entry point. Some publicly known vulnerabilities have a strong impact on components or servers, such as remote code execution (RCE).
To detect them, the attacker simply needs to enumerate the versions of accessible services or operating systems, and compare the observed versions with databases of known vulnerabilities.
Taking the Windows operating system as an example, a non-updated version can enable an attacker to gain administrator access to the machine without prior authentication. Many publicly known vulnerabilities, such as Eternal Blue (MS17-010), are still being discovered during our audits. They are the direct consequence of a deprecated system or an insufficient update policy.
The example given for Windows machines applies to all network systems and services. The presence of non-updated systems is therefore a highly likely point of entry for an attacker without an account.
Given his position within the network, the attacker has the means to passively or actively eavesdrop on network communications.
This generally involves poisoning protocols such as ARP, NBT-NS or LLMNR.
In this way, the attacker will be able to observe and analyze network traffic even if his machine is not the initial target of the exchanges. The pentester will then be in a “Man-In-The-Middle” position.
This listening can even become active by replaying specific requests. In the scenario of an attacker without an account (i.e. in black box), this is a particularly effective attack, especially in an Active Directory environment, with the NTLM Relay attack on SMB ports.
This attack is made possible by the absence of the SMB protocol’s signature mode.
The reasons why this attack is so effective are as follows:
To carry out this attack, the attacker simply needs to be present on the network and launch open-source tools. These tools will place the attacker in a “Man-In-The-Middle” position and relay the NTLM authentications observed.
The consequence is to obtain a valid SMB session on machines not requiring the signature. This operation is invisible to the victim user.
The impact of the session obtained will depend on the privileges of the victim user. If the user does not have administrator rights, then this session will only enable access to the file shares exposed by the targeted servers. However, if only one of the victim users has administrator rights, then the attacker will be able to use this SMB session to write or read all files, or retrieve all password hashes present on the target machine.
Depending on the nature of these hashes, the attacker can either break them to obtain the password values in clear text, or use them directly on other services.
In this situation, the attacker goes straight to the second scenario (attacker with account).
Even in the absence of the SMB protocol and an Active Directory context, unsigned or unencrypted protocols can also be replayed or listened to using other protocols. This is the case, for example, with the http protocol, which does not guarantee the confidentiality of exchanges.
If the network has web servers for internal use, but these do not use the secure HTTPS protocol, then the attacker will be able to obtain the content of client-server exchanges by simply eavesdropping on the network. As soon as credentials are exchanged, via a login page for example, the attacker will also have knowledge of these credentials and will be able to use them to access this service.
On a network, services are sometimes exposed without requiring authentication. This can happen, for example, when an FTP or SMB service allows anonymous sessions.
Under these conditions, the attacker can interact with the service to see if any sensitive information is exposed (files, keys, personal data, etc.). Sometimes, these services allow write access to these anonymous sessions. In this case, the attacker will have the opportunity to drop malicious files that could trick other users using the service. This is the case, for example, with the deposit of a malicious SCF file in an SMB file share.
Any user subsequently visiting the file share with Windows Explorer will attempt an SMB connection to a server controlled by the attacker. This connection will disclose a netNTLMv2 connection secret to the attacker. This secret can be used to calculate the user’s password.
The success of the calculation will then depend on the complexity of the user’s password. If the password proves insufficiently complex, the attacker will obtain the plaintext value of the password and can then reuse the account thus obtained in the 2nd scenario.
As already mentioned, the success of certain attacks will depend on the complexity of user passwords or network services.
While it is difficult in the first scenario to obtain an exhaustive list of all users, it remains possible for the attacker to try to connect to exposed services with default or highly probable identifiers. In this way, the attacker can search for the services or models of certain equipment to gain access to them.
We’re thinking here of certain printer brands or web interfaces accessible with the login combination “admin:admin”. Here, the pentester will use the results of the service enumeration phase as a basis, and attempt to find the most likely login/password combinations, within the limits of network policy.
At Vaadata, we take this a step further by recovering logins and passwords that have been leaked by an external source. For example, the LinkedIn professional social network leak, which took place in 2017. This type of leak has a chance of disclosing passwords that are still in use. A valid login then occurs if the user uses the same password both on external sites and to access his company’s internal service. In this case, the attacker will obtain a valid account and thus meet the conditions of the second scenario.
The password policy will also be put to the test every time the attacker intercepts a login secret or password hash. Indeed, the user’s plaintext password can be calculated from these secrets. Whether it’s hashes recovered from compromised workstations or hashes captured during NTLM authentication, the company’s password policy will make it more or less difficult to recover cleartext password values.
The application of a good password policy is therefore essential to ensure resistance to the attacks described above.
Once an attacker has an account, he or she is able to access certain less privileged services. In other words, services that are accessible to any authenticated user. The aim of this phase is to check that these services do not expose secrets that could be used to escalate privileges.
In an Active Directory context, the auditor will look at the LDAP database, GPOs and service accounts.
This directory, which is accessible to all authenticated users, contains the list of users and machines in the domain. In addition to providing useful information for the attacker to complete the enumeration phase, passwords are sometimes entered in the description field of LDAP objects. Inspection of these description fields is often fruitful in the discovery of new, valid accounts.
Another use of the LDAP directory by the attacker is the discovery of service accounts. Indeed, service accounts are privileged targets because of their behavior with the Kerberos authentication protocol.
This attack targets service accounts with important access rights. For example, an administrator account with the properties of a service account.
Once the attacker has a valid account, it is possible to request a Kerberos ticket to access domain services. This ticket can be requested even if the user does not initially have access to the service.
These tickets are generated using the secret (password) of the associated service accounts. A cryptographic logic enables the attacker to recover the original password of the service account if the complexity of the password is insufficient. This operation is known as the “Kerberoast” attack.
Compromising this password will allow access to a new account and associated services. In our example, this means that the attacker would have obtained the password to the administrator’s account.
Another way to exploit service accounts is to abuse their delegation properties. The Kerberos authentication protocol allows a machine or service account to pretend to be another user. This principle, known as delegation, exists in several forms and has been constantly improved with new versions of Windows. The successive forms of delegation make configuration complex.
The consequence is that a misconfiguration of this principle can be exploited by an attacker to obtain an escalation of privileges. To do this, the attacker will spoof an account with higher privileges by compromising a service account or a machine capable of delegation.
Thus, the analysis of the players in this delegation is a point of attention to have for the pentester.
These are group policies in an Active Directory domain. They determine the set of administration and configuration rules for the Windows machines in the network.
One method of auditing is to inspect the SYSVOL file share for passwords. This file share, which contains group policy information, is readable by all users. Passwords can be exposed in this file share, either because they are present in plain text in scripts, or because they are defined in a “GPP” (Group Policy Preferences). Originally, GPPs stored secrets, ensuring their confidentiality.
However, following the sharing of the private key to the encryption algorithm on Microsoft’s public documentation in 2012, all the secrets stored by GPP can now be decrypted.
Another method is to identify problematic configurations that could lead to privilege escalation in the Group Policies themselves. For example, users with excessive and unnecessary access rights. Such misconfigurations are detected by consulting all Group Policies.
A tool for graphically displaying these strategies and other properties in the form of a graph will enable the pentester to detect attack paths and enumerate them, even in complex organizations.
The ADCS solution provides customizable services for issuing and managing the digital certificates used by software employing public key technologies.
In our case, these digital certificates can be used to authenticate computer, user or device accounts on a network.
Although the features provided by the solution greatly facilitate certificate management operations, misconfiguration of this solution can have an impact on overall domain security.
Indeed, the solution’s configuration will define how a certificate can be requested, by which entity and for what purpose. Certain problematic configurations of this solution will allow an attacker to generate authentication certificates in the place of other users, thus enabling the spoofing of the user account associated with the generated certificate. In this way, privilege escalation becomes possible.
The various scenarios and tests presented are designed to assess the impact of an attacker on the audited system. At the end of the 2nd scenario, the auditor is able to assess the maximum impact of an attacker. This impact will depend on the level of privileges obtained.
A system that fails to protect itself from the attacks listed above is likely to allow an attacker to obtain the highest level of privileges.
In an Active Directory context, this refers to domain administrator privileges. Among other things, by obtaining domain administrator privileges, an attacker will be able to compromise all machines and accounts in the domain (user workstations, Windows servers, file sharing, etc.). However, the attacker’s impact generally doesn’t stop there. The disclosure of secrets present on domain machines generally enables the attacker to reach resources outside the domain.
We’re thinking here of website administration passwords, cloud environments and access keys to non-Windows systems. Also, an attacker with this level of privilege will be able to deploy malware across the entire network. This is the case, for example, with ransomware attacks.
It is important for any manager of an internal or Active Directory network to assess their network’s level of resistance to the attacks described in this article. This assessment can be carried out by one of the audits we offer. Whether black-box or grey-box, we can help you identify the weaknesses in your system and assist you in correcting them.
Contact us to discuss your challenges and requirements.
Author : Benoit PHILIPPE – Pentester @Vaadata