Note from the Editor: This is the 6th installment of an 8-part blog series entitled, “Everything you need to know about an External Penetration Test.” To read the series from the beginning, please start at “What is an External Penetration Test?”
Clients want to know how to improve the results of a penetration test. Whether it is to ensure your regulatory compliance, provide a clean penetration test report, or just to better your overall security posture, having a penetration test with fewer critical findings is a good thing. To help improve the results of your penetration test and have fewer critical findings, here are a few tips.
Top Ways to Improve the Results of an External Penetration Test
Patch your Systems
This first one may be obvious; however, it is still among the most common themes we see. Outdated systems consistently lead to exploits and, more times than not, total system compromise. When a serious vulnerability is reported, Microsoft (or whoever the vendor is) resolves that vulnerability with a patch. If you are not applying those patches, you are allowing those vulnerabilities to remain on the network. This enables a penetration tester, or attacker, to exploit your systems.
Even more risky is using unsupported systems. When systems are end-of-life, the vendor will no longer provide patches when vulnerabilities arise. Further, lack of support means that vendors are less likely to research or disclose vulnerabilities against the system. Over time, vulnerabilities will continue to build up on these systems. It naturally follows that the older the system, the more likely a vulnerability will be present. This allows an attacker to gain access to the system.
There are certain situations where these systems may still be necessary, and removing them would cause a major business disruption. For those systems, segment them off into their own VLAN. Restrict access to those systems as much as possible. This means as few people as possible should be able to access these systems with as few exposed ports as possible. Depending on the risk, and what sensitive information this system holds, consider implementing further protections such as IDS/IPS on this segment. Finally, be sure to configure the system to alert you as soon as something happens that shouldn’t.
Secure your Passwords
One of the easiest ways for us to gain access to your system is right through the front door. Most likely, this means accessing your administrator applications and using the default password that came with the system. This happens far too often in penetration testing, and it usually gives us full control over the application or underlying host. In the past, we have even gained access to an Active Directory manager using the credentials “admin:admin”. At that point, we created ourselves an account with domain administrator permissions and called the client. So how does this happen? Well, in some instances, the IT administrator was just trying to get the system working properly and forgot about it. In other instances, servers come with additional components or administrator consoles that the IT team didn’t know about.
To fix this, we recommend creating or adopting a hardening checklist. Be sure to follow this checklist every time and include the following:
- SNMP community strings
- default passwords
- unnecessary functionality
- disabling the guest account
Pilots use checklists prior to take off every single time. Why? Because it makes sure they don’t forget something. Even if they have flown 1,000 times. Be sure to implement this same concept across your IT team. Checklists can help ensure something doesn’t slip through the cracks. Using a hardening guide like the ones offered by NIST will quickly improve the results of your penetration test.
In addition to a checklist, perform periodic checks to make sure you haven’t forgotten any default passwords. Next, remove the weak passwords on the network. This all starts with user education. If you change the password requirement to 16 characters, users will just write it down on post-it notes. If you change it to 8 characters, you will have people using ‘Company1’ as their password. What we have found is that most users don’t know how to choose a strong password. Although user education and password policies can reduce your risk related to weak passwords, they are not foolproof. Because of this, wherever possible, implement multi-factor authentication. This will better your security posture and improve the results of your penetration test.
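The periodic checks described above can be scripted so they are not forgotten. The following is an added example, not code from the original post or from SIG, that audits three of the checklist items on the local Windows host: whether the Guest account is disabled, which SNMP community strings are configured (and whether any are the common vendor defaults), and which local accounts have non-expiring passwords plus what ports are listening. It assumes it is run in an elevated PowerShell session on Windows 10 / Server 2016 or later; the SNMP registry path is only present when the SNMP service is installed. Default application passwords cannot be checked generically, so those still need the checklist.

```powershell
# Added example (not from the original post): local hardening audit for a few
# checklist items. Assumed: elevated session, Windows 10 / Server 2016 or later.

function Test-GuestAccountDisabled {
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($null -eq $guest) { return $true }   # no Guest account at all
    return (-not $guest.Enabled)
}

function Get-SnmpCommunityStrings {
    # Each value name under ValidCommunities is a community string; the value
    # data is its access level. The key exists only if SNMP is installed.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
    if (-not (Test-Path $path)) { return @() }
    return @((Get-Item $path).GetValueNames())
}

$defaultCommunities = @('public', 'private')   # common vendor defaults

$communities = Get-SnmpCommunityStrings
$report = [ordered]@{
    GuestDisabled               = Test-GuestAccountDisabled
    SnmpCommunities             = if ($communities.Count) { $communities -join ', ' } else { '(none / SNMP not installed)' }
    DefaultSnmpCommunityPresent = [bool]($communities | Where-Object { $defaultCommunities -contains $_.ToLower() })
    # Enabled local accounts whose password never expires deserve a second look.
    NonExpiringLocalAccounts    = (Get-LocalUser |
                                   Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
                                   Select-Object -ExpandProperty Name) -join ', '
    # "Unnecessary functionality" usually shows up as a listening port nobody owns.
    ListeningPorts              = (Get-NetTCPConnection -State Listen |
                                   Sort-Object LocalPort -Unique |
                                   ForEach-Object { "$($_.LocalPort)/$($_.OwningProcess)" }) -join ' '
}

[pscustomobject]$report | Format-List
```

The Guest finding is fixed with `Disable-LocalUser -Name Guest`; a default SNMP community string is removed by deleting that value name from the `ValidCommunities` key (or by uninstalling SNMP if it is not needed). Listening ports are shown as `port/PID` so each one can be traced to a process and either justified or removed.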
Prevent Password-Spraying Attacks
The password-spraying attack is one of the most successful attacks our penetration testing team uses. To conduct this attack, we first do some open-source reconnaissance against your organization. One thing we are looking for is the format of your organization’s usernames/email accounts. Is it First.Last@Company.com or first initial + last name? Often it is very easy to find a few email addresses from Google, and then we can learn the pattern.
Once we know that pattern, we will get a list of employees from LinkedIn. Before long, we will have a list of hundreds of usernames we can use in password attacks. In a password spraying attack, we will use a common password (Password123! for example) against a large list of usernames. By doing this, we are able to avoid account lockouts. Further, we also can usually avoid setting off any alerts that would make our presence known. Usually, within a few guesses, we have a few accounts that we can now use for an initial foothold to things like email, SharePoint, etc.
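The pattern described above (one or two guesses against many accounts, staying under the lockout threshold) is also what makes a spray detectable, because it looks different from a brute-force attack against a single account. The following is an added example, not code from the original post or from SIG, that pulls failed logon events (Security event ID 4625) from a domain controller and flags any source address that failed against many distinct accounts with only a few attempts each. The thresholds (`MinAccounts`, `MaxPerAccount`) are assumptions to tune for your environment, and the sample events at the bottom are constructed so the logic can be run without real logs.

```powershell
# Added example (not from the original post): detect password-spray shaped
# failures in Windows Security event 4625. Thresholds are assumptions.

function Get-FailedLogons {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # 4625 = "An account failed to log on". Field values live in the event XML.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $data['TargetUserName']
                Source = $data['IpAddress']
            }
        }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$MinAccounts  = 10,   # distinct accounts hit from one source
        [int]$MaxPerAccount = 3    # few tries per account = staying under lockout
    )
    $Failures | Group-Object Source | ForEach-Object {
        $perAccount = @($_.Group | Group-Object User)
        $accounts   = $perAccount.Count
        $maxTries   = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
        if ($accounts -ge $MinAccounts -and $maxTries -le $MaxPerAccount) {
            [pscustomobject]@{
                Source             = $_.Name
                AccountsTargeted   = $accounts
                MaxTriesPerAccount = $maxTries
                FirstSeen          = ($_.Group | Sort-Object Time)[0].Time
                Accounts           = ($perAccount.Name | Sort-Object) -join ', '
            }
        }
    }
}

# Constructed sample data (documentation address ranges), not real log output.
$now = Get-Date
$sample = @(
    # one source, one attempt each against 12 accounts: spray shape
    foreach ($i in 1..12) { [pscustomobject]@{ Time = $now.AddMinutes($i); User = "user$i"; Source = '203.0.113.10' } }
    # one source, 20 attempts against one account: brute force, caught by lockout instead
    foreach ($i in 1..20) { [pscustomobject]@{ Time = $now.AddSeconds($i); User = 'jdoe'; Source = '198.51.100.7' } }
)
Find-PasswordSpray -Failures $sample | Format-List
# Against live logs on a domain controller:
# Find-PasswordSpray -Failures (Get-FailedLogons -Since (Get-Date).AddHours(-2)) | Format-List
```

On the constructed sample, only 203.0.113.10 is reported (12 accounts, 1 try each); 198.51.100.7 is excluded because all 20 failures are against one account. Scheduling this against the domain controllers' Security logs, or expressing the same grouping in your SIEM, turns the "no alerts" situation described above into an alert.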
Implement Multi-Factor Authentication
The truth is, as discussed above, you will always have users that have weak passwords. The best way to prevent this is to use multi-factor authentication. By definition, multi-factor authentication requires users to authenticate using at least two of the following:
- Something you know – For example, a password.
- Something you have – For example, a smart card or your cell phone.
- Something you are – For example, a fingerprint scan.
With multi-factor authentication in place, even if an attacker guesses the password, they will still have another step they have to bypass. This dramatically reduces the likelihood you will fall victim to a password attack, and it vastly improves the results of your penetration test.
Turn off NBNS and LLMNR
Ok, this one is a bit more technical, but bear with me. NetBIOS Name Service (NBNS) and Link-Local Multicast Name Resolution (LLMNR) are methods that Windows computers use when they cannot find a host on the network. These services are vulnerable to spoofing attacks, which allow an attacker to impersonate the host you are trying to reach.
Let’s walk through this attack:
In this attack scenario, let’s say that you are trying to connect to a file server on the network. You mistype the name of the server (TYPO-server01). When your Windows computer is trying to access this system across the network, it will first check the local hosts file to see if it has talked to the system recently. As it is not in the local hosts file, your computer will then ask the DNS server where the system resides (Step 1). As the system does not exist, the DNS server will be unable to assist (Step 2). So, as a final resort, your Windows system will broadcast an NBNS or LLMNR request across the network (Step 3). This allows any attacker on the network to answer the request, claiming to be the system.
Most of the time, this is benign traffic that means nothing to the attacker. However, in the case of a file server like our example, you need to prove you have permissions to view the file you are trying to access. Because of this, your computer will send your hashed (one-way transformed) password to the machine it’s trying to access, which is the attacker in this case. This allows the attacker to take that password hash offline and perform password cracking to attempt to uncover it.
The above attack is the most common way we gain an initial foothold during an internal penetration test. The worst part is, in a normal corporate environment with an internal DNS server, NBNS and LLMNR are completely unnecessary. By disabling them you can improve the results of your penetration test.
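Both protocols can be turned off per host with two settings, and the change is worth verifying rather than assuming. The following is an added example, not code from the original post or from SIG, that disables LLMNR through the DNS Client policy value, disables NetBIOS over TCP/IP on every IP-enabled adapter, and then reports whether both are off. It assumes an elevated session on Windows 10 / Server 2016 or later. In a domain you would set the same LLMNR value centrally with Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution"); the NetBIOS setting is per adapter, so it must be reapplied when new adapters appear (a DHCP option or startup script is the usual way).

```powershell
# Added example (not from the original post): disable LLMNR and NBNS on the
# local host and verify. Assumed: elevated session, Windows 10 / Server 2016+.

# 1. LLMNR is read from this policy value by the DNS Client service. 0 = off.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

# 2. NBNS: TcpipNetbiosOptions 0 = take from DHCP, 1 = enabled, 2 = disabled.
function Disable-NetbiosOnAllAdapters {
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = success, 1 = success but a reboot is required
        [pscustomobject]@{ Adapter = $nic.Description; ReturnValue = $result.ReturnValue }
    }
}
Disable-NetbiosOnAllAdapters | Format-Table -AutoSize

# 3. Verify both settings so the change can be proven in a report.
function Test-LlmnrDisabled {
    $value = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    return ($value -eq 0)
}
function Test-NbnsDisabled {
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    # every IP-enabled adapter must report option 2
    return -not ($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
}
[pscustomobject]@{ LlmnrDisabled = Test-LlmnrDisabled; NbnsDisabled = Test-NbnsDisabled }
```

The two `Test-` functions are the part to keep: run them from your configuration baseline checks so a rebuilt or newly imaged host that quietly re-enables either protocol shows up before the next test does.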
Use Unique Local Administrator Accounts
Once we gain administrator or SYSTEM level permissions to a host, it is usually a sure thing that we will get Domain Administrator permissions on the network. At that point, it is just a matter of finding an organization’s sensitive information so we can take some screenshots and help convey risk. Why is it a sure thing that we will get Domain Admin from a single system? Well, usually it is because the local administrator password on that machine is the same on most, if not all, systems on the network. Once we have SYSTEM level access on a host, we can dump contents from memory, including the SAM database, which contains the password hashes for all local accounts, including Administrator. When you use that same password across the network, we can use that password hash we find to log on to all other devices, without even having to crack it.
In the past, the only way around this was an administrative nightmare. IT would have to remember (or write down/electronically store) the password for each and every machine in order for them to be unique. Luckily, Microsoft released the Local Administrator Password Solution (LAPS) to address this very issue. LAPS will automate the process of changing the password for every local administrator account across your network and keep it in a database for you.
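Deploying LAPS only helps on the machines it actually manages, and the gap is usually a handful of forgotten hosts. The following is an added example, not code from the original post or from SIG, that lists domain computers with no LAPS-managed password by checking whether the password-expiration attribute LAPS writes has ever been set. It assumes the ActiveDirectory PowerShell module is available and that the caller can read that attribute (it is not the password itself, which this script never requests). The default attribute name is the one used by the original (legacy) LAPS, `ms-Mcs-AdmPwdExpirationTime`; environments on Windows LAPS pass `msLAPS-PasswordExpirationTime` instead. Requesting an attribute that is not in your schema makes `Get-ADComputer` fail, which is why only one name is queried at a time.

```powershell
# Added example (not from the original post): which computers lack a
# LAPS-managed local admin password? Assumed: ActiveDirectory module present.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # legacy LAPS attribute; use 'msLAPS-PasswordExpirationTime' for Windows LAPS
        [string]$ExpiryAttribute = 'ms-Mcs-AdmPwdExpirationTime'
    )
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                   -Properties $ExpiryAttribute, OperatingSystem, LastLogonDate |
        ForEach-Object {
            $expiry = $_.$ExpiryAttribute
            [pscustomobject]@{
                Name        = $_.Name
                OS          = $_.OperatingSystem
                LastLogon   = $_.LastLogonDate
                LapsManaged = [bool]$expiry
                # The attribute is a FILETIME (100 ns ticks since 1601, UTC).
                PasswordExpires = if ($expiry) { [datetime]::FromFileTimeUtc([int64]$expiry) } else { $null }
            }
        }
}

$coverage  = @(Get-LapsCoverage)
$unmanaged = @($coverage | Where-Object { -not $_.LapsManaged })

"Computers without a LAPS-managed local administrator password:"
$unmanaged | Sort-Object LastLogon -Descending | Format-Table Name, OS, LastLogon -AutoSize
"LAPS coverage: {0} of {1} enabled computers" -f ($coverage.Count - $unmanaged.Count), $coverage.Count
```

Sorting the unmanaged list by last logon puts the hosts that are actually in use at the top; stale computer objects that never log on are a cleanup task rather than a LAPS gap. A host whose `PasswordExpires` is far in the past is also worth a look, since it means the LAPS client stopped rotating the password.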
Improve the Results of Your Penetration Test
In summary, the five steps listed above are a great way to improve the results of your penetration test. In order to keep it relatively high-level we left out a few technical details of how some of these attacks work, but hopefully it provides you with a good understanding of what the core issues are, why they are a risk to your organization, and how to resolve them. Of course, if you have any questions, feel free to reach out and we would love to talk it through further. Leave a comment below or reach out through our contact page. Have you found other items we left out? Are there other key ways to improve the results of your penetration tests? If so, let us know below.
For more information on our external penetration testing services, please contact us today.
About the Author
Matt is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.