Height = 42
Internal Penetration Test:
The HitchHackers(TM) Guide to Discovering Sensitive
Information
ETHICAL HACKER | DON’T PANIC!
About Me
Darin Fredde, CISSP
Pentester at US Bank
Adjunct Professor Richland College
University of Dallas (UD) - Master of Science in Cybersecurity
University of Dallas (UD) - Cybersecurity Graduate Certificate
The US National Security Agency (NSA) and the Committee on
National Security Systems (CNSS) Certification NIST 4011-4016
Certified Information Systems Security Professional (CISSP)
CompTIA Network+ Certification
CompTIA Security+ Certification
What is an Internal Penetration Test
An internal penetration test mimics the actions of an actual attacker exploiting vulnerable systems, services, and applications or sensitive data, using both automated and manual tools. However, an internal penetration test still requires permission. So, only hack if you have written consent to attack.
What is Sensitive Information
Sensitive data is defined as information that is protected against unwarranted disclosure. Access to sensitive data should be safeguarded. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.
The Scenario
▪ Discovering and reviewing sensitive information on a penetration test can be a time-consuming manual process.
▪ Blindly hunting around for sensitive information can be an incredibly challenging and even unproductive task.
▪ Aimlessly hopping from one system to another while looking for sensitive information can get you caught.
▪ The challenge of having too much access to too many systems with limited days for testing.
▪ A lack of tools for searching inside of the content of files.
The Solution
Even though some vulnerability scanners can test for sensitive data exposure when given credentials, an internal penetration test can illustrate the impact of a compromise.
An internal penetration test can uncover vulnerabilities by leveraging the unstructured data to compromise or misuse an application.
It should also be noted that an internal penetration test often uncovers vulnerabilities that can’t be detected by vulnerability scans.
It can lead to gaining a foothold, privilege escalation, or full domain compromise.
The Findings
▪ Network share found with unsuitable permissions
▪ Confidential data found on network share
▪ Cleartext username and password found
▪ CWE-259: Use of Hard-coded Password
▪ Encoded passwords
▪ PCI-DSS violation: Primary Account Number (PAN) data at rest
BMC Patrol Cleartext Credentials Disclosure
Software Description: BMC Patrol integrates with the Hardware Sentry KM for PATROL agent.
▪ The password may appear in cleartext when a command times out or fails, or from the use of a macro that inserts the password in the command line.
▪ The BMC Universal Data Repository (UDR) file exposes the cleartext password.
Reference: https://www.sentrysoftware.com/download/hardwareSentryKM/10.0.01/mshw_PATROL_10001_Documentation.pdf
WebSphere FFDC Cleartext Credential Disclosure
Description: IBM WebSphere Application Server is an application designed to host enterprise Web applications.
▪ Cleartext credentials found in the First Failure Data Capture (FFDC) logs.
▪ Observed that the WebSphere Application Server SOAP connection issue (IBM Probe Id: 846) captured passwords in cleartext.
Reference: https://www-01.ibm.com/support/docview.wss?uid=swg1IC54419
Reference: https://www-01.ibm.com/support/docview.wss?uid=swg24023927
Discovering Passwords in SYSVOL
Passwords in the XML file can be searched for using the key value “cpassword”.
As per Microsoft’s documentation the value is AES-encrypted with a 32-byte key; the encryption key is:
Reference: https://niiconsulting.com/checkmate/2016/02/hunting-passwords-in-sysvol/
SYSVOL folder: Run > \\%Logonserver%
Local admin password in VBS file
Examples:
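The cpassword search this slide describes, as an added Python example that is not part of the deck: it parses a constructed Groups.xml (the sample data and the placeholder cpassword value are mine, not real), reports every element that carries a non-empty cpassword attribute, and can walk a SYSVOL Policies tree for the other preference files that use the same attribute (Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml, Printers.xml). It records the account name and the length of the value rather than the value itself, which is all a finding needs; the function names and the sample are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Group Policy Preferences Groups.xml.
# The cpassword value is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """
<Groups>
  <User name="LocalAdmin" image="2" changed="2019-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User name="Guest" image="2" changed="2019-01-01 00:00:00">
    <Properties action="U" cpassword="" userName="Guest"/>
  </User>
</Groups>
"""


def find_cpassword(xml_text, source="<constructed>"):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings                      # not XML, nothing to report
    for el in root.iter():
        value = el.attrib.get("cpassword")
        if not value:                        # absent, or present but empty (no password set)
            continue
        # Groups.xml uses userName, Services.xml accountName, ScheduledTasks.xml runAs.
        account = (el.attrib.get("userName") or el.attrib.get("accountName")
                   or el.attrib.get("runAs") or el.attrib.get("name", ""))
        findings.append({
            "source": source,
            "element": el.tag,
            "account": account,
            "cpassword_length": len(value),  # report the size only, never the value
        })
    return findings


def scan_sysvol(policies_root):
    """Walk a SYSVOL Policies tree (local path or UNC) and check every .xml file in it."""
    results = []
    for dirpath, _dirs, files in os.walk(policies_root):
        for fn in files:
            if not fn.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8-sig", errors="ignore") as fh:
                    results.extend(find_cpassword(fh.read(), source=full))
            except OSError:
                continue                     # unreadable file, keep walking
    return results


if __name__ == "__main__":
    for f in find_cpassword(SAMPLE_GROUPS_XML):
        print(f"{f['source']}: <{f['element']}> account={f['account']} "
              f"cpassword present ({f['cpassword_length']} chars)")
```

Run `scan_sysvol(r"\\<dc>\SYSVOL\<domain>\Policies")` from a domain-joined host to cover a whole domain; the write-up is the same whether or not the value is ever decrypted: remove the preference and rotate the account it set.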
Discovering System Data in Citrix Portal
Reference: https://quest.com/
Tools and Techniques
Reference: https://fireeye.com
Discovering Systems Listening on SMB
Example(s):
nmap -vv -Pn -n -p 445 10.11.22.0/24 -oA smb_hosts.txt
nmap --script smb-enum-shares 10.11.22.0/24 -p445 --script-args smbuser=testuser,smbpass=password1
Reference: https://www.dionach.com/blog/discovering-sensitive-information-in-file-shares
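An added Python helper, not from the deck, for the step between the scan and the share enumeration: `-oA smb_hosts.txt` also writes smb_hosts.txt.gnmap, and this parses that grepable output into the list of hosts with 445/tcp open, which is what a HostList.txt for Invoke-ShareFinder needs. The .gnmap lines below are constructed, and the function names are mine.

```python
import re

# Constructed lines in nmap's grepable (.gnmap) format, as written by -oA.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -vv -Pn -n -p 445 10.11.22.0/24 -oA smb_hosts.txt
Host: 10.11.22.5 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.11.22.6 ()\tPorts: 445/filtered/tcp//microsoft-ds///
Host: 10.11.22.7 ()\tPorts: 445/closed/tcp//microsoft-ds///
Host: 10.11.22.9 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
# Nmap done at ...: 256 IP addresses (4 hosts up) scanned
"""

# "Host: <ip> (<hostname>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_gnmap(text):
    """Return {host: {port: state}} built from every 'Ports:' line."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                  # comments and Status-only lines
        host = m.group(1)
        ports = m.group(2).split("\t")[0]             # drop a trailing "Ignored State:" field
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            hosts.setdefault(host, {})[int(fields[0])] = fields[1]
    return hosts


def hosts_with_open_port(text, port=445):
    """Hosts where the given port is reported open, sorted for a stable host list."""
    return sorted(h for h, p in parse_gnmap(text).items() if p.get(port) == "open")


def write_host_list(hosts, path="HostList.txt"):
    """One host per line, ASCII, the shape Invoke-ShareFinder -HostList reads."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    smb_hosts = hosts_with_open_port(SAMPLE_GNMAP)
    print(f"{len(smb_hosts)} host(s) with 445/tcp open: {smb_hosts}")
```

For a real run, read smb_hosts.txt.gnmap from disk and pass its contents to `hosts_with_open_port`; filtered and closed hosts are kept in `parse_gnmap` so they can be reported separately.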
Identifying Which Network Shares Are Accessible
Usage Scenario: Run PowerView in the context of a domain user
1. Launch a command prompt on your Commando VM
2. runas.exe /netonly /user:<DOMAIN>\Username cmd.exe
3. Enter the password. *The password will not be verified at this time and the command prompt will launch
4. C:\> powershell.exe -nop -exec bypass
5. PS C:\> Import-Module [full path to powerview.ps1]
6. Verify you have authenticated access via the Get-NetDomainControllers command. If output successfully returns, you have authenticated to the domain controller!
Reference: https://github.com/PowerShellMafia/PowerSploit
Example: Command
Invoke-ShareFinder -Verbose -HostList HostList.txt -ExcludeStandard -CheckShareAccess | Out-File -Encoding ASCII Found_Shares.txt
Identifying Files of Interest
Usage Scenario: Example: file_results.txt using specific -Terms
Example: Command
Invoke-FileFinder -Verbose -ShareList found_share.txt | Out-File -Encoding ASCII file_results.txt
Reference: https://github.com/PowerShellMafia/PowerSploit
Reference: https://www.sublimetext.com/
Regular Expressions (Regex)
Card_Track_1: (\D|^)%?[Bb]\d{13,19}\^[-/.\w\s]{2,26}\^[0-9][0-9][01][0-9][0-9]{3}
Credit_Card_Track_2: (\D|^);\d{13,19}=(\d{3}|)(\d{4}|=)
Credit_Card_Track_Data: [1-9][0-9]{2}-[0-9]{2}-[0-9]{4}\^\d
Mastercard: (\D|^)5[1-5][0-9]{2}( |-|)[0-9]{4}( |-|)[0-9]{4}( |-|)[0-9]{4}(\D|$)
Visa: (\D|^)4[0-9]{3}( |-|)[0-9]{4}( |-|)[0-9]{4}( |-|)[0-9]{4}(\D|$)
AMEX: (\D|^)(34|37)[0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5}(\D|$)
Social_Security_Number_dashes: (\D|^)[0-9]{3}-[0-9]{2}-[0-9]{4}(\D|$)
Social_Security_Number_spaces: (\D|^)[0-9]{3} [0-9]{2} [0-9]{4}(\D|$)
An example from regexper.com: Regex Railroad Diagram
Example: Regex Text
(?:[Pp][Aa][Ss][Ss][Ww][Dd]|[Pp][Aa][Ss][Ss]|[Pp][Ww][Dd]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd])(?:[#: ])(?:[ |\S])[0-9a-zA-Z!@#$%0-9]*[!@#$%0-9]+[0-9a-zA-Z!@#$%0-9]*
▪ Browsing through regular expression sites like http://www.regexlib.com/ can lead to some useful expressions to help us find all sorts of things like email addresses, social security numbers, MD5 hashes, UUIDs, phone numbers, and credit card numbers.
Reference: https://regexper.com/
Reference: Pen Test Poster: “White Board” – Bash – Find Juicy Stuff in the File System
Reference: https://regexlib.com
Searching Content of Files
Usage Scenario: Notepad++ Sample Credit Cards Regular Expression
Reference: https://notepad-plus-plus.org/
Searching With Regular Expressions
Usage Scenario: Sublime Sample Credit Cards Regular Expression
Reference: https://www.sublimetext.com/
Searching UNC Paths
Usage Scenario: Searching for files using two UNC paths separated by a comma.
Reference: https://www.sublimetext.com/
Searching Multiple Servers' UNC Paths
Usage Scenario: Example text query looking inside the files of ~57 servers (~60 UNC paths).
Reference: https://www.fileseek.ca/
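The regex slide and the file-search slides (Notepad++, Sublime and FileSeek over one or many UNC paths) as one added Python example, not code from the deck: it takes the slide's Mastercard, Visa, AMEX and SSN patterns (with the backslashes restored) and the password "Regex Text", adds a Luhn check so a random 16-digit run is not reported as a card number, walks local or UNC paths the way the GUI tools do, and writes only masked values into its findings so the output is not itself a new copy of the sensitive data (the redaction point from the "Protecting Penetration Tests Data" slide). The sample text, file and function names are constructed; the card numbers are the public Luhn-valid test numbers.

```python
import os
import re

# Patterns from the deck's regex slide, backslashes restored; "Password" is the
# slide's "Regex Text" example.
PATTERNS = {
    "Mastercard": r"(\D|^)5[1-5][0-9]{2}( |-|)[0-9]{4}( |-|)[0-9]{4}( |-|)[0-9]{4}(\D|$)",
    "Visa": r"(\D|^)4[0-9]{3}( |-|)[0-9]{4}( |-|)[0-9]{4}( |-|)[0-9]{4}(\D|$)",
    "AMEX": r"(\D|^)(34|37)[0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5}(\D|$)",
    "SSN_dashes": r"(\D|^)[0-9]{3}-[0-9]{2}-[0-9]{4}(\D|$)",
    "Password": (r"(?:[Pp][Aa][Ss][Ss][Ww][Dd]|[Pp][Aa][Ss][Ss]|[Pp][Ww][Dd]|"
                 r"[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd])(?:[#: ])(?:[ |\S])"
                 r"[0-9a-zA-Z!@#$%0-9]*[!@#$%0-9]+[0-9a-zA-Z!@#$%0-9]*"),
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}
CARD_PATTERNS = {"Mastercard", "Visa", "AMEX"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not re-expose the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return (line_no, pattern_name, redacted_value) for every hit in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in COMPILED.items():
            for m in rx.finditer(line):
                if name == "Password":
                    findings.append((line_no, name, "<redacted>"))
                    continue
                digits = re.sub(r"\D", "", m.group(0))
                if name in CARD_PATTERNS and not luhn_ok(digits):
                    continue                 # regex hit, but not a plausible PAN
                findings.append((line_no, name, mask(digits)))
    return findings


def scan_paths(paths, max_bytes=50_000_000):
    """Walk local or UNC roots (e.g. r'\\\\server\\share') and scan each text file."""
    report = {}
    for root_path in paths:
        for dirpath, _dirs, files in os.walk(root_path):
            for fn in files:
                full = os.path.join(dirpath, fn)
                try:
                    if os.path.getsize(full) > max_bytes:
                        continue             # skip huge binaries/backups
                    with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                        hits = scan_text(fh.read())
                except OSError:
                    continue
                if hits:
                    report[full] = hits
    return report


# Constructed sample input; not real data.
SAMPLE = """\
customer=alice card=4111-1111-1111-1111 exp=12/26
order 7781 pan 5555 5555 5555 4444 shipped
amex 378282246310005 on file
bogus 4111111111111112 fails the luhn check
ssn 123-45-6789 in hr export
db_password: Summer2019! in app.config
"""

if __name__ == "__main__":
    for line_no, name, value in scan_text(SAMPLE):
        print(f"line {line_no}: {name} {value}")
```

`scan_paths([r"\\server1\share", r"\\server2\share"])` is the multi-UNC-path search from the FileSeek slide; the returned dict, keyed by file path with masked hits, is what goes into the working notes, not the raw matches.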
Protecting Penetration Tests Data
▪ Be aware of the security vulnerabilities in software used for testing.
▪ Protect testing results, tool output, logs, notes, and reports; they may serve as a roadmap for threat actors.
▪ Maintain host security (access control, audit trails) of systems that contain important data.
▪ Redact the footprint of the sensitive data in final reports as much as possible.
▪ “Cleanup” at the end of the engagement: machines should be sufficiently scrubbed following each engagement; use encryption and sanitize your test machine between tests.
Conclusion
It is easy to have a narrow view and sometimes focus on getting a reverse shell, privilege escalation, or a single-purpose objective to gain domain admin.
The primary focus for most cybercriminals is to locate and exfiltrate sensitive data to monetize on underground black markets.
The best tactic for protecting sensitive data is by testing a threat actor’s ability to locate and exfiltrate data.
Let’s find it before they do.
Reference:
Presentation Outline: Template: A Complete Guide
https://slidebean.com/blog/startups-presentation-outline-template
Metadata: a hacker's best friend
https://blog.sweepatic.com/metadata-hackers-best-friend/
SMB Share – SCF File Attacks
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
Penetration Testing vs. Vulnerability Assessment
https://www.hitachi-systems-security.com/blog/penetration-testing-vs-vulnerability-assessment/
Penetration Testing 101
https://www.tracesecurity.com/blog/articles/penetration-testing-101
Types of Penetration Tests and Why They are Important
https://www.sagedatasecurity.com/blog/types-of-penetration-tests-and-why-they-are-important
Combining Shared Folder Permissions and NTFS Permissions
http://www.ntfs.com/ntfs-permissions-combined.htm
Commando VM: Lessons Learned
https://0xdf.gitlab.io/2019/04/15/commando-vm-lessons.html
Commando VM: The First of Its Kind Windows Offensive Distribution
https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html
Finding the Leaks
https://blog.secureideas.com/2013/01/finding-leaks.html
Discovering Sensitive Information in File Shares
https://www.dionach.com/blog/discovering-sensitive-information-in-file-shares
FileSeek
https://www.fileseek.ca/Download/
Notepad++
https://notepad-plus-plus.org/
Find text in a file with PowerShell
https://philerb.com/2011/11/find-text-in-a-file-with-powershell/
Finding Sensitive Data on Domain SQL Servers using PowerUpSQL
https://blog.netspi.com/finding-sensitive-data-domain-sql-servers-using-powerupsql/
How to take Advantage of Weak NTFS Permissions
https://www.blackhillsinfosec.com/how-to-take-advantage-of-weak-ntfs-permissions/
Regular Expressions for Beginners: How to Get Started Discovering Sensitive Data
https://blog.netwrix.com/2018/05/29/regular-expressions-for-beginners-how-to-get-started-discovering-sensitive-data/
Windows PowerShell Tip of the Week
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ff730947(v=technet.10)
OpenDLP
https://code.google.com/archive/p/opendlp/
DerbyCon 2011: Chris Gates (CG) carnal0wnage / Rob Fuller (mubix), The Dirty Little Secrets They Didn’t Teach You in Pentesting Class
http://www.carnal0wnage.com/papers/Derbycon2011_The_Dirty_Little_Secrets_Gates_Fuller.pdf
Use Notepad++ to find text in all files of a folder
https://www.ghacks.net/2016/09/16/use-notepad-to-find-text-in-all-files-of-a-folder/
Scavenger: Post-Exploitation Tool for Collecting Vital Data
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/
Hacker for hire
http://hackerforhire.com.au/post-exploitation-finding-passwords-in-haystacks/
A Data Hunting Overview
https://thevivi.net/2018/05/23/a-data-hunting-overview/
Goal Oriented Pentesting: The new Process for Penetration Testing
https://spl0it.wordpress.com/2009/11/16/goal-oriented-pentesting-the-new-process-for-penetration-testing/
Pen Test Poster: “White Board” – Bash – Find Juicy Stuff in the File System
https://pen-testing.sans.org/blog/2017/03/08/pen-test-poster-white-board-bash-find-juicy-stuff-in-the-file-system/
Detecting Credit Cards, SSNs and other Sensitive Data on Unix/Linux Systems
https://www.tenable.com/blog/detecting-credit-cards-ssns-and-other-sensitive-data-on-unixlinux-systems
Using Burp to Test for Sensitive Data Exposure Issues
https://support.portswigger.net/customer/portal/articles/1965730-using-burp-to-test-for-sensitive-data-exposure-issues
Domain Enumeration w/Netonly
https://www.sixdub.net/?p=579
Veil-PowerView: A Usage Guide
http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
Protecting Penetration Tests: Recommendation for Improving Engagement Security
https://www.blackhat.com/docs/us-17/wednesday/us-17-McGrew-Protecting-Pentests-Recommendations-For-Performing-More-Secure-Tests-wp.pdf
Regular Expressions for Pentesters
http://blog.isecurion.com/2018/05/09/regexp-for-pentesters/
How to Find Sensitive Search Hard Drives for Files
https://null-byte.wonderhowto.com/how-to/hacking-windows-10-find-sensitive-deleted-files-remotely-0183748/
Demonstrative examples CWE
https://cwe.mitre.org/data/definitions/259.html
Windows PowerShell: Changing the command prompt
https://stackoverflow.com/questions/5725888/windows-powershell-changing-the-command-prompt
An Introduction to PowerShell Modules
https://www.red-gate.com/simple-talk/sysadmin/powershell/an-introduction-to-powershell-modules/
Using Functions
https://docs.microsoft.com/en-us/previous-versions//dd745030(v=vs.85)
What color is the dark green on ‘old fashioned’ green screen computer displays/VDUs?
https://superuser.com/questions/361297/what-colour-is-the-dark-green-on-old-fashioned-green-screen-computer-displays
PowerShellMafia/PowerSploit
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Hunting for Sensitive Data with the Veil-Framework
https://www.veil-framework.com/hunting-sensitive-data-veil-framework/
File Server Triage on Red Team Engagements
http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/
PowerSploit and runas.exe
https://github.com/PowerShellMafia/PowerSploit/issues/189
Test/Sample Data
https://support.spirion.com/hc/en-us/articles/115000019252-Test-Sample-Data
Reference:
How to add more than one machine to the trusted hosts list using winrm
https://stackoverflow.com/questions/21548566/how-to-add-more-than-one-machine-to-the-trusted-hosts-list-using-winrm
Ps Trusted Hosts
https://www.powershellgallery.com/packages/psTrustedHosts/1.1.0
How to Add a Computer to the Trusted Hosts List
https://winintro.ru/windowspowershell2corehelp.en/html/f23b65e2-c608-485d-95f5-a8c20e00f1fc.htm
Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods and Effective Defenses, PowerShell, Tech Notes, and Geek Trivia…
https://adsecurity.org/?p=2288
Sensitive Files to Grab in Windows
https://medium.com/@hakluke/sensitive-files-to-grab-in-windows-4b8f0a655f40
The LaZagne Project !!!
https://github.com/AlessandroZ/LaZagne
Hunting Passwords In SYSVOL
https://niiconsulting.com/checkmate/2016/02/hunting-passwords-in-sysvol/
Post Exploitation
Google the following
Linux - Linux Post Exploitation Command List
Linux Post Exploitation Cheat Sheet
Windows - Windows Post-Exploitation Command List
Windows POST-Exploitation Cheat Sheet
Questions?
42
Contact Information
Darin Fredde
www.linkedin.com/in/darinfredde dfredde@hitchhackers.guide
@dkfredde
@H1tchHack3rs

  • 24. Reference: How to add more than one machine to the trusted hosts list using winrm https://stackoverflow.com/questions/21548566/how-to-add-more-than-one-machine-to-the-trusted-hosts-list-using-winrm Ps Trusted Hosts https://www.powershellgallery.com/packages/psTrustedHosts/1.1.0 How to Add a Computer to the Trusted Hosts List https://winintro.ru/windowspowershell2corehelp.en/html/f23b65e2-c608-485d-95f5-a8c20e00f1fc.htm Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Activ4e Directory, Attack Methods and Effective Defenses, PowerShell, Tech Notes, and Geek Triva… https://adsecurity.org/?p=2288 Sensitive Files to Grab in Windows https://medium.com/@hakluke/sensitive-files-to-grab-in-windows-4b8f0a655f40 The LaZagne Project !!! https://github.com/AlessandroZ/LaZagne Hunting Passwords In SYSVOL https://niiconsulting.com/checkmate/2016/02/hunting-passwords-in-sysvol/ Post Exploitation Google the following Linux - Linux Post Exploitation Command List Linux Post Exploitation Cheat Sheet Windows - Windows Post-Exploitation Command List Windows POST-Exploitation Cheat Sheet
Questions?
42
Contact Information
Darin Fredde
www.linkedin.com/in/darinfredde
dfredde@hitchhackers.guide
@dkfredde
@H1tchHack3rs