Three penetration testing tips to out-hack hackers
It should come as no surprise that hackers have been busy lately. According to my go-to resource on hacking stats, the Identity Theft Resource Center, breaches jumped from 780 in 2015 to 1,093 in 2016. Is there a way to take a proactive approach to data security that doesn’t involve investing in more firewalls or virus protection software and ultimately gets to the real source of vulnerabilities?
Yes and yes. The answer is penetration testing, or pen testing for short. It’s a white-hat approach that challenges organizations to expose the vulnerabilities inside their own systems by understanding how a cybercriminal could exploit their internal information.
In short: to defeat hackers, you have to think like one. Effectively, you probe your IT system with the same tools and techniques that hackers use. However, at a typical organization, many in IT may initially fear the practice, thinking it could bring down their system.
That is not the case!
In reality, pen testing is a shrewd method of passive information gathering, and in the Microsoft Windows server domain, that means leveraging Active Directory. Not often viewed as a pen testing tool, Active Directory, in fact, holds incredibly useful information that hackers have been taking advantage of over the years.
Up until recently, the issue for pen testers has been duplicating the hackers’ techniques for pulling user and group metadata out of Active Directory and analyzing it. But thanks to PowerShell and PowerView, which provides cmdlets for accessing AD metadata, pen testers now have an effective toolkit.
There are a few keys to improving the security of your AD-based system. For organizations that want to get started, the following are three pen testing ideas that I’ve found effective:
- Take a Look Around
To get the lay of the land, pen testers should leverage a variety of programs that probe networks, servers, and folders. Programs such as Nessus or crackmapexec, the "Swiss Army knife of pen testing", can help IT admins scan through a network, test login and password information, and run commands remotely.
A neat feature of crackmapexec is that it has a PowerView parameter that lets pen testers directly pass in PV cmdlets. In other words, you don’t need to download the PowerView modules and set up the environment. So this powerful tool gives you instant PowerView capabilities to probe AD and other system information. Learn more here.
- Think Like a Hacker
Once a pen tester gets a sense of the lay of the land, it’s time to start thinking like a hacker -- deciding which folders seem like they would hold valuable information, and which user credentials can provide access to the data in the folder.
For example, a pen tester might spot a file belonging to an Active Directory group labeled as "VIPs" or "Legal Department." Odds are these groups have access to files and information that could give a hacker access to sensitive information about company’s finances or contracts.
But what if as a pen tester, you don’t have the appropriate access rights?
That’s where using pass-the-hash (PtH) comes into play.
The idea is that you wait for a user belonging to the appropriate group -- in this case, VIPs or Legal Department -- to log in to the server. PowerView has a neat cmdlet, Get-NetUser, which does the trick -- displaying all the AD metadata about a user, including group memberships. Then after you’ve found the right user, you secretly dump and reuse the internal Windows authentication keys -- passing the authentication key or ‘hash’. To learn more about PtH, and stealing user credentials without knowing their passwords, read this awesome SANS article on the subject.
By the way, crackmapexec has built-in PtH capabilities, truly making it a multi-pronged pen testing app!
The lesson learned from this kind of pen testing exercise is that IT should carefully review who gets to see sensitive file data, restricting AD group memberships to those who really need it. By protecting the accounts of VIPs, a CEO, or other power users and walling off who has the privilege to see their information, an IT department can make it that much harder for hackers to get the goodies. Pen testing is really about recommending ways to reduce risks as much as possible.
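The review the paragraph above recommends can be scripted. The block below is an added example, not from the article or from PowerView: it uses the RSAT ActiveDirectory module instead of Get-NetUser, expands nested membership of a sensitive group, and flags accounts an admin would want to remove or clean up. The group names and the 90-day staleness threshold are assumptions.

```powershell
# Added example: audit who can actually read data protected by a sensitive AD group.
# Uses the RSAT ActiveDirectory module (not PowerView). Group names are assumed.
Import-Module ActiveDirectory

$SensitiveGroups = @('VIPs', 'Legal Department')   # assumed group names
$StaleDays       = 90                              # assumed threshold

$Report = foreach ($GroupName in $SensitiveGroups) {
    # -Recursive expands nested groups, so indirect members are not missed
    $Members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, Enabled, PasswordNeverExpires, MemberOf

    foreach ($User in $Members) {
        $Flags = @()
        if (-not $User.Enabled) { $Flags += 'DISABLED' }
        if (-not $User.LastLogonDate -or
            $User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $Flags += "STALE>${StaleDays}d"
        }
        if ($User.PasswordNeverExpires) { $Flags += 'PWD-NEVER-EXPIRES' }

        [pscustomobject]@{
            Group          = $GroupName
            SamAccountName = $User.SamAccountName
            LastLogon      = $User.LastLogonDate
            # a user in many groups is a more valuable target if compromised
            GroupCount     = @($User.MemberOf).Count
            Flags          = ($Flags -join ',')
        }
    }
}

# Flagged rows are the membership to trim first; everyone else should still be
# justified by a business need for the group's data.
$Report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```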
- Derivative Admin
In large organizations, it’s not unusual to delegate local admin privileges to special domain-level AD groups. It’s a way to control who in IT gets to have admin rights on workstations and servers. More importantly, it avoids the problem of having IT staff rely on Domain Admin privileges to do work on ordinary users’ machines. That’s a no-no, because their credentials can be stolen using PtH and then hackers would have the keys to the kingdom!
However, there’s an interesting problem that can result from having too many local admin groups. And it’s something that pen testers can help find. The real credit for spotlighting the "derivative admin" vulnerability belongs to Justin Warner, Andy Robbins and Will Schroeder. The details are a little too involved for this short article, but by using PowerView and other PowerShell code, it’s possible for pen testers to find ways to laterally move or hop from one server or laptop to another. Effectively, a local admin user on one machine can be leveraged to gain access to other machines that they normally would be blocked from. Still curious about those details? Learn more here.
Derivative admin is a very cool and subtle idea, but that’s what pen testers do: come up with non-obvious ways to simulate a hack before the real hackers do it.
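The raw material of a derivative admin path is a domain group or user holding local admin on many machines. The block below is an added example, not from the article or from the PowerView authors: it inventories the local Administrators group on a set of hosts with the built-in LocalAccounts cmdlets and ranks domain principals by how many hosts they administer, so IT can see which delegations to tighten. The host names are assumptions, and the hosts must allow PowerShell remoting.

```powershell
# Added example: map which domain principals hold local admin on which hosts.
# Requires WinRM on the targets and admin rights to query them. Hosts are assumed.
$Computers = @('WS-FINANCE-01', 'WS-LEGAL-02', 'SRV-FILE-01')   # assumed hosts

# Collect Administrators membership from each host; unreachable hosts are skipped.
# Invoke-Command tags every returned object with PSComputerName.
$Raw = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, ObjectClass
}

# Group by principal: how many hosts does each domain user or group administer?
$Report = $Raw | Group-Object Name | ForEach-Object {
    [pscustomobject]@{
        Principal   = $_.Name
        ObjectClass = $_.Group[0].ObjectClass
        HostCount   = $_.Count
        Hosts       = ($_.Group.PSComputerName | Sort-Object -Unique) -join ', '
    }
} | Sort-Object HostCount -Descending

# A single group or user with admin on many hosts is the first thing to review:
# once its credentials land on one of those machines, all of them are reachable.
$Report | Format-Table -AutoSize
```

Hosts that do not answer within the timeout simply drop out of the report, so compare the set of hosts covered against your inventory before trusting a low count.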
It’s All About Metadata
The bottom-line for pen testing is that it all comes down, in my opinion, to metadata. The above ideas really involve passively crawling through a network to spot which types of metadata provide the connections a hacker would need to infiltrate (and then take down) an organization.
The goal for IT then should be to configure its Active Directory users and groups in a way that greatly reduces the risk of hackers gaining credentials. As companies grow more and more complex, it’s easy to lose sight of who belongs to which group and what kind of privileges they deserve.
But when using the right tools and knowing which commands uncover this sensitive information, companies will find that pen testing and other risk assessment and reduction techniques will prove mightier than any hacker’s sword.
Photo Credit: BeeBright/Shutterstock
Andy Green is the editor of the Varonis Inside Out Security blog. Varonis is a provider of data governance and security solutions. Andy is a veteran technology journalist with over 12 years of experience writing about high-tech topics for B2B publications, market research firms, and leading software companies. At Varonis, he is focused on drawing connections between data security, compliance, and real-world IT. In his limited free time, Andy covers quirky startups and other tech topics for The Technoverse Blog (TvB), which he founded.