Penetration Testing Case Study: How We Improved Security Posture In 6 Weeks
Our certified (OSCP) assessors identified vulnerabilities resulting in a full domain compromise.
Client: Vision Healthcare Provider
What Happened
PurpleSec was contracted to conduct an internal penetration test of the client's network environment to evaluate its security posture. All activities were conducted in a manner that simulated a malicious actor engaged in a targeted attack, with the goals of:
- Determining whether an attacker could bypass internal controls and compromise the internal domain.
- Determining the impact of a security breach on the confidentiality, integrity and availability of Personally Identifiable Information and Protected Health Information (PII/PHI).
How We Helped
PurpleSec used an “assume breach” methodology for this assessment. Assume breach starts from the premise that an attacker has already defeated the organization's perimeter controls and holds a persistent foothold on the internal network.
This approach is commonly used as it allows assessors to focus on testing an organization’s internal network security posture rather than spending limited engagement time on bypassing external controls.
To mimic an adversary that had successfully breached the client's external defenses, PurpleSec shipped a pre-configured small form-factor PC onsite, where it was plugged into the server subnet. Assessors then connected to the device over a VPN tunnel and conducted offensive operations against the internal networks from it.
High Level Findings
PurpleSec chained the following three common weaknesses together to obtain full domain compromise:
- Over-privileged service/user accounts (the “services” account whose authentication was captured below held administrative rights on other hosts).
- LLMNR/NetBIOS-NS spoofing (name-resolution protocols that do not authenticate responses, so a host can be tricked into authenticating to the assessors' machine).
- SMB signing disabled (where signing is not required, captured NTLM authentication can be relayed to other hosts).
Reconnaissance
Initial reconnaissance of the client's local domain turned up numerous Windows systems, which were used to build a target list for follow-on attacks.
Assessors took advantage of weaknesses in the LLMNR and NetBIOS-NS name-resolution protocols to listen for and answer name queries on the local server subnet. Because neither protocol authenticates responses, assessors could reply to a system's lookup of a hostname with their own IP address; the system then tried to authenticate to the assessors' machine and handed over NTLMv2 authentication material (a Net-NTLMv2 challenge-response) for the “services” account.
Poison an LLMNR/NetBIOS Response
Assessors were immediately able to poison an LLMNR/NetBIOS response and capture a Net-NTLMv2 hash for the “services” user.
This Net-NTLMv2 hash could be taken offline for cracking, but an easier option was to relay the captured authentication to other hosts in the environment (an NTLM relay attack; a Net-NTLMv2 challenge-response cannot be used for pass-the-hash, which requires the account's NT hash). NTLMRelayx, a component of the Impacket tool suite, was used to relay the authentication to live targets discovered with CrackMapExec. Relay only succeeds against hosts that do not require SMB signing, and where the relayed account holds local administrator rights on the target, ntlmrelayx dumps the local SAM database by default.
Domain Accounts Identified
The majority of the credentials dumped from the relayed hosts were local accounts, but some domain accounts were found as well. Using CrackMapExec, assessors applied the pass-the-hash technique with the NT hash of the local Administrator account (usable directly, unlike the relayed Net-NTLMv2 value) to authenticate to other hosts and enumerate their shares; pass-the-hash with a local account only works where the same local Administrator password is set.
Assessors were subsequently able to obtain command execution as “NT AUTHORITY\SYSTEM” and browse and modify all file shares.
Enumerating Domain Admin
During this phase, local accounts were also dumped from database servers; PurpleSec did not attempt further exploitation against production databases to avoid possible interruption of services, but it would have been feasible at this point to degrade the confidentiality/availability/integrity of databases and underlying servers.
While connected, assessors continued enumerating the domain. Using the built-in Windows “net” command, they were able to list all members of the Domain Admins group.
Requesting Kerberos Ticket
Assessors used Rubeus to request a valid Kerberos ticket-granting ticket (TGT) for the “synergy” user from that account's NT hash, a technique called over-pass-the-hash (OPtH). With a valid TGT, an attacker can impersonate the user it was issued for and interact with any Kerberos-enabled domain service.
Once the TGT was imported into the current logon session, Rubeus was used again to request service tickets for every kerberoastable account in the domain (accounts with a service principal name). Each of these tickets is encrypted with a key derived from the service account's password, so they can be exported and cracked offline without ever touching the service.
Cracking The Hash
Hashcat can apply rules that make small alterations to each word; in this case, the “d3adh0b0” ruleset was run against the Kaonashi wordlists, generating 99,717,820,850,760 candidate passwords with which to attempt to decrypt the previously obtained service tickets. Ultimately, this attack path was unsuccessful.
Using the same imported Kerberos ticket, assessors then successfully used PsExec, a Sysinternals tool for remote system management, to access the domain controller. For PsExec to succeed, the “synergy” account must have held administrative rights on the domain controller, an instance of the over-privileged accounts noted in the findings.
Extracting All Domain Password Hashes
Once on the domain controller, assessors used ntdsutil, a built-in Windows binary for managing Active Directory Domain Services and Active Directory Lightweight Directory Services, to create a copy of the NTDS.DIT file.
This file stores all Active Directory data, including every user account and its password hash. Along with the copy of NTDS.DIT, the SYSTEM registry hive (HKEY_LOCAL_MACHINE\SYSTEM), which holds the boot key needed to decrypt the database, was exfiltrated back to the attacker host.
On the attacker host, the NTDS.DIT file was decrypted and dumped with Impacket's secretsdump, yielding the password hashes of every user and machine account in the domain. At this point, the domain is effectively compromised.
The Outcome
The client took the results of the internal pen test and immediately engaged their IT provider to act on the recommendations. PurpleSec retested 6 weeks after the initial test and confirmed that the vulnerabilities found had been remediated. As a result, the client greatly improved their security posture and met their annual HIPAA compliance requirements.