Penetration Testing Case Study: How We Improved Security Posture In 6 Weeks
Our certified (OSCP) assessors identified vulnerabilities resulting in a full domain compromise.
Client: Vision Healthcare Provider
What Happened
PurpleSec was contracted to conduct an internal penetration assessment of the client's network environment to evaluate its network security posture. All activities were conducted in a manner that simulated a malicious actor engaged in a targeted attack, with the goals of:
- Determining whether an attacker could bypass internal controls and compromise the internal domain.
- Determining the impact of a security breach on:
  - The confidentiality, integrity and availability of Personally Identifiable Information and Personal Health Information (PII/PHI).
How We Helped
PurpleSec utilized an “assume breach” methodology when conducting this assessment. “Assume breach” assumes that an attacker has successfully breached an organization’s perimeter controls and obtained a persistent foothold on the internal network.
This approach is commonly used as it allows assessors to focus on testing an organization’s internal network security posture rather than spending limited engagement time on bypassing external controls.
To mimic an adversary that had successfully breached the client’s external defenses, PurpleSec sent a pre-configured form-factor PC onsite that was plugged into the server subnet. Utilizing a secure VPN, PurpleSec assessors then connected to the device and conducted offensive operations against internal networks.
High Level Findings
PurpleSec was able to chain the following three common vulnerabilities together to obtain full domain compromise:
- Over-privileged service/user accounts.
- LLMNR/NetBIOS-NS spoofing.
- SMB signing disabled.
Reconnaissance
Initial reconnaissance of the client’s local domain resulted in the discovery of numerous Windows systems, which were used to build a target list for follow-on attacks.
Assessors took advantage of flaws in the LLMNR/NetBIOS-NS protocol suites to listen and respond to name-resolution queries in the local server subnet. Because neither LLMNR nor NetBIOS-NS verifies the source of a response, assessors were able to answer a system's query with a spoofed response and subsequently trick that system into sending NTLMv2 authentication material for the “services” account.
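The spoofing described above only works because LLMNR and NetBIOS-NS are left enabled on the hosts, and the captured NTLMv2 material is only useful against hosts that do not require SMB signing. The following PowerShell audit script is an added example, not code from the PurpleSec engagement: it reports those three settings on a Windows host and, with the hypothetical `-Remediate` switch, applies the hardened values (run from an elevated session).

```powershell
# Added audit script (not from the PurpleSec engagement): checks a Windows host
# for the name-resolution and SMB-signing weaknesses the case study chains
# together. Requires an elevated PowerShell session.
function Get-NameResolutionHardening {
    [CmdletBinding()]
    param([switch]$Remediate)   # hypothetical switch: apply the fixes as well as report

    $findings = @()

    # 1. LLMNR: the policy value EnableMulticast = 0 under DNSClient turns it off.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($llmnr -ne 0) {
        $findings += 'LLMNR enabled (EnableMulticast is not 0): host will answer multicast name queries'
        if ($Remediate) {
            New-Item -Path $llmnrKey -Force | Out-Null
            Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        }
    }

    # 2. NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked per IP-enabled adapter.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($a in $adapters) {
        if ($a.TcpipNetbiosOptions -ne 2) {
            $findings += "NetBIOS-NS enabled on adapter '$($a.Description)'"
            if ($Remediate) {
                Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                    -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            }
        }
    }

    # 3. SMB signing: RequireSecuritySignature = 1 on both the server and client side.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $req = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        if ($req -ne 1) {
            $findings += "SMB signing not required for $svc (RequireSecuritySignature is not 1)"
            if ($Remediate) { Set-ItemProperty -Path $key -Name RequireSecuritySignature -Value 1 -Type DWord }
        }
    }

    if ($findings.Count -eq 0) { 'No findings: LLMNR off, NetBIOS-NS off, SMB signing required' } else { $findings }
}

# Report only; add -Remediate to apply the hardened values.
Get-NameResolutionHardening
```

Disabling NetBIOS over TCP/IP and requiring SMB signing can break legacy clients, so test the remediation on a pilot group before rolling it out domain-wide via Group Policy.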