Case Study 1 (External Penetration Test)
The client ran a WordPress content management system on an internet-facing web server. During the assessment, an entry point was discovered through an outdated WordPress plugin on that server, which was also connected to an internal network. The server was poorly secured, and the internal network it reached contained numerous machines running outdated operating systems.
Using several publicly available exploits against machines on the internal network, we achieved complete domain compromise. In addition, while executing the attack path we found an artifact (a backdoor) left by a previous breach, which had gone unnoticed for approximately one year until our assessment uncovered it.
The client initiated incident response immediately as a result. The company provides software to many different areas of the construction/engineering sector on a global scale, and the compromised server had also been used to distribute its installation files to customers. That made it a valuable supply-chain target: an adversary who controlled the server could trojan those installers and spread malware to every organization that downloaded them.
Case Study 2 (Internal Penetration Test)
The internal environment consisted of fully patched machines protected by antivirus (Windows Defender). Password spraying was performed against users throughout the domain, and a low-privileged employee account was compromised. Using that account, the domain was queried for service accounts (accounts with registered Service Principal Names) and Kerberos service tickets were requested for them, a technique known as Kerberoasting.
Kerberos issues a service ticket to any authenticated domain user and encrypts it with a key derived from the service account's password, so the tickets could be taken offline and the passwords attacked by guessing. One service account's password was cracked, and authenticating with that account showed that it held "Domain Administrator" level permissions.
The password was weak because this was a very old, forgotten account, and the environment had been inherited and upgraded a number of times. During those historical upgrades the administrators had overlooked the existence and susceptibility of the account, which now allowed a complete domain compromise.
Case Study 3 (Internal Penetration Test)
The client's environment was heavily locked down, with network segregation, multiple endpoint protection products and up-to-date patching. A black-box penetration test was performed by connecting a remote access device provided to the client.
Network traffic could be poisoned (a standard technique in penetration testing) because of a misconfiguration within the Windows environment, and an initial compromise was achieved by relaying a user's authentication to a misconfigured machine. To get past the endpoint controls, custom-developed XDR bypasses were created and integrated into a payload, which was successfully deployed on that machine.
An administrator's password hash was discovered on the machine. The underlying password was strong, but by further abusing Windows functionality the hash itself was used to authenticate to several machines throughout the network (pass-the-hash), and more users were compromised by repeating the same procedure. Several computers were compromised and their memory dumped, yielding credentials that allowed us to move to other computers and pivot into other networks.
Pivoting was achieved by enabling a built-in Windows feature, the OpenSSH server service, with a compromised account, and using it to proxy attacks into the segregated environment. After around 40 machines had been compromised, one of them was found to hold credentials for an account with "Domain Administrator" privileges that the client was unaware of.
Domain Administrator access was then obtained with that account. Several other vulnerabilities and misconfigurations were found throughout the network while following this attack path. Auditing the user password hashes from the domain controller, 25% were cracked with commonly used wordlists and rulesets, showing that the password policy was inadequate.
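The 25% figure is the product of a wordlist-plus-rules attack, and the mechanism is easy to show. The following added example (not code from the page or the engagement) implements a small subset of the hashcat rule language, checks whether a password can be derived from a short base-word list, and reports how much of a constructed password set is covered; the same routine can run as a proactive check when users choose passwords. Base words, rules and passwords are constructed for the example and happen to reproduce the 25% rate.

```python
def apply_rule(word: str, rule: str) -> str:
    """Apply a subset of hashcat's rule language to one base word.

    Supported operators: ':' no-op, 'l' lower, 'u' upper, 'c' capitalize,
    'r' reverse, '$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
    """
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            i += 1
        elif op == "l":
            word, i = word.lower(), i + 1
        elif op == "u":
            word, i = word.upper(), i + 1
        elif op == "c":
            word, i = word[:1].upper() + word[1:].lower(), i + 1
        elif op == "r":
            word, i = word[::-1], i + 1
        elif op == "$":
            word, i = word + rule[i + 1], i + 2
        elif op == "^":
            word, i = rule[i + 1] + word, i + 2
        elif op == "s":
            word, i = word.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported rule operator {op!r} in {rule!r}")
    return word


def explain_password(password: str, basewords, rules):
    """Return the (baseword, rule) pair that reproduces the password, or None."""
    for base in basewords:
        for rule in rules:
            if apply_rule(base, rule) == password:
                return base, rule
    return None


def audit(passwords, basewords, rules):
    """Fraction of the password set derivable from wordlist + rules, plus the hits."""
    hits = [p for p in passwords if explain_password(p, basewords, rules)]
    return len(hits) / len(passwords), hits


# Constructed sample (not the engagement's data): a five-word base list, nine
# mangling rules of the kind shipped with cracking tools, and eight user passwords.
BASEWORDS = ["password", "welcome", "summer", "company", "admin"]
RULES = [":", "c", "c$1", "c$!", "c$1$2$3", "c$2$0$2$3", "cso0", "cso0$1", "c$2$0$2$4$!"]
SAMPLE_PASSWORDS = [
    "Welcome1", "Summer2023",                           # derivable: base word + rule
    "gT7#vRq2!xLp", "correct-horse-battery", "Zk9$mW4nP1q",
    "7uH!eR2@pLx9", "Q2w!e3R$t5Y^", "nV8pL3xQ",          # not derivable from this list
]

if __name__ == "__main__":
    rate, hits = audit(SAMPLE_PASSWORDS, BASEWORDS, RULES)
    print(f"{rate:.0%} of passwords derivable: {hits}")
    for p in hits:
        print(p, "<-", explain_password(p, BASEWORDS, RULES))
```

Run against plaintext candidates this is a password-filter check; run against recovered hashes (hashing each candidate with the appropriate algorithm) it is the audit described above. The important property is that the candidate space is the wordlist times the rule count, so a few hundred common words and a few thousand rules already cover every "Season+Year" and "Company+digit" password a policy of eight characters and complexity lets through.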
Case Study 4 (Web Application Penetration Test)
During the assessment a weakness was discovered in a web application that allowed unauthenticated file upload. This vulnerability was leveraged in combination with several other misconfigurations to obtain low-privileged access to the web server itself.
That low-privileged account was then elevated to a superuser account via a misconfiguration in the server's local environment, resulting in complete compromise of the server. Cloud access keys were recovered from it, left behind by poor cleanup in the automation used to deploy the application, and those keys were leveraged to compromise the organization's entire cloud environment.
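The keys in this case were residue of deployment automation, which is exactly what a secrets scan over the deployed tree catches before an attacker does. The following added example (not code from the page or the engagement) scans a set of deployment artifacts for leftover credentials. The patterns are assumptions: the page does not name the cloud provider, so an AWS-style access key ID is used as one well-known shape alongside a generic "secret-looking name = long high-entropy value" rule, and the sample files, including the AWS documentation placeholder keys, are constructed for the example.

```python
import math
import re
from typing import Dict, List, Tuple

# Detection patterns. These are assumptions for the example: the page does not name the
# cloud provider, so an AWS-style access key ID (fixed "AKIA" prefix + 16 chars) stands in
# as one well-known shape, alongside a generic "secret-looking name = long value" rule.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("generic_secret", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY)[A-Z0-9_]*)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})")),
]
MIN_ENTROPY = 3.5  # bits per character; real keys sit near 4.5-5, placeholders well below


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; separates 'changeme_changeme' from real keys."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_text(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line, pattern, redacted value) for every likely credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(m.lastindex)          # the last group is always the secret
                if name == "generic_secret" and shannon_entropy(value) < MIN_ENTROPY:
                    continue                          # low-entropy placeholder, not a key
                findings.append((path, lineno, name, value[:4] + "..."))  # never log the key
    return findings


def scan_artifacts(artifacts: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a path -> contents map, e.g. the unpacked deployment bundle left on a server."""
    findings = []
    for path, text in artifacts.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample artifacts (not from the engagement). The AWS values are the
# placeholders AWS publishes in its own documentation, not live credentials.
SAMPLE_ARTIFACTS = {
    "deploy/.env.bak": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                       "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy/run.sh": "#!/bin/sh\nexport DB_PASSWORD=changeme_changeme_changeme\n./deploy --region eu-west-1\n",
    "app/config.py": "API_TOKEN = 'tok_9fQ2xL8vB3nR7kP1zD4wY6sH0aJ5eU'\nDEBUG = False\n",
}

if __name__ == "__main__":
    for hit in scan_artifacts(SAMPLE_ARTIFACTS):
        print("%s:%d %s %s" % hit)
```

The entropy gate is what keeps the generic rule usable: the `changeme` placeholder in the shell script is skipped while the two real-shaped values are reported. Findings are redacted to a four-character prefix so the scan output itself does not become the next leaked copy of the key; the prefix is enough to locate and rotate it.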