Yes, I imagineyou are probably tired to see blog posts about "real-world" PenTesting, people talking about how to execute the perfect PenTest or what's thebest tactical solution, well I am sick of that too. What I can say is that I havealready seen dozens of this type of texts published around the world and Iwanted to try something different, but different how?
Well, I am going toenumerate the top 4 techniques I usewhen I get in an environment without the commonvulnerabilities that are usually discussed in other articles.
By no means this shouldbe used as a guide or something along those lines, these are just some hintsfrom a pentester (and hundreds of tests executed) that could be helpful toprevent attacks and also to execute a test successfully. These tips should workin more than 80% of the tests, and that is why I chose to list them.
I am not givingdetails about the vulnerabilities, because I don't think it is necessary! Whenyou read these tips, you can assume they are in some specific order, however itis not necessary to be used in the order I describe maybe in your approach you mayskip some of the steps or you can just utilize these techniques at any giventime of the test.
No cutting-edgetechniques will be posted here, as I mentioned, these are just a few tips/hintsfrom my experience on offensive tasks.
1 - NetBIOS Null Session
Normally, when I gotnothing on the network, just a few non-exploitable services, no sensitivetraffic, etc. I utilize the NetBIOS Null Session vulnerability mainly found onthe DNS servers to enumerate users from the domain, there is a little scriptthat does is awesome for accomplishing this called enum4linux.pl (http://labs.portcullis.co.uk/application/enum4linux/) amongstothers available that can also be used for that matter.
2 - Easy Passwords
Ever since I joinedSpiderLabs, I have been noticing that that users can be very lazy and that mostof passwords used out there are easy! After enumerating the usernames, youmight want to try username as password and also Password123 and/orCompanyName123, you will probably retrieve some credentials. I usually useMedusa (http://www.foofus.net/~jmk/medusa/medusa.html) forbrute-forcing, it's very simple and fast:
# medusa -hhost.you.retrieved.users -U userlist.txt -p Password123 -e s -O result -M smbnt
3 - Enumerate shared folders
If you happen to haveany domain credentials that are not administrative accounts, the best thing todo is to enumerate the shared folders that you have access, there are severalscripts that can make your life easier on this job, including a Metasploit (http://www.metasploit.com/)module:
msf > useauxiliary/scanner/smb/smb_enumshares
msfauxiliary(smb_enumshares) > set RHOSTS [TARGET HOST RANGE]
msfauxiliary(smb_enumshares) > run
It is not that uncommonto see shared folders that contain an entire drive (not administrative$ ones),and others not restricted containing sensitive information. It is very usefuleven when you don't have any credentials, anonymous shared folders sometimescan save our day!
While I was writingthis blog post, I was also executing an internal test where I found nothing,and I tried enumerating the shared folders with no credentials, you would besurprised how many shared folders I just had access, including entire drives,etc.
[*]172.16.1.172:139 My Book (H) - (DISK),E$ - Default share (DISK), IPC$ - Remote IPC (IPC), F Archive - (DISK), TV Archive1 - (DISK), TELESERVER1 - (DISK), G$ - Default share (DISK), TV Archive- (DISK), F$ - Default share (DISK),ADMIN$ - Remote Admin (DISK), H$ - Default share (DISK), ArchiverE - (DISK), C$ - Default share (DISK), Archiver- (DISK)
Domain=[XXXXXX]OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> dir
$AVG DH 0 Thu Nov 4 09:00:45 2010
3com D 0 Tue Jul 17 12:08:47 2007
AUTOEXEC.BAT A 0 Wed Aug 11 18:15:00 2004
boot.ini AHSR 211 Tue Apr 3 12:54:48 2007
cda535ae48d15f7dca29bab5947e D 0 Sat Dec 16 05:29:13 2006
CONFIG.SYS A 0 Wed Aug 11 18:15:00 2004
dell D 0 ThuDec 14 09:23:23 2006
dell.sdr AHR 6177 Sat Nov 25 14:20:52 2006
Documents and Settings D 0 Thu Nov 4 08:58:19 2010
drivers D 0 Mon Aug 14 07:29:44 2006
FileSearch D 0 Fri Jan 18 09:41:16 2008
folder2 D 0 Fri Aug 24 14:38:50 2007
folder3 D 0 Mon Aug 27 11:34:19 2007
hiberfil.sys AHS 1005035520 Wed Aug 29 18:28:05 2012
i386 D 0 Tue Aug 21 15:02:41 2012
Inetpub D 0 Thu Jan 15 14:24:16 2009
INFCACHE.1 A 4128 Wed Jan 3 07:37:55 2007
IO.SYS AH 0 Wed Aug 11 18:15:00 2004
IPH.PH AH 832 Sat Nov 25 14:41:14 2006
iSeries Access Install Image D 0 Fri Apr 18 11:39:55 2008
MSDOS.SYS AH 0 Wed Aug 11 18:15:00 2004
My Documents D 0 Tue Oct 2 08:41:35 2007
NTDETECT.COM AHSR 47564 Wed Aug 4 06:00:00 2004
ntldr AHSR 250048 Fri Mar 11 08:45:00 2011
pagefile.sys AHS 1509949440 Wed Aug 29 18:28:05 2012
Program Files DR 0 Wed Sep 21 12:38:18 2011
RECYCLER DHS 0 Thu Mar 27 15:02:16 2008
Screen Savers D 0 Thu Jan 27 11:39:22 2011
Most of the times thatyou are able to list shared folders anonymously, you will be able to open thefolders.
In this case, theenvironment had a XAMP running and the web root folder was on the drive H: thatwas shared as "My Book (H)". So, I was able to copy a web shell andcompromise the system.
4 - Looking for important/helpful information on plain-text files
Based on my experience I know that all kinds of importantinformation are saved by the users, not just passwords, but for example anOracle SID can be very helpful since Oracle has multiple default credentials!This job is essentially manual, so you basically have to look for theinformation. I normally pick files named "New Text File.txt" or any"New*.*", Passwords*.*, and ofcourse, the configuration files, web.config (connection string line ==sometimes password in plain-text), tnsnames.ora file, etc
In the end, as I repeatedlysaid, nothing really new has been described above, however I bet that you, PenTester, might have forgot to take a deeper look at these simple techniques! Ihope you enjoyed!