Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

PenTesting: From Low Risk Issues to Sensitive Data Compromising

Yes, I imagineyou are probably tired to see blog posts about "real-world" PenTesting, people talking about how to execute the perfect PenTest or what's thebest tactical solution, well I am sick of that too. What I can say is that I havealready seen dozens of this type of texts published around the world and Iwanted to try something different, but different how?

Well, I am going toenumerate the top 4 techniques I usewhen I get in an environment without the commonvulnerabilities that are usually discussed in other articles.

By no means this shouldbe used as a guide or something along those lines, these are just some hintsfrom a pentester (and hundreds of tests executed) that could be helpful toprevent attacks and also to execute a test successfully. These tips should workin more than 80% of the tests, and that is why I chose to list them.

I am not givingdetails about the vulnerabilities, because I don't think it is necessary! Whenyou read these tips, you can assume they are in some specific order, however itis not necessary to be used in the order I describe maybe in your approach you mayskip some of the steps or you can just utilize these techniques at any giventime of the test.

No cutting-edgetechniques will be posted here, as I mentioned, these are just a few tips/hintsfrom my experience on offensive tasks.

1 - NetBIOS Null Session

Normally, when I gotnothing on the network, just a few non-exploitable services, no sensitivetraffic, etc. I utilize the NetBIOS Null Session vulnerability mainly found onthe DNS servers to enumerate users from the domain, there is a little scriptthat does is awesome for accomplishing this called enum4linux.pl (http://labs.portcullis.co.uk/application/enum4linux/) amongstothers available that can also be used for that matter.


2 - Easy Passwords

Ever since I joinedSpiderLabs, I have been noticing that that users can be very lazy and that mostof passwords used out there are easy! After enumerating the usernames, youmight want to try username as password and also Password123 and/orCompanyName123, you will probably retrieve some credentials. I usually useMedusa (http://www.foofus.net/~jmk/medusa/medusa.html) forbrute-forcing, it's very simple and fast:

# medusa -hhost.you.retrieved.users -U userlist.txt -p Password123 -e s -O result -M smbnt

3 - Enumerate shared folders

If you happen to haveany domain credentials that are not administrative accounts, the best thing todo is to enumerate the shared folders that you have access, there are severalscripts that can make your life easier on this job, including a Metasploit (http://www.metasploit.com/)module:

msf > useauxiliary/scanner/smb/smb_enumshares

msfauxiliary(smb_enumshares) > set RHOSTS [TARGET HOST RANGE]

msfauxiliary(smb_enumshares) > run

It is not that uncommonto see shared folders that contain an entire drive (not administrative$ ones),and others not restricted containing sensitive information. It is very usefuleven when you don't have any credentials, anonymous shared folders sometimescan save our day!

While I was writingthis blog post, I was also executing an internal test where I found nothing,and I tried enumerating the shared folders with no credentials, you would besurprised how many shared folders I just had access, including entire drives,etc.

[*] My Book (H) - (DISK),E$ - Default share (DISK), IPC$ - Remote IPC (IPC), F Archive - (DISK), TV Archive1 - (DISK), TELESERVER1 - (DISK), G$ - Default share (DISK), TV Archive- (DISK), F$ - Default share (DISK),ADMIN$ - Remote Admin (DISK), H$ - Default share (DISK), ArchiverE - (DISK), C$ - Default share (DISK), Archiver- (DISK)

root@pentest:~#smbclient //

Enter root'spassword:

Domain=[XXXXXX]OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

smb: \> dir

$AVG DH 0 Thu Nov 4 09:00:45 2010

3com D 0 Tue Jul 17 12:08:47 2007

AUTOEXEC.BAT A 0 Wed Aug 11 18:15:00 2004

boot.ini AHSR 211 Tue Apr 3 12:54:48 2007

cda535ae48d15f7dca29bab5947e D 0 Sat Dec 16 05:29:13 2006

CONFIG.SYS A 0 Wed Aug 11 18:15:00 2004

dell D 0 ThuDec 14 09:23:23 2006

dell.sdr AHR 6177 Sat Nov 25 14:20:52 2006

Documents and Settings D 0 Thu Nov 4 08:58:19 2010

drivers D 0 Mon Aug 14 07:29:44 2006

FileSearch D 0 Fri Jan 18 09:41:16 2008

folder2 D 0 Fri Aug 24 14:38:50 2007

folder3 D 0 Mon Aug 27 11:34:19 2007

hiberfil.sys AHS 1005035520 Wed Aug 29 18:28:05 2012

i386 D 0 Tue Aug 21 15:02:41 2012

Inetpub D 0 Thu Jan 15 14:24:16 2009

INFCACHE.1 A 4128 Wed Jan 3 07:37:55 2007

IO.SYS AH 0 Wed Aug 11 18:15:00 2004

IPH.PH AH 832 Sat Nov 25 14:41:14 2006

iSeries Access Install Image D 0 Fri Apr 18 11:39:55 2008

MSDOS.SYS AH 0 Wed Aug 11 18:15:00 2004

My Documents D 0 Tue Oct 2 08:41:35 2007

NTDETECT.COM AHSR 47564 Wed Aug 4 06:00:00 2004

ntldr AHSR 250048 Fri Mar 11 08:45:00 2011

pagefile.sys AHS 1509949440 Wed Aug 29 18:28:05 2012

Program Files DR 0 Wed Sep 21 12:38:18 2011

RECYCLER DHS 0 Thu Mar 27 15:02:16 2008

Screen Savers D 0 Thu Jan 27 11:39:22 2011

Most of the times thatyou are able to list shared folders anonymously, you will be able to open thefolders.

In this case, theenvironment had a XAMP running and the web root folder was on the drive H: thatwas shared as "My Book (H)". So, I was able to copy a web shell andcompromise the system.

4 - Looking for important/helpful information on plain-text files

Based on my experience I know that all kinds of importantinformation are saved by the users, not just passwords, but for example anOracle SID can be very helpful since Oracle has multiple default credentials!This job is essentially manual, so you basically have to look for theinformation. I normally pick files named "New Text File.txt" or any"New*.*", Passwords*.*, and ofcourse, the configuration files, web.config (connection string line ==sometimes password in plain-text), tnsnames.ora file, etc



<add name="CPT_ConnectionString"

connectionString="Data Source=\ccsql1;UserID=user;Password=pwd"

providerName="System.Data.SqlClient" />


In the end, as I repeatedlysaid, nothing really new has been described above, however I bet that you, PenTester, might have forgot to take a deeper look at these simple techniques! Ihope you enjoyed!