This case is a very good example of why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, without using any known exploits, and without discovering injection, deserialization, or other RCE flaws.
The penetration testing team was hired to perform an internal adversary simulation assessment for an undisclosed financial institution. The end goal of the test was to obtain network access and valid application authentication credentials to the internal protected processing segment. It should be noted that generic quarterly infrastructure penetration tests were performed by a third-party team and the Client had mitigated the vulnerabilities detailed in previous penetration test reports.
The simulation was staged onsite at the Client’s premises, which allowed for physical attacks to take place.
The penetration testing team obtained complete access to the Customer’s office domain, network access to processing segments, SSH credentials to critical servers, database passwords, and access to critical Web applications.
The Attack Lifecycle
The scenario assumed the attacker has office employee-level access. However, it was still deemed necessary to outline initial attack vectors for an outside attacker.
- Wireless Evil Twin attacks.
- USB keystroke injection attacks.
- Abusing NLA with internal network and service RCE vulnerabilities for initial domain access.
- Social engineering.
Local Privilege Escalation
Service misconfigurations were abused for LPE.
Command, Control, and Network filter evasion
EDR bypass and network filtering bypass techniques were developed and used to establish Command and Control.
Domain privilege escalation
Kerberoasting and password spraying were used to elevate domain privileges.
Keystroke logging and credential dumping were used to obtain credentials for a segmented domain, where transfer processing servers reside.
With these credentials available, RDP, combined with the previously established C2 and EDR evasion techniques, was used to gain access to the segmented infrastructure.
Segmented network enumeration
Once the network access to the processing segment was obtained, the penetration testing team performed password-hunting and service enumeration activities on the terminal virtual hosts.
An open share was discovered containing employee manuals for processing operators. Alongside these manuals were unencrypted, unprotected plain-text files left behind by previous and current employees, holding their authentication credentials. These gave the penetration testing team complete access to both the testing and production environments and their databases.
At this point, by agreement with the Customer, the adversary simulation activity was considered complete so as not to accidentally disrupt the normal workflow of the infrastructure.
The adversary simulation activity helped the client identify and remediate multiple issues with the on-premise infrastructure and vulnerabilities, calculate potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.