The adversary simulation activity allowed the security team to demonstrate a complete compromise path while not using any usual, “exploitable” vulnerabilities.
The penetration testing team was tasked with segmentation testing for a sample of the customer's private subnet (both CDE, DMZ, and management subnets). The project required onsite testing, which was not possible with the time constraints of the project (approx. 2 days) and quarantine measures in the Customer's country.
The team created and mailed the customer mobile connect-back jumphosts that was later used to establish initial access, conduct network reconnaissance, and discover network and service-level vulnerabilities that may break segmentation.
The Attack Lifecycle
Several mobile jumphosts was created that connected back to our infrastructure over VPN. These were installed in every sampled subnet in scope.
After network access was established, traffic inspection and various types of network scanning were conducted to collect information about the networking setup.
Broadcast network traffic was analyzed, and exploitable endpoint and router configurations were identified that could allow for MitM attacks (e.g. NBNS poisoning, DHCPv6 poisoning, or abusing dynamic routing protocols).
Network filter evasion
A tunnel from segmented portions of the network was built to the Internet utilizing various techniques to highlight segmentation errors.
Your Cyber Resiliency is Our Passionschedule a call
WHY WORK WITH TENENDO?
Reducing high-severity vulnerabilities’ exposure by up to
Reducing the cost of security testing, audit, and consulting by up to
About security testing:
This case is a very good example why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, not using any known exploits or discovering injection/deserialization/other RCE flaws.
Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.