CyberOne Blog | Cyber Security Trends, Microsoft Security Updates, Advice

Pen Tester Tales: Passwords Are a Security Weak Spot

Written by Mark Terry | Jan 10, 2019 12:00:00 AM

With a full-service 24x7 Security Operations Centre (SOC), we’re fortunate to attract some of the UK’s brightest Cyber Security talent. You might remember that back in March 2019, we caught up with Joseph (not his real name), one of CyberOne’s elite penetration testers, about how he keeps up-to-date on the best ethical hacking techniques.

“I was able to scan a password from 14 billion potential passwords”

Joseph - CyberOne Pen Tester

So, in Part II of this series, we asked Joseph to explain what techniques ethical hackers use to find security weak spots in organisations and how easy it is to obtain a password - the vulnerability gateway to your organisation’s data.

This ‘Pentester Tale’ will provide a greater understanding of where and how vulnerability areas are exploited and the steps required to secure and fix vulnerabilities - BEFORE they are exploited for real!

Cyber Attacks Are Often Opportunistic Crime

Cybercrime, like most theft, is an opportunistic crime. The better defended your system, the more likely hackers will skip it and go for an easier target. As such, it pays to use Penetration Testing to discover your system’s weak points before a hacker exploits them.

The easiest way into a system is via a password—they are the foothold you need to start cracking deeper into things. Using clever techniques and sometimes sheer luck, a hacker can gain full administrative access in under 10 minutes. Joseph has ethically hacked some of the biggest brands in the world and believes he can access most systems in just 9 minutes!

“You can access a vulnerable web page, a vulnerable server or an empty server and find details that allow you to log in. There are two flags you need to capture - The user flag and the root flag, which is administrative access and provides privilege escalation.”

Common Techniques to Determine Vulnerabilities

Joseph reveals how he tests a system and what techniques he deploys that mirror a hacker attack:

Pass-The-Hash

A Pass-The-Hash attack is an exploit in which an attacker steals a hashed user credential and reuses it without cracking the authentication system to create a new authenticated session on the same network.

“The system encrypts the user’s passwords and then passes the hash to the device it’s trying to connect to (server of the hash). Collecting that hash is the same as having the user’s password; I can use that hash to log in. This is the old way; the new way is charmed response.”

Older systems are particularly vulnerable to this technique. Penetration testers and hackers alike use software to do this.

Man-In-The-Middle Attack

Cyber criminals interpose themselves between the victim and the website the victim is trying to reach, either to harvest the information being transmitted or alter it. This is one of the most common forms of cyber attacks.

I identify a system on the network that I want access to. In the background, I run the system that intercepts all these requests. When I see a username ‘Admin’, it tells me they have access to the network, and I can reply to another system.

“I have my target computer with the server configured. Once my system picks up that request, rather than answering it, I forward it to the server. Once the server responds, I forward that back to the client computer, giving me access to the server. The client does the authentication for me. This is the next step after passing the hash.”

The responder software used to test the system is also fully available on the commercial market, meaning hackers have access to this software too.

Manually Scanning SDs

I also target things manually. An SD (‘secure digital’) Card is an ultra-small flash memory card designed to provide high-capacity memory for storing data in portable electronic devices such as digital video camcorders, digital cameras, smartphones and audio players. SD cards are considered removable storage since they can be inserted and removed from another compatible device.

“I scan computers and look at them individually to find any network storage devices and connect to them for interesting information. Some documents are password protected, and I often find many people reuse the same passwords, which can give me access to other pieces of data.”

Exploiting weak or common-combination passwords is a bread-and-butter first step to gaining a foothold in a corporate network. Poor use of passwords is yet another easy way to make a system vulnerable. There are easily obtained tools that allow 1,000 password guesses per second, effectively doing the work of 100 people.

Many IT professionals employ a brilliantly simple method to deconstruct the simple art of creating a strong, (semi-)unique password.

Utilising Social Media

If I still can’t get hold of a user list, I’ll turn to using LinkedIn and other social media channels. Most people voluntarily share large amounts of personal information on social networks, whether for business or personal reasons, without fully appreciating the risks. Unfortunately, this means there’s always the possibility that hackers will use that (freely available) information for their gain.

“I can derive and even find usernames from LinkedIn profiles. We do this to get names and usernames, and then we try random passwords on different devices and see how lucky we get...which is often the case.”

You’re More Vulnerable Than You Think

On one assignment, Joseph found an old unused admin account, discovered the password and had full access.

“I tried easy passwords like password123 or password01 and got into 10 successful logins, one was a domain admin, and I had full control of the network – it’s that easy.”
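The pattern Joseph describes, one easy password tried across many accounts, leaves a distinctive trail in authentication logs: a single source failing against many different usernames within a short window, sometimes followed by a success. The script below is an added defender-side example, not code from the post or from CyberOne; the log format, field names, thresholds and sample entries are all constructed here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): host 10.0.5.23 cycles
# one password across many accounts and lands two logins; 10.0.7.4 is a user
# who mistyped once and then signed in normally.
SAMPLE_LOG = """\
2019-01-10T09:00:01 src=10.0.5.23 user=alice result=FAIL
2019-01-10T09:00:02 src=10.0.5.23 user=bob result=FAIL
2019-01-10T09:00:03 src=10.0.5.23 user=carol result=FAIL
2019-01-10T09:00:04 src=10.0.5.23 user=dave result=FAIL
2019-01-10T09:00:05 src=10.0.5.23 user=erin result=FAIL
2019-01-10T09:00:06 src=10.0.5.23 user=svc_backup result=OK
2019-01-10T09:00:07 src=10.0.5.23 user=frank result=FAIL
2019-01-10T09:00:08 src=10.0.5.23 user=old_admin result=OK
2019-01-10T09:00:09 src=10.0.7.4 user=alice result=FAIL
2019-01-10T09:05:00 src=10.0.7.4 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_log(text):
    """Parse the constructed format into (timestamp, src, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources failing against >= min_users distinct accounts inside one
    sliding window (the spraying signature) and collect any accounts that the
    same source logged into during that window, i.e. likely weak passwords."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failed = {u for _, _, u, ok in span if not ok}
            if len(failed) >= min_users:
                hit = alerts.setdefault(src, {"failed_users": 0, "compromised": set()})
                hit["failed_users"] = max(hit["failed_users"], len(failed))
                hit["compromised"].update(u for _, _, u, ok in span if ok)
    return alerts
```

Accounts listed under "compromised" are the ones to reset first; the thresholds should be tuned to the real lockout policy and logon volume of the environment.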

Most organisations have vulnerabilities that can be easily closed. Assessing your current security posture marks the first and most important step towards forming an effective defence. A security audit and assessment provides a wide-ranging, top-level security evaluation to establish your current security posture, providing an actionable roadmap for implementation.

Penetration Testing: Part of an Ongoing Cyber Security Programme

Regular Penetration Testing, sophisticated social engineering, strong passwords and in-depth user awareness training are all crucial parts of an ongoing security assessment programme that mitigates unwanted threats and will make a real difference to your cyber security posture.