January 10, 2019
With a full service 24/7 Security Operations Centre (SOC), we’re fortunate to attract some of the UK’s brightest Cyber Security talent. You might remember, back in March ’19, we caught up with Joseph (not his real name), one of Comtact’s elite penetration testers on how he keeps up-to-date on the best ethical hacking techniques.
“I was able to scan a password from 14 billion potential passwords”
Joseph – Comtact Pen Tester
So, in Part II of this series, we asked Joseph to explain what techniques ethical hackers use to find security weak spots in organisations and how easy it is to obtain a password – the vulnerability gateway to your organisation’s data.
This ‘Pentester Tale’, will provide a greater understanding of where and how vulnerability areas are exploited and the steps required to secure and fix vulnerabilities – BEFORE they are exploited for real!
Cyber attacks are often opportunist crime
Cyber crime like most theft is an opportunist crime. The better defended your system, the more chance hackers will leave your system alone and go for an easier target. As such, it pays to use penetration testing to discover the weak points in your system before a hacker exploits them.
The easiest way into a system is via a password – they are the foothold you need to start cracking deeper into things. Using clever techniques, and sometimes sheer luck, a hacker can gain full administrative access in under 10 minutes. Joseph has ethically hacked some of the biggest brands in the world, and believes he can get access to most systems in just 9 minutes!
“You can get access via a vulnerable web page, vulnerable service, or an empty server and find some details that allow you to log in. There are two flags you need to capture – The user flag and the root flag which is administrative access and provides privilege escalation.”
Common techniques to determine vulnerabilities
Joseph reveals how he tests a system and what techniques he deploys that mirror a hacker attack:
Pass the hash
A pass the hash attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
“The system encrypts the users passwords and then passes the hash to the device it’s trying to connect to (server of the hash). If I collect that hash, it’s the same as having the users password and I can use that hash to log on. This is the old way, new way is charmed response.”
Older systems are particularly vulnerable to this technique. A penetration tester uses software to do this and so do the hackers.
Cyber criminals interpose themselves between the victim and the website the victim is trying to reach, either to harvest the information being transmitted or alter it. This is one of the most common forms of cyber attacks.
I identify a system on the network that I want access to. In the background I run the system that intercepts all these requests, when I see a username ‘Admin’, that tells me they have access to the network so, I can replay this to another system.
“I have my target computer that has the server configured. Once my system picks up that request; rather than me answering it, I forward it to the server, and once the server responds I forward that back to the client computer and that gives me access to the server. The client does the authentication for me. This is the next step after pass the hash.”
The responder software that I use to test the system is also fully available on the commercial market – meaning hackers too will have access to this software.
Manually Scanning SD’s
I also target things manually. An SD (‘secure digital’) Card is an ultra small flash memory card designed to provide high-capacity memory to store data in portable electronic devices such as digital video camcorders, digital cameras, smartphones and audio players. SD cards are considered removable storage since they can be inserted and removed from another compatible device.
“I scan computers and look at them individually to find any network storage devices and connect to those for any interesting information. Some documents will be password protected and I often find many people will re-use their same passwords, which can give me access to other pieces of data.”
Exploiting weak or common-combination passwords is a bread-and-butter first step to gain a foothold onto a corporate network. Poor use of passwords is yet another easy way to make a system vulnerable. There are easily obtained tools that allow a 1,000 password guesses per second; effectively doing the work of a 100 people.
Here’s a brilliantly simple method that is employed by many IT professionals, to deconstruct the simple art of creating a strong, (semi-) unique password.
Utilising Social Media
If I still can’t get hold of a user list, I’ll turn to using LinkedIn and other social media channels. Most people voluntarily share large amounts of personal information, whether for business or personal reasons, on social networks without fully appreciating the risks. Unfortunately this means there’s always the possibility that hackers will use that (freely available) information for their own gain.
“I can derive and even find usernames from LinkedIn profiles. We do this to get names and usernames and then we try random passwords on different devices and see how lucky we get…which is often the case.”
You’re more vulnerable than you think
On one assignment, Joseph found an old unused admin account, discovered the password and had full access.
“I tried easy passwords like password123 or password01 and got into 10 successful logins, one was a domain admin and I had full control of the network – it’s that easy.”
Most organisations have vulnerabilities in them that can be easily closed. Assessing your current security posture marks the first and most important step towards forming an effective defence. A security audit and assessment provides a wide-ranging, top-level security evaluation to establish your current security posture, providing an actionable roadmap for implementation.
Penetration Testing: Part of on-going Cyber Security Programme
Regular penetration testing, sophisticated social engineering, strong passwords and in-depth user awareness training are all crucial parts of an on-going cyber security assessment programme that mitigates unwanted threats and will make a real difference to your cyber security posture.
- Pen Tester Tales – PART 1: Learning the best ethical hacking techniques
- Type of penetration test – what’s the difference?
- Buyers guide to penetration testing
- Key questions to ask your penetration testing providers.
- What penetration testing certifications should you insist on?
- Pros and cons of outsourcing your cyber security: In-house or Managed SOC?
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.