Unveiling Depths: A Manual Exploration Into The Network

Welcome to RBT’s first blog, where we’re diving into the details of one of our most recent penetration test engagements! Our client brought us on board to tackle both External and Internal Network Penetration Tests. In our commitment to fostering a safer environment for businesses, we embarked on this journey, uncovering how these tests enhance the company’s security posture.

To start things off, we launched Nmap to scan the external network’s scope. The scan identified several open ports on numerous hosts. While performing the reconnaissance, we discovered that one of the Windows servers had Remote Desktop Protocol (RDP) exposed to the Internet. 

The RDP service displayed the names of valid users who were logged in at that time. As shown in the image below, this is considered sensitive data; therefore, we would like to emphasize that by implementing security practices, such as limiting RDP access to trusted IP addresses or using a Virtual Private Network (VPN), companies can significantly enhance their security posture and protect against unauthorized access to systems.

Continuing our information-gathering phase, we identified a login portal responsible for managing configurations and operations. Employing a password-spraying technique, we successfully logged in to the portal with a default credential that we collected from the internet. Subsequent login using this default credential revealed the absence of Multi-Factor Authentication (MFA). We didn’t have access to any Personally Identifiable Information (PII), but we were able to access sensitive configuration details of the web application. Therefore, we must highlight two main misconfigurations: the use of default credentials and the absence of MFA, each of which significantly heightens the risk of a security breach. As a recommended best practice, we encourage companies to change default credentials and to enforce a second authentication factor as an integral part of their security measures.

As we continued the reconnaissance phase, three additional business-critical applications were discovered, and it came to our attention that the credentials were being reused across external web applications. Password reuse is another significant factor that corporations need to pay attention to: once one set of credentials is exposed, every application sharing it is exposed with it. In our case, gaining “admin” access highlighted a strong need for more robust password policies in the corporate world.

Diving deeper into the engagement, our test revealed a significant security concern: the ability to interact with the SQL Server backend and execute SQL queries directly through one of the web applications to retrieve the business data stored in the database. The severity of this issue is heightened as a malicious actor could manipulate existing data, escalating the potential business impact. This is particularly noteworthy since access was gained using default credentials, which are often publicly accessible in vendor publications, documentation, and online sources. It is imperative for companies to recognize the gravity of this risk, as it opens avenues for accessing network devices.

Transitioning to the Internal Pentest phase, we launched Nmap to meticulously check for live hosts and open TCP ports. Simultaneously, we employed automated scans to find what we refer to as “low-hanging vulnerabilities.” This approach ensured that every possible avenue was explored, leaving no stone unturned.

To enhance the comprehensiveness of our testing, we used our manual approach to check the identified open ports. This method is valuable for uncovering unexpected issues that might not be identified through predefined automated test scripts and also enables the simulation of real-world scenarios. 

In doing so, we discovered publicly accessible NFS network shares with both read and write permissions. While analyzing the NFS shares, we encountered Outlook backup files containing Personally Identifiable Information (PII). The Outlook backup files held a significant amount of sensitive data that could be exploited if accessed by unauthorized parties. Storing backup files on a publicly accessible NFS share creates a potential risk for unauthorized access and manipulation. This risk can be minimized if filesystem permissions on the NFS server are configured in a secure manner.
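The misconfiguration above (an NFS share exported to every host with write access) can be caught before an assessment by auditing the server's exports file. The script below is an added illustration, not tooling from the engagement; the paths and client specs it parses are constructed, and it treats the exports(5) defaults (read-only, root_squash) as the baseline.

```python
"""Audit an exports(5) file for NFS shares exported to every host (added illustration, constructed sample)."""

# Constructed sample /etc/exports content (no real hosts or paths).
SAMPLE_EXPORTS = """\
# mail team backups
/srv/backups/outlook  *(rw,sync,no_root_squash)
/srv/public           10.0.0.0/24(ro,sync)
/srv/finance          10.0.5.0/24(rw,sync) *(ro)
/srv/scratch          (rw)
/srv/docs             *.corp.example(rw)
"""


def parse_exports(text):
    """Return [(path, [(host, [options]), ...]), ...]; comments and blank lines are skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            host, _, opts = spec.partition("(")
            options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            # exports(5): a bare "(options)" with no host applies to every client
            clients.append((host or "*", options))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, severity, reason) for every export reachable from any host."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host != "*":
                continue  # scoped to a host, subnet or domain wildcard: not world-open
            if "rw" in opts:
                sev = "critical" if "no_root_squash" in opts else "high"
                findings.append((path, sev, "world-writable export"))
            else:  # exports default to read-only
                findings.append((path, "medium", "world-readable export"))
    return findings


if __name__ == "__main__":
    for path, sev, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{sev:8} {path}: {why}")
```

Run it against the real `/etc/exports` by reading the file into `audit_exports`; anything reported as world-writable should be scoped to the hosts that need it.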

In simulating a real threat scenario, we examined the Outlook backup file and identified a critical security concern. The database, web, and VPN credentials were discovered embedded in email communications, representing a substantial security threat due to their exposure in clear text. To enhance security practices, a simple yet effective policy that companies can adopt is sending encrypted emails, thereby safeguarding transmitted credentials.

Leveraging the credentials we obtained, we gained access to the MSSQL and Oracle databases within the network as sysadmin. The “sysadmin” role allowed us to extract password hashes and execute commands (xp_cmdshell).

One critical observation that stood out was the database credential pattern: the database name was used as both the username and the password. This security oversight underscores the necessity for a stronger password policy for database authentication to address the potential risk of exploitation.

To conclude the test, we employed the credentials discovered in the Outlook backup file, which were obtained during the reconnaissance phase. These credentials granted us administrative access to the internal web applications. Once again, this underscores the presence of weak credential patterns within the web application segment, where credentials were easily guessable terms such as names or variations like “NAME/NEWCOMER-NAME.” This observation highlights the importance of reinforcing stronger and more secure credential practices within the web application infrastructure.
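Both credential patterns called out above (the database name reused as username and password, and guessable application passwords such as NAME/NEWCOMER-NAME) can be checked for in a password policy review or an inventory audit. The script below is an added illustration, not the engagement's tooling; the account records are constructed, and the "welcome" onboarding word and the four-letter minimum for name matching are assumptions.

```python
"""Flag database and application accounts whose password is derived from the
account or database name. Added illustration; the records are constructed."""
import re

# Constructed sample records: (database, username, password). Not client data.
SAMPLE_ACCOUNTS = [
    ("salesdb", "salesdb", "salesdb"),         # database name reused for both
    ("hrdb", "hr_app", "Hrdb2023!"),           # database name inside the password
    ("erp", "jsmith", "NEWCOMER-jsmith"),      # NAME/NEWCOMER-NAME style
    ("erp", "svc_report", "qJ7#vL!p0wQx"),     # unrelated to any name: passes
    ("erp", "finance_ro", "Enterprise!2024"),  # "erp" too short to match: passes
]

# "newcomer" comes from the write-up; "welcome" is an assumed addition.
ONBOARDING_WORDS = ("newcomer", "welcome")


def _letters(s):
    # Lower-case and keep letters only, so digits and punctuation cannot hide a name.
    return re.sub(r"[^a-z]", "", s.lower())


def derived_from(password, *names, min_len=4):
    """True if any name of at least min_len letters appears inside the password
    (the minimum avoids false hits such as 'erp' inside 'Enterprise')."""
    pw = _letters(password)
    return any(len(_letters(n)) >= min_len and _letters(n) in pw for n in names)


def audit_account(database, username, password):
    """Return the list of weak-pattern reasons for one account (empty if none)."""
    reasons = []
    if username.lower() == database.lower():
        reasons.append("username equals database name")
    if password.lower() in (username.lower(), database.lower()):
        reasons.append("password equals username or database name")
    elif derived_from(password, username, database):
        reasons.append("password contains username or database name")
    if any(w in password.lower() for w in ONBOARDING_WORDS):
        reasons.append("onboarding-style password (NEWCOMER-NAME pattern)")
    return reasons


def audit_accounts(records):
    """Return (database, username, reasons) for every account matching a weak pattern."""
    return [(db, user, r) for db, user, pw in records if (r := audit_account(db, user, pw))]


if __name__ == "__main__":
    for db, user, reasons in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{db}/{user}: {'; '.join(reasons)}")
```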

RBT’s recent penetration test engagement spanned both the External and Internal Networks, and our commitment to identifying even the smallest vulnerabilities served one mission: to fortify the security posture of our client’s environment. Throughout the week-long endeavor, we delved into the intricacies of network vulnerabilities and uncovered critical insights that underscore the significance of robust security practices, including:

  • Restricting RDP access to trusted IP addresses
  • Enforcing Multi-Factor Authentication (MFA)
  • Enforcing more rigorous password policies
  • Replacing default credentials
  • Implementing secure permissions on network shares to protect the data stored there
  • Encrypting sensitive emails before sending them
  • Requiring strong and complex passwords
  • Maintaining robust and secure credential policies within the internal infrastructure

In summary, our penetration test not only revealed specific vulnerabilities but also provided actionable takeaways that advocate for implementing proactive security measures. These insights serve as a roadmap for our clients to fortify their security measures and establish a resilient defense against potential threats.

Join us on our next exciting adventure through the digital realm, where we will continue contributing to strengthening security measures. Keep an eye out for upcoming blog posts like this one!

Authors

  • Chanel Carr

    Professional security architect of multi-clouds, including Amazon Web Services (AWS), Microsoft Azure, and Google GCP, with experience evaluating and testing computer security systems, creating firewalls, improving network security to protect the system further.

  • Asif Khan

    Highly skilled Pentester with experience in various areas, including multi-clouds (AWS, Azure, and GCP), network, web applications, APIs, and mobile penetration testing. In addition, he is passionate about conducting Red and Purple Team assessments and developing innovative solutions to protect company systems and data.
