Network Pen Testing
Breaking the Corporate Network through a Hacker's Perspective
We will discuss performing network penetration testing on a corporate network using the grey box approach and exploiting vulnerabilities from a hacker's perspective. This article concentrates mainly on the use of Nmap, Nessus and Metasploit for network penetration testing.
There are 3 approaches for performing network penetration testing.
• White box is when the tester has access to the complete network structures and admin credentials.
• Grey box is when the tester has the basic network information but does not have admin credentials.
• Black box is when the tester has no access to any of the information for starting penetration testing.
We generally prefer the grey box approach. Since we are targeting a corporate network, we have to keep in mind that we are bound to follow regulatory compliance, and using the black box approach may produce wrong results, incomplete vulnerability detection and scanning of the wrong IPs (systems that are non-critical from a business perspective), leading to a lot of rework.
If you use white box testing then obviously you are not performing any magic for the client, since you already have the network diagram, the admin credentials and access through the ACLs and firewalls. White box testing may not detect hidden intrusion points and may not give a real understanding of what an attacker can do, since all the information is already available to the tester and there is very little chance that the tester will actually try to exploit the vulnerabilities. White box testing is only good if your goal is a compliance report for audit committee review.
On the other hand, the grey box approach detects many hidden intrusion points such as older versions of antivirus software, insecure database services and weak passwords. Grey box testing can perform real magic for the client, since the client provides the list of IPs and shares a little information about the network, such as the make of the servers and firewalls and, if required, ACL access, without sharing any admin credentials. It is really interesting to penetrate using minimal information. It also gives the client a clear idea of how a person with malicious intent breaks into the network using only end-user access.
The standard grey box penetration testing approach follows the steps shown in Figure 1.
On the Job – Penetration Testing
During projects it is quite interesting to penetrate servers and the network through trusted software such as antivirus products, databases and others. Some services and packages are widely used in almost all types of network environments, such as SNMP, antivirus, SQL Server and Oracle databases. We will show examples of exploiting these.
Oracle and SQL Enumeration and Exploitation
Database services are the most important part of the penetration testing activity. Most organizations have Oracle and SQL Server databases installed for HRMS and finance servers. By default SQL Server runs on port 1433 and Oracle runs on 1502. Both databases ship with default usernames and passwords such as "sa" / "sa" and SCOTT / TIGER, and sometimes even a blank password.
The Oracle listener service (before v.10) is vulnerable to the Oracle Listener Service Blank Password Attack. Since the listener runs at operating system level and carries out the commands sent to it remotely, an attacker can connect to the listener service, access the database and perform administrative activities if no password is set for the listener.
SQL Server has a default "sa" account. If the password for the "sa" account is missing or left at the default, an attacker can easily log in to the remote SQL Server, access the database tables, perform administrative activities, issue commands to SQL Server and gain administrative control over the remote operating system. In the example below we exploited the remote SQL database using the default username and password (sa/sa) and later accessed the underlying operating system with admin rights (Figure 2-Figure 6).
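The sa-account abuse described above leaves a trail in the SQL Server ERRORLOG when login auditing records both failed and successful logins. The detector below is an added example, not code from the article: it runs over constructed ERRORLOG-style lines and flags repeated failed 'sa' logins from one client, a successful 'sa' login that follows them or comes from a host outside an assumed DBA allowlist, and the enabling of xp_cmdshell, which is the usual bridge from a database login to OS command execution.

```python
import re
from collections import defaultdict

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the article).
SAMPLE_ERRORLOG = """\
2024-03-01 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.5.23]
2024-03-01 09:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.5.23]
2024-03-01 09:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.5.23]
2024-03-01 09:00:02.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.5.23]
2024-03-01 09:00:09.77 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 09:15:44.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.1.5]
2024-03-01 09:20:00.00 Logon       Login failed for user 'hr_app'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.7.9]
"""

LOGIN_RE = re.compile(
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[\d.]+)\]"
)
XP_CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyze_errorlog(text, dba_hosts, fail_threshold=3):
    """Return a list of (finding, detail) tuples for sa-account abuse indicators.
    dba_hosts is an assumed allowlist of client IPs from which 'sa' may legitimately log in."""
    failures = defaultdict(int)  # (user, client) -> number of failed logins seen so far
    findings = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            user, client, outcome = m["user"], m["client"], m["outcome"]
            if outcome == "failed":
                failures[(user, client)] += 1
                if user == "sa" and failures[(user, client)] == fail_threshold:
                    findings.append(("sa_password_guessing", client))
            elif user == "sa":
                # A successful sa login from a client that was just guessing is the strongest signal.
                if failures[(user, client)] >= fail_threshold:
                    findings.append(("sa_login_after_failures", client))
                elif client not in dba_hosts:
                    findings.append(("sa_login_from_unexpected_host", client))
            continue
        if XP_CMDSHELL_RE.search(line):
            # Record the timestamp (first two whitespace-separated fields) of the config change.
            findings.append(("xp_cmdshell_enabled", " ".join(line.split()[:2])))
    return findings


if __name__ == "__main__":
    for finding in analyze_errorlog(SAMPLE_ERRORLOG, {"10.10.1.5"}):
        print(finding)
```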
Exploiting Anti Virus Services
During one of the projects I had an opportunity to play with an antivirus installation and exploit the "Symantec Common Base Agent CreateProcessA() Function Remote Command Execution Vulnerability". The client team had installed Symantec on all the servers and was 100% sure that it would protect the critical servers and the data residing on them. It is always advisable to use multiple tiers of security solutions. We always need to make sure that everything from the operating system level to the network level is configured securely. In this scenario the client team relied only on the Symantec installation and forgot the rest. Even antivirus and endpoint security products require secure configuration and patch management, which was missing in this case.
Metasploit has various exploit and auxiliary modules; we used the following auxiliary module to exploit the remote server (Figure 7).
Using the CMD command we added a backdoor admin user to the remote server's Administrators group.
Then, using DameWare NT Utilities, we checked the user rights and performed enumeration activities (Figure 8).
We enabled RDP on the remote machine using DameWare and gained GUI access (Figure 9).
We collected the admin password hashes using the Metasploit Meterpreter hashdump module and, using psexec, were able to log in to the domain controller since the password was the same for all the servers (Figure 10-Figure 13).
Then we copied the entire domain controller's password database using PwDump (Figure 14).
Passwords were cracked using L0phtCrack (Figure 15).
And now we control the entire domain, with access to all users and services.
We used the grey box approach for the above exploitation and, using only basic information, we were able to gain access to the entire network.
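The hop from one compromised server to the domain controller above worked because one local admin password was shared by every server, so its hash could be replayed host by host with psexec. That pattern shows up in Windows Security event 4624 as one account opening NTLM network logons (logon type 3) to many hosts from one source in a short window. The check below is an added example, not code from the article; the events are constructed and reduced to the fields the check needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4624 events, reduced to the fields the check needs (not from the article).
SAMPLE_LOGONS = [
    # (timestamp, account, logon_type, auth_package, source_ip, target_host)
    ("2024-03-01 09:30:00", "Administrator", 3, "NTLM", "10.10.5.23", "FILESRV01"),
    ("2024-03-01 09:30:04", "Administrator", 3, "NTLM", "10.10.5.23", "HRMS01"),
    ("2024-03-01 09:30:09", "Administrator", 3, "NTLM", "10.10.5.23", "FIN-DB01"),
    ("2024-03-01 09:30:15", "Administrator", 3, "NTLM", "10.10.5.23", "DC01"),
    ("2024-03-01 09:31:00", "svc_backup", 3, "Kerberos", "10.10.1.20", "FILESRV01"),
    ("2024-03-01 11:00:00", "jdoe", 2, "Negotiate", "-", "WKS042"),
    ("2024-03-01 15:00:00", "Administrator", 3, "NTLM", "10.10.5.23", "PRINT01"),
]


def detect_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag (account, source_ip) pairs that open NTLM network logons (type 3) to at
    least `min_hosts` distinct hosts within `window`: the footprint of one shared
    local admin credential being replayed across servers. Returns a list of
    (account, source_ip, sorted_hosts) tuples, at most one per pair."""
    by_source = defaultdict(list)
    for ts, account, logon_type, package, src, host in events:
        # Kerberos and interactive logons are left out; the replayed-hash path is NTLM over the network.
        if logon_type == 3 and package == "NTLM":
            by_source[(account, src)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    alerts = []
    for (account, src), logons in by_source.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            # Sliding window anchored at each logon: distinct hosts reached within `window`.
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, src, tuple(sorted(hosts))))
                break  # one alert per (account, source) is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOGONS):
        print(alert)
```

Thresholds are assumptions; a backup or patching account that legitimately touches many hosts belongs on an exclusion list rather than in the alert stream.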