This blog was co-written by Patrick Laverty.
When pen testers look at your network, one of their main goals is privilege escalation from a plain, uncredentialed user to that of a fully privileged enterprise administrator (EA) or domain administrator (DA). With either of these levels of access, the tester can do anything within the network, including add new users, read or alter contents of databases, and start up or shut down services. If a penetration tester can escalate privileges to that of a EA or DA, the network is considered fully compromised.
However, on a recent penetration testing service engagement, we were unable to escalate our access to a DA, as hard as we tried. This network had some great protections in place, including a system where no one maintained DA access. That was kept in a vault, and it required two approved users to give access to one person for a four-hour time period, and only from specific workstations.
Denied domain administrator access
Reaching this level of privilege is not the only goal of a pen tester. Another part of the test that is arguably more valuable is seeing what information or data can be found during the engagement. Even more valuable is what can be found either with a normal user’s level of access or with no privileges at all.
For example, if a curious or even disgruntled employee can find personally identifiable information in a network they should not be authorized to view, that needs to be fixed. This can also be an extra worry for organizations that fall under GDPR.
Before a penetration test, we will ask our customers to identify the most sensitive information they are trying to protect so we’ll know what we’ll try to target.
Plan B: Find the data
So, what data can we get as a regular user? Well, the first step is to obtain some level of access. That part is frequently easy enough. One method is catching credentials being sent through a network over LLMNR or NetBIOS. Another may be straight password guessing, as we know users often choose weak passwords if you let them. Another can be accessing local accounts on a machine because of missing security patches.
Armed with valid user accounts, we next start looking anywhere and everywhere for information. We’ll look in email inboxes, as people will store important company information there, including passwords. We’ll also look in file shares, as people see those as a safe place to store their information. Multiple times on engagements, these file shares have been the source of passport information, W2 tax information, resumes from applicants, student grades and tuition payment information, scripts for yet-to-be-released TV shows or movies, employee discipline letters, and in one case, even management’s plan for upcoming company layoffs.
If your company uses a data storage solution, this can also be a treasure trove for pen testers if the authorization is not set up properly. If any user can read any other user’s data in such a storage system, a pen tester will rummage through and see what can be found. On the recent test described earlier, we found the documentation on exactly how the DA access was handled, which helped to give us an idea of what it would take to escalate privileges.
Take a look at how your databases are protected. Do you use default credentials? Do your database administrators have weak passwords? Does it matter which host or IP the user is trying to log in from? Databases are another favorite target of pen testers. An infamous bank robber was once asked why he robs banks and answered, “Because that’s where the money is!” This is similar for pen testers and databases, because that’s where the data is.
Another pen tester favorite is internal websites. Do you have a company wiki used for documentation? How is that accessed? Does the wiki explain how to get user accounts or list the company’s default password? Or, are there other management systems with default or weak access? These are other things a pen tester will be looking for.
Think vertically, act laterally
These are just some things to think about when getting a penetration test. As you protect your network, you likely put a lot of focus on preventing privilege elevation, but take a look at what you are doing to prevent lateral movement around the network and stop the pilfering of data. What are your testers actually going to be looking for, and are those things protected? What can testers get access to, even without elevated privileges? This is often the area that is the biggest risk for companies, since their important information can be accessed too easily.