Pen Testing Stories from the Field: Combining Tools to Take Over an Entire Domain

There is no single set of instructions on how to run a penetration test, and no one manual on how to be a pen tester. The only real constant is that each job is a combination of preparation and improvisation to adapt and adjust to each environment’s quirks. So one of the best ways to learn and improve your own penetration testing techniques and strategies is from your peers, whether it be through watching them on the job, or from talking shop at a conference and hearing how they handled an interesting assignment. With this in mind, after we spoke with a pen tester about a recent job his team had completed with the assistance of Core Security’s tools, we asked him to go into detail, in order to pass along some valuable lessons from the field.

What was the engagement?

We were tasked with completing an internal penetration test on a large, multi-national manufacturer.

What tools were you using?

We had a jumpbox laptop that we placed on the network. We used a Nessus vulnerability scanner, as well as a variety of pen testing tools, including Core Impact and Cobalt Strike. And of course, our powers of reasoning and deduction.

Had this company ever had a pen test performed?

Yeah, quite a few, actually. They told us the one they had conducted the year prior had turned up “nothing in particular,” so we were pretty curious to check out the environment for ourselves.

So, where did you begin?

Once we had the jumpbox laptop installed, we ran the Nessus scan. The scan indicated that there were 23 machines running the SolarWinds Dameware Mini Remote Control—a tool that IT teams can use for remotely accessing employees’ computers, laptops, or servers for support. Core Impact happens to have an excellent exploit for this product, so we used it and managed to get onto 13 machines. We installed an agent onto all 13 of these machines, but only as an unprivileged user account, so our initial access was fairly limited.

How did you manage to escalate your privileges?

We used Impact’s privilege escalation RPT (Rapid Penetration Test), which saved us several hours. CVE-2020-0668 is a privilege elevation vulnerability in the Windows kernel. There is a patch for it, but we still found it on several machines, and were able to use it to place an agent running as SYSTEM, which is the Windows version of what a lot of people know as the “root” or superuser account.

Next, Core Impact’s Windows Secrets Dump module, which can collect user credentials from a compromised machine, helped us obtain the local password hash database. Looking at the database, we noticed that the “administrator” user had the same hash on four of the workstations. We wondered if this administrator had the same credentials on other machines.

It turned out that the administrator did have the same credentials elsewhere, and we were able to get into a couple hundred machines. We used the hash with CrackMapExec to get access to the LSA Secrets, which housed a large amount of domain cached credentials. Ultimately, we were able to harvest 900 other user credentials, including multiple Domain Admins. We also used the hash to deploy the Cobalt Strike beacon payload across other systems, compromising the environment even further.

Yikes. How far did you take the compromise?

Oh, we eventually took over the entire domain. We had complete control.

That was probably an unpleasant surprise for the organization. But better that your team found it out now instead of an attacker down the line.

How could this have been avoided? What would you suggest they, and other organizations, prioritize to mitigate risk?

Well, to start, patch often and patch everything. If a patch is available for any of your devices, patch them. If a patch is available for any of your third-party software, patch it.

Also, never use the same credentials across machines—it’s a great way for attackers to quickly move laterally across the organization without much effort.  

Use two-factor authentication for elevated access. Just do it.

And, naturally, I strongly encourage hiring savvy pen testers on a regular basis to validate those remediations.

Want to learn more pen testing lessons?

Watch our webinar, "Getting Inside the Mind of an Attacker: TLS Attacks and Pitfalls" to learn about exploiting this security protocol.