Internal Penetration Testing 101

Viharika
6 min read · May 3, 2021

PART 1

The first step in any penetration test is passive intelligence gathering. Passive reconnaissance, also called OSINT or information gathering, means collecting information about a target from publicly available sources.

Make sure that you are not making any active contact with the target organization's servers.

Reconnaissance Tasks Include:

  • Identification of IP addresses, subdomains, ports and services that make up the attack surface.
  • Identification of the technologies used, the application platform and other infrastructure details.
  • Identification of sensitive information, e.g. API keys, AWS S3 buckets, leaked credentials, etc.
  • Other data includes identification of web portals, log files, backup files, database files, client-side code, JavaScript libraries and configuration files.

Useful Tools & Websites for Reconnaissance:

There are a few concepts everyone should understand well before beginning an internal PT. I have listed them and explained their basic purpose below.

I. Network Access Control (NAC):

NAC solutions are designed to boost the overall security of your internal infrastructure by enforcing policies across all users and devices. They authenticate endpoint devices as they are plugged into the network.

NAC can also check a device for policy updates and current virus definitions before allowing it access to corporate resources. Authentication may be based on the device's MAC address or on a certificate issued to the device.

II. 802.1x Authentication Protocol:

Devices attempting to connect to a LAN or WLAN require an authentication mechanism. IEEE 802.1X, the IEEE standard for Port-Based Network Access Control (PNAC), provides that authentication for secure network access.

This protocol protects against unauthorized access by blocking all traffic to and from a newly connected device (the supplicant) at the port until the supplicant's credentials are presented and verified by the authentication server.

The authentication server, typically a RADIUS server, checks the user's credentials to confirm they are an active member of the organization and, depending on network policy, grants users varying levels of access to the network.

Once the supplicant is authenticated, the switch stops blocking and opens the interface to the supplicant.

III. LLMNR:

LLMNR stands for Link-Local Multicast Name Resolution. As the name says, this protocol allows name resolution without a DNS server. It resolves a hostname to an IP address by sending a multicast packet across the network, asking every listening network interface to respond if it is authoritative for the hostname in the query.

This is done by sending the packet to UDP port 5355 at a multicast address.

IV. NBT-NS (NetBIOS Name Service):

NBT-NS is the NetBIOS name resolution protocol used for local machines; it uses the same broadcast-and-wait strategy as ARP.

NBT-NS broadcasts the request and waits for a response. It sends out the name and appends an identifier indicating the type of name we are looking for.

In NetBIOS you can also find address information for domains, users and other things. The response carries a resource record with the IP address.
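To make the two wire formats from sections III and IV concrete, here is an added example (not from the article and not part of any tool it mentions) that builds and decodes both an LLMNR query and an NBT-NS query. LLMNR reuses the DNS message layout; NBT-NS wraps the 15-character name plus the one-byte type identifier in NetBIOS "first-level encoding", where each nibble becomes a letter from A to P. The port numbers and the suffix table are standard values; the hostnames and transaction IDs are constructed sample data. A monitoring sensor that listens on these two UDP ports could use `parse_query` as its decoder.

```python
import struct

# Standard transport values (not from the article)
LLMNR_PORT = 5355          # LLMNR queries are multicast to 224.0.0.252 / ff02::1:3 on this UDP port
NBTNS_PORT = 137           # NBT-NS queries are broadcast on this UDP port

# NetBIOS 16th-byte suffix: the "identifier on the end" naming the type of resource
NBT_SUFFIX = {0x00: "workstation", 0x20: "file server",
              0x1B: "domain master browser", 0x1C: "domain controllers"}


def nbt_encode(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name + suffix byte, each nibble mapped to 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def nbt_decode(label: bytes):
    """Reverse of nbt_encode; returns (name, suffix)."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def _dns_name(name: str) -> bytes:
    """DNS label encoding used by LLMNR: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _read_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return labels, off
        labels.append(buf[off:off + n])
        off += n


def build_llmnr_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed LLMNR query: DNS-style header, one question, QTYPE 1 (A record) by default."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + _dns_name(name) + struct.pack("!2H", qtype, 1)


def build_nbtns_query(txid: int, name: str, suffix: int = 0x20) -> bytes:
    """Constructed NBT-NS name query: flags RD+broadcast (0x0110), one 32-byte label, QTYPE 0x20 (NB)."""
    return (struct.pack("!6H", txid, 0x0110, 1, 0, 0, 0)
            + b"\x20" + nbt_encode(name, suffix) + b"\x00" + struct.pack("!2H", 0x20, 1))


def parse_query(dst_port: int, payload: bytes):
    """Decode a query seen on UDP dst_port; returns None for responses (QR bit set) or malformed counts."""
    txid, flags, qdcount, *_ = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:
        return None
    labels, off = _read_name(payload, 12)
    qtype, _qclass = struct.unpack("!2H", payload[off:off + 4])
    if dst_port == NBTNS_PORT:
        name, suffix = nbt_decode(labels[0])
        return {"proto": "NBT-NS", "txid": txid, "name": name,
                "suffix": NBT_SUFFIX.get(suffix, hex(suffix)), "qtype": qtype}
    if dst_port == LLMNR_PORT:
        return {"proto": "LLMNR", "txid": txid, "name": b".".join(labels).decode("ascii"), "qtype": qtype}
    raise ValueError(f"unexpected destination port {dst_port}")


if __name__ == "__main__":
    print(parse_query(LLMNR_PORT, build_llmnr_query(0x1234, "fileserv01")))
    print(parse_query(NBTNS_PORT, build_nbtns_query(7, "fileserv01", 0x20)))
```

Note that the NBT-NS name is case-folded to upper case by the encoding itself, so a sensor comparing the decoded names against an inventory should normalise case before matching.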

V. LLMNR/NBT-NS Spoofing:

If a Windows client cannot resolve a hostname using DNS, the LLMNR protocol is used to query neighboring computers. LLMNR can resolve both IPv4 and IPv6 addresses.

If LLMNR also fails to resolve the request, NetBIOS is used. Both NetBIOS and LLMNR serve the same purpose; the only difference is that NetBIOS works over IPv4 only.

When either LLMNR or NBT-NS is used to resolve a request, any host on the network that claims to know the IP of the host being asked about can respond. The catch is that a host responding with incorrect information is also treated as legitimate (even a host that does not know the IP can answer the query and be accepted as legitimate).

Using this loophole, many attack tools have been developed that reply to all such queries in order to capture sensitive information. Responder is one such tool: it answers LLMNR and NBT-NS queries with its own IP address as the destination for any hostname requested.
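The behaviour described above is also what makes poisoning detectable: a genuine host only ever answers queries for its own name, while a poisoner answers for whatever is asked. The following added example (written for this article, not taken from Responder or any other tool) runs two defender-side checks over a constructed list of decoded LLMNR/NBT-NS events: any response to a "canary" name that no real device carries, and any single responder that answers for several distinct names. All IP addresses, hostnames and the canary list are constructed sample data.

```python
from collections import defaultdict

# Constructed canary hostnames: a monitoring host periodically queries these and nothing
# legitimate should ever answer. Any answer identifies a poisoner.
CANARY_NAMES = {"canary-ws-7f3a", "canary-share-21c9"}

# A real host answers for its own name only; answering for this many distinct names is suspicious.
DISTINCT_NAME_THRESHOLD = 3

# Constructed events as a sensor would emit them: (protocol, kind, source IP, queried name, answer IP)
SAMPLE_EVENTS = [
    ("LLMNR",  "query",    "10.0.0.21", "fileserv01",     None),
    ("LLMNR",  "response", "10.0.0.5",  "fileserv01",     "10.0.0.5"),   # legitimate self-answer
    ("LLMNR",  "query",    "10.0.0.22", "pritner-02",     None),         # user typo, no such host
    ("LLMNR",  "response", "10.0.0.99", "pritner-02",     "10.0.0.99"),
    ("NBT-NS", "query",    "10.0.0.23", "OLD-NAS",        None),
    ("NBT-NS", "response", "10.0.0.99", "OLD-NAS",        "10.0.0.99"),
    ("LLMNR",  "query",    "10.0.0.10", "canary-ws-7f3a", None),         # monitoring host's canary
    ("LLMNR",  "response", "10.0.0.99", "canary-ws-7f3a", "10.0.0.99"),
    ("LLMNR",  "query",    "10.0.0.24", "hr-docs",        None),
    ("LLMNR",  "response", "10.0.0.99", "hr-docs",        "10.0.0.99"),
]


def find_poisoners(events, canary_names=CANARY_NAMES, threshold=DISTINCT_NAME_THRESHOLD):
    """Return {responder_ip: [reason, ...]} for every host whose answers look like poisoning."""
    names_by_responder = defaultdict(set)
    reasons = defaultdict(list)
    for proto, kind, src, name, answer in events:
        if kind != "response":
            continue
        lowered = name.lower()
        names_by_responder[src].add(lowered)
        if lowered in canary_names:
            reasons[src].append(f"answered canary name {name} over {proto} with {answer}")
    for src, names in names_by_responder.items():
        if len(names) >= threshold:
            reasons[src].append(f"answered {len(names)} distinct names: {sorted(names)}")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in find_poisoners(SAMPLE_EVENTS).items():
        print(ip, "->", "; ".join(why))
```

In the sample, 10.0.0.5 answers only for its own name and is not flagged, while 10.0.0.99 trips both checks. The canary check is the more reliable of the two, since it does not depend on a threshold; the distinct-name check catches a poisoner in networks where no canary queries are sent.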

Responder Link:

VI. SMB & Relay Attack

SMB stands for Server Message Block.

It is a client-server communication protocol used for sharing files, printers, serial ports and communication abstractions between computers.

How does it work?

This protocol enables applications, or the users of those applications, to access files on remote servers, printers, mail slots, etc.

A client application can open, read, create, move and update files on a remote server. Before one side can communicate with the other, the user has to authenticate. SMB operates at Layer 7 (the application layer); it can be transported over TCP/IP on port 445.

Figure: Working of SMB

For Unix systems, Samba, an open-source server that supports the SMB protocol, was released.

SMB process:

1. A NetBIOS session is established between the client and the server.

2. Server and client negotiate the SMB protocol dialect.

3. The client logs on to the server with the proper credentials.

4. The client connects to a shared resource hosted on the server (e.g. a wireless printer).

5. The client opens a file on the share.

6. The client reads or edits the requested resource.

SMB protocol dialects:

Below is a brief overview of the SMB protocol's notable dialects:

SMB Relay Attack:

Although authentication and access control protection is in place, it can be manipulated by relaying authentication attempts to gain access to systems. It can also be abused to collect password hashes. This relaying process is called an SMB relay attack.

  • The attacker selects the target server he wants to authenticate to and then waits for someone on the network to authenticate to his machine.
  • This is where rogue host detection, vulnerability scanners, and administrator scripts that automatically authenticate to hosts become a penetration tester's best friends. When the automated process connects to the attacker, he passes the authentication attempt off to his target (another system on the network, a server).
  • The target generates a challenge and sends it back to the attacker. The attacker forwards this challenge to the originating scanning system. The scanning system believes this is a legitimate challenge from the target, encrypts the challenge with the correct password hash and sends the result back to the attacker.
  • The attacker passes the correctly encrypted response on to his target and successfully authenticates.

Below is an illustration of the same:

Figure 1: Routine SMB establishment
Figure 2: SMB relay attack, where the attacker gains access
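The four bullets above describe a pure pass-through: the relay never learns the password or its hash, it only forwards the challenge one way and the response the other. The added example below (written for this article, not code from Responder or any SMB implementation) models that exchange with the NTLMv2 shape of the response, NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob) and SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr), and shows why SMB signing is the standard mitigation: the target accepts the relayed response, but every signed message afterwards needs the session key, which only the real client and the server can derive. Two simplifications are labelled in the code: the NT hash uses MD5 in place of MD4 (MD4 is missing from many hashlib builds), and messages are signed directly with the session base key instead of through the SMB2 key derivation. Usernames, the password and the domain are constructed.

```python
import hashlib
import hmac
import os


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over UPPER(user)+domain, keyed by the NT hash.
    Stand-in: MD5(UTF-16LE(password)) replaces the real MD4-based NT hash."""
    nt_hash = hashlib.md5(password.encode("utf-16le")).digest()
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_blob: bytes):
    """Returns (NTProofStr, SessionBaseKey). Only a party holding ntowf can compute either."""
    nt_proof = hmac.new(ntowf, server_challenge + client_blob, "md5").digest()
    session_key = hmac.new(ntowf, nt_proof, "md5").digest()
    return nt_proof, session_key


class Server:
    """The target: verifies the response and, when signing is required, every later message."""

    def __init__(self, user, password, domain, require_signing):
        self.ntowf = ntowf_v2(password, user, domain)   # derived from the stored credential
        self.require_signing = require_signing
        self.session_key = None

    def challenge(self) -> bytes:
        self.chal = os.urandom(8)
        return self.chal

    def authenticate(self, nt_proof: bytes, blob: bytes) -> str:
        expected, key = ntlmv2_response(self.ntowf, self.chal, blob)
        if not hmac.compare_digest(expected, nt_proof):
            return "auth failed"
        self.session_key = key
        return "authenticated"

    def command(self, msg: bytes, signature) -> str:
        # Simplification: sign directly with the session base key (SMB2 derives a signing key from it).
        if self.require_signing:
            expected = hmac.new(self.session_key, msg, "md5").digest()
            if signature is None or not hmac.compare_digest(expected, signature):
                return "rejected: bad signature"
        return "accepted"


class Client:
    """The scanner or admin script that answers a challenge from whatever it connected to."""

    def __init__(self, user, password, domain):
        self.ntowf = ntowf_v2(password, user, domain)

    def respond(self, server_challenge: bytes):
        blob = os.urandom(16)   # stands in for the NTLMv2 timestamp/nonce blob
        nt_proof, self.session_key = ntlmv2_response(self.ntowf, server_challenge, blob)
        return nt_proof, blob   # the session key never leaves the client


CREDS = ("svc_scan", "constructed-password", "CORP")   # constructed sample credential


def relay_scenario(require_signing: bool):
    """Replays the four bullets: the relay passes the challenge and the response through unchanged."""
    target = Server(*CREDS, require_signing)
    client = Client(*CREDS)
    chal = target.challenge()                   # relay opened a session to the target
    nt_proof, blob = client.respond(chal)       # relay handed the client the target's challenge
    auth = target.authenticate(nt_proof, blob)  # relay forwards the client's answer
    # The relay now sends its own command. Lacking the session key, it can only guess a signature.
    guessed = hmac.new(b"relay has no key", b"open share", "md5").digest()
    return auth, target.command(b"open share", guessed)


def legitimate_scenario():
    """Same server with signing required, but the genuine client signs with its own session key."""
    server = Server(*CREDS, True)
    client = Client(*CREDS)
    nt_proof, blob = client.respond(server.challenge())
    auth = server.authenticate(nt_proof, blob)
    sig = hmac.new(client.session_key, b"open share", "md5").digest()
    return auth, server.command(b"open share", sig)


if __name__ == "__main__":
    print("no signing :", relay_scenario(False))
    print("signing    :", relay_scenario(True))
    print("legit      :", legitimate_scenario())
```

The first call returns `("authenticated", "accepted")`: with signing off, the relayed authentication is all the attacker needs. With signing required the authentication still succeeds, because the response really was computed with the right credential, but the first command is rejected, which is exactly the gap SMB signing is meant to close.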

Thank you for reading. There are more parts yet to be released to cover this vast topic.

PART 2 includes: Password Hashes, Types of Hashes, Types of Windows User Accounts, Windows Processes, Kerberos Authentication Process.
