Improve Penetration Testing Results With a Simple PasswordAccess to legitimate credentials can allow pentesters to effectively configure tooling and frees more time to focus on discovering potential attack vectors. By: Nate Drier, Secureworks Adversary Group
Give your pentester a password.
No, that doesn’t mean sharing a current employee’s credentials. Creating a valid account for the pentester can maximize the value of a penetration test when time is limited.
During internal and external penetration tests, members of the Secureworks® Adversary Group perform customized password spraying. The first goal in password spraying is to accumulate as many potential usernames as possible. Depending on the goals of the test and what information is available, this activity could include the following tasks:
- Enumerate usernames from a misconfigured domain-joined system
- Perform a “timing attack” to validate usernames based on how long the server takes to respond
- Examine emails, password reset pages, or other sources to discover the customer’s username scheme
- Browse the customer’s LinkedIn page to compile employee lists
- Run a query for identified usernames or username schemes in the proprietary Secureworks CredCloud platform, which contains data from historical breaches
Sometimes pentesters don’t have enough information to determine all legitimate username schemes. Authentication can be complex, especially for external tests. A login format could be DOMAIN\user, email@example.com, first.last, flast, first_last, or a non-standard convention. During long-term Red Team engagements, the pentesters have time to discover those nuances. However, goal-based penetration tests have much shorter timeframes. That time is better spent identifying weaknesses that threat actors could exploit in the customer’s network perimeter.
If given valid credentials, a pentester can test, for instance, the customer’s password reset app. They can watch the authentication flow and verify that the password spraying tooling is properly configured. Misconfigured tooling, even just a single incorrect or missing element, can cause the attack to fail despite a correct username and password pair. Being able to validate the configuration at the onset eliminates the need for multiple rounds of password spraying and enables the pentester to begin searching for weak, predictable, breached, or common passwords on the first day of testing. It also allows time for testing more passwords against additional user accounts. Given that ransomware threat actors are increasingly leveraging password spraying, it’s beneficial to include as much of this testing as possible.
The most important key to a successful penetration test is communication. During the initial “kickoff” call, the customer should explain their goals for the test, provide information about their infrastructure, and describe existing security controls. This information enables the pentester to provide guidance and feedback, and to tailor the test to meet the customer’s needs. With these insights and valid credentials at the beginning of the engagement, the pentester can maximize their time and provide even more value to the customer.
The members of the Secureworks Adversary Group have years of experience and have tested thousands of network perimeters across organizations from all verticals. Contact us to learn more about our adversarial security testing services and how they can benefit your organization.