Introduce yourself and explain your path to penetration testing.
My name is Hugh and I’m one of the Senior Penetration Testers at Secure State Consultants. I have approximately 7 years of experience across Information Technology and Cyber Security. One of the core aspects of my position is providing penetration testing services to a diverse range of sectors across manufacturing, health, education, tourism and defence.
I started my journey towards Cyber Security as an IT Support Officer Trainee from local government where I was able to gain exposure to a wide array of systems that provided important services for the City of Adelaide. I then moved across into the Defence Industry at Saab Australia working within their Corporate IT department as a Senior IT Support Officer. During my employment at Saab Australia, I gained extensive experience assisting with the deployment of security controls and working with complex sensitive systems and environments.
After a few years I moved across to the Professional Services team where I engaged with clients from a diverse range of sectors such as health, education, food, manufacturing, and tourism and providing services such as obtaining Defence Industry Security Program Membership, preparing for ISO 27001 certification, or performing vulnerability assessments and penetration tests.
What strategies do you employ to undertake penetration testing?
The tools and strategies I utilise during a penetration test come down to the scope of the target and what’s been outlined with the client. I utilise and leverage all the tools at my disposal, with a majority of those coming from the Kali penetration testing operating system. More often though, the main tools I use once I’ve gained initial access on an internal test are the ones built into Windows; I try to live off the land rather than making a lot of noise.
Can you give us an example?
Throughout my years of penetration testing, I’ve encountered so many different systems, each with their strengths and weaknesses. The issues that stand out to me the most are misconfigurations, poor IT practices and legacy issues that have been left unattended for years maybe even decades.
In some cases, it can be legacy software that businesses don’t want to invest funds in to find a proper solution for because the current one works, and they spend increasingly significant amounts of resources, time and money trying to fix or secure a system that should be decommissioned and rebuilt, when it would likely cost them less to find a new solution.
Another common finding would be user permissions. A finding that will always appear in my reports is that users have access to significant amounts of sensitive information, either because folder structures and permissions weren’t appropriately configured, users have created their own folder structures, or folders have been merged with other folders that had inappropriate permissions.
This means that I don’t need to deploy specialised tools or use intricate techniques to escalate my access. I’ve already achieved one of my primary objectives of gaining access to either finance databases or employee records, and I’ve loaded it into the compromised user’s Teams account and back down to my device without anyone noticing, or in some circumstances I can just transfer the files to my laptop on their network without user credentials.
What businesses struggle to comprehend is that it might not even be from a malicious actor with a compromised account that would steal this information it could be from a trusted insider such as a disgruntled employee who’s taken all the HR records related to incidents and wants to leak them to the media.
The last item that I constantly encounter is inadequate logging and monitoring. I’ve encountered numerous times where I’ve escalated myself to Domain Administrator and taken control of the domain controller and no one has noticed or detected that I dumped all the password hashes from a Domain Controller. It’s at this point I can do basically anything, such as steal all the information they have or spread ransomware.
While some businesses have monitoring in place, it may be from a third-party service, and these services tend to be slow to react, with notifications being provided to the IT department within 3 days after I’ve compromised the environment. With effective logging and monitoring, these businesses could have been aware that I was active in the environment, especially when utilising tools such as Impacket, which can trigger alarms as soon as it’s detected by some defensive tools if properly configured.
What are your recommendations for all types of business?
After years of working across both IT and Cyber there are numerous recommendations that I could provide, but if I had to provide my highlights they would be (most of these are covered by Essential8):
Multi-Factor Authentication – Implement MFA to increase the difficulty of an account being compromised, alternatively if you have the time, resources and funding then implement phishing resistant MFA.
Remove Legacy Solutions – If a business is using a system from 10 or 15 years ago and it’s no longer supported then it’s time to engage with your IT department or Managed Service Provider and start investigating a new product.
User Permissions – Check user permissions on file servers and see what a standard user can access. It’s likely that, as a business has grown, folder structures have been created and forgotten about.
Logging & Monitoring – Invest time in building an effective logging and monitoring system with tools that can detect malicious network traffic and attempts to leverage inbuilt Windows tools for malicious purposes.
Phishing Detection Technologies – Businesses should consider checking whether their current tools offer increased protection that isn’t configured currently, or look at solutions from major providers to help prevent email phishing.
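The file server permission check described in the User Permissions recommendation (and behind the over-permissive folder finding earlier in the interview) can be done from an administrator’s workstation with built-in PowerShell cmdlets. This is an added example, not a script from the interviewee or Secure State Consultants; the share path and the list of broad groups are placeholders to adjust for your own environment.

```powershell
# Added example: find folders under a share that any standard user can read or modify.
# Assumptions: $SharePath is a placeholder UNC path; $BroadPrincipals lists the groups
# that every ordinary domain account belongs to in a typical environment.
param(
    [string]$SharePath = '\\FILESERVER\Shared',   # placeholder, change to your share
    [int]$Depth = 2                               # how far below the share root to look
)

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)

# Specific rights: ReadData = data exposure; WriteData/Delete = tampering or ransomware staging.
$ReadBits  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$WriteBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete)

$findings = Get-ChildItem -LiteralPath $SharePath -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # skip folders we cannot read the ACL of
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            # Generic rights appear as high bits rather than the specific masks above:
            # GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000, GENERIC_READ = 0x80000000 (sign bit).
            $genericAll   = ($rights -band 0x10000000) -ne 0
            $genericWrite = ($rights -band 0x40000000) -ne 0
            $genericRead  = $rights -lt 0
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                CanRead   = (($rights -band $ReadBits) -ne 0) -or $genericAll -or $genericRead
                CanWrite  = (($rights -band $WriteBits) -ne 0) -or $genericAll -or $genericWrite
                Inherited = $ace.IsInherited   # $false means someone set this on the folder itself
            }
        }
    }

# Writable-by-everyone folders first: these are the ones a compromised standard account can abuse.
$findings | Sort-Object CanWrite, CanRead -Descending | Format-Table -AutoSize
"$(@($findings | Where-Object CanWrite).Count) broadly writable folder(s) found under $SharePath"
```

Entries with Inherited set to $false are the ones worth reviewing first, since they are explicit grants rather than permissions flowing down from the share root.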