At NetWorks Group, our ethical hackers have the privilege of helping clients across a variety of industries including financial, healthcare, manufacturing, hospitality, retail, and IT, just to name a few. As you can imagine, when you explore, navigate, and scrutinize so many different networks, you begin to see patterns — certain configurations, settings, policies, and topologies that indicate whether or not a network is going to be easily exploitable. With so much experience to draw from, it becomes second nature for our ethical hackers to identify those red flags of an insecure environment.
On many engagements, our ethical hackers know within the first hour how easily it will be to achieve domain administration, or full control, of a network.
However, there are two things you can do today, to reduce your attack surface and enhance your overall cybersecurity posture:
- Schedule an annual penetration test (you might as well call your doctor and schedule your annual physical while you’re at it... us IT folks need to stick around)
- Implement the five action items described below.
Before we jump into the list, we must emphasize how much we love/“hate” seeing these implemented on our client's networks. Of course, we love seeing them because it shows our clients are being proactive, have limited their overall attack surface, and are doing their due diligence to remain secure; on the flip side, seeing these implemented also means we’re very unlikely to take control over the entire network.
So, without further adieu, here are five ways to ace your next pentest:
- Enable SMB and LDAP signing: when you have SMB and LDAP signing enabled, it prevents an attacker from performing relay attacks. These attacks are used for lateral movement, pivots, persistence, unauthorized data access/exfiltration, and privilege escalation.
- Patching: seriously, just patch your domain controllers, servers, and workstations to the most current version possible. This prevents attackers from performing novel attacks like coerced authentication, noPAC, and zerologon.
- Set Machine Account Quota to 0 for everyone: we promise you that not all of your Active Directory users need the ability to add up to 10 machine accounts. This will either prevent entirely – or make it very difficult – for attackers to succeed in exploiting noPAC, some ADCS template misconfigurations, and a few others. This quota is easy to overlook so double-check that yours is set properly (i.e. to zero).
- Run Bloodhound: we often tell clients that once an attacker has run a Bloodhound ingestor in your environment, you’re now chasing the threat (instead of staying ahead of it). We also say that by this point, the attacker is sprinting towards the finish line and you’re watching from the grandstands. Learn how to use Bloodhound, collect your own data, and see what your environment looks like to an attacker. You’ll be amazed at what jumps out at you when your entire Active Directory (Azure, too) is fully visualized.
- Use 2FA and increase password length and complexity: Whatever you’re currently doing, it’s probably not enough. 8 character minimums, 12 character minimums, no; it’s not enough anymore. Within minutes, our ethical hacking team can stand up an 8xA100 GPU with so much horsepower that we’re regularly cracking 16-18 character NTLMv2 password hashes (our current record is 27 characters as of August 2022). Now we’re not saying go that crazy, but push your employees to use as long and complex of passwords as they’ll tolerate (i.e. NetWorks_Group@123_Main_Street, Suite_123, Ann_Arbor, MI_87654 ). Even though that’s a fairly memorable password, its length and complexity would make it nearly impossible to crack. Lastly, regardless of your success battling password requirement policies, implement two-factor authentication in as many places as humanly possible, both externally and within your environment (i.e. SSH and RDP).
If you have questions or comments about our cheat sheet above or would like to talk about your network with one of our ethical hackers, please reach out! We love to meet new and like-minded folks and we’re always delighted to talk cybersecurity!
###
Published By: Chris Neuwirth, Senior Penetration Tester, NetWorks Group
Published On: October 11, 2022