Author: tim

  • Chained Attacks and How a Scan Can Leave You Vulnerable

    The results from your vulnerability scan showed only a couple of low or moderate level findings, but there is no denying that two experienced hackers now have domain admin rights; the freshly printed summary document on your desk spells out in excruciating detail how they traversed the darkest corners of your network and gained access to critical data.

    Fortunately for you, they’re Raxis team members, and you’ve paid them to do just that.

    The Chained Attack

    This scenario plays out frequently for Raxis customers who previously relied on companies that pass off vulnerability scans as faux penetration tests. It highlights why a scan, by itself, can give businesses a false sense of security about their cyber defenses. At their best, scans only point out individual links in what skilled and experienced hackers can turn into a chained attack – using one vulnerability to discover others, increasing or escalating network access with each move. In the case of parameter or business logic exposures, scans often remain blissfully unaware, failing to identify the exposures at all.


    We’ll use a real-life example from a recent Red Team engagement to illustrate just how this works. Keep in mind that the following recap is just one way to employ a chained attack. There are many others. In fact, it’s such a common technique that it’s part of the test ethical hackers take to earn the Offensive Security Certified Professional (OSCP) certification. (Read about Senior Penetration Tester Andrew Trexler’s experience with the OSCP exam.)

    The First Link

    Using a response poisoning attack, our testers achieved Man in the Middle (MitM) and relayed Server Message Block (SMB) handshakes to hosts with SMB signing disabled, which allowed them to execute local commands and extract local password hashes stored by the Security Account Manager (SAM). One of those hashes was associated with a local administrator account, and they used it to connect to a system on the internal network.

    Once inside, they exploited a known design flaw in Windows authentication and used this local administrator hash in a Pass-the-Hash (PtH) attack using CrackMapExec (CME). They didn’t even have to crack the hash and get a cleartext password. Just sending the hash was sufficient to allow access.

    Creating the Chain

    Using PtH, our ethical hackers enumerated users logged on to a system, determined valid usernames, and extracted their Kerberos ticket hashes. This time, they did have to crack the hashed ticket for an administrative service account they found. A weak password and robust cracking hardware made this possible within seconds.

    Having identified the cleartext password for that administrator account, they found that it was shared amongst numerous systems. They connected to other systems across the network and found a domain administrator logged into one of them. An attempt to access the Local Security Authority Subsystem Service (lsass.exe) process failed at first because the company’s security tooling blocked “procdump.exe,” the tool our testers were using to gather a memory dump of the process. However, a second attempt with Process Explorer was successful and allowed our team to download a memory dump of the “lsass.exe” process, giving them access to the runtime state of the service that performs Active Directory database lookups, authentication, and replication.

    Another tool, Mimikatz, enabled our testers to extract the contents of that file, including the reusable NTLM password hash of a Domain Administrator (DA). Again, using CME, they used the NTLM DA password hash to extract the contents of the entire Active Directory database. This is the database housing all Active Directory objects, including users and their password hashes for the entire domain (that often means every employee at a small company or every employee in a division of a large company).

    “Vulnerability scans are excellent point-in-time snapshots of potential problems. But it takes comprehensive penetration testing to demonstrate how easily a malicious hacker can link them together to create a chained attack.”

    Tim Semchenko

    Owning the Network

    Using this DA access, our team created a new backdoor domain administrator account in the Domain Admins group – ample proof for the customer that Raxis had in fact pwned their network.
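    A defender-side example added here (not Raxis code and not part of the original post): detection logic in Python over a few constructed Windows Security and Sysmon records, flagging each stage of the chain described above (RC4 service-ticket requests, access to lsass.exe, replication rights used by a non-DC account, a new Domain Admins member) and raising the severity when several stages appear together. Field names follow the Windows event schemas; the JSON-lines layout and the sample values are assumptions.

```python
import json
# Constructed sample records (not real logs), modelled on Windows Security/Sysmon fields, one JSON object per line.
SAMPLE_LOG = r'''
{"EventID":4769,"Computer":"DC01","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17"}
{"EventID":4769,"Computer":"DC01","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x12"}
{"EventID":10,"Computer":"FS02","User":"CORP\\svc_sql","SourceImage":"C:\\Tools\\procexp64.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe"}
{"EventID":4662,"Computer":"DC01","SubjectUserName":"dadmin","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4728,"Computer":"DC01","SubjectUserName":"dadmin","TargetUserName":"Domain Admins","MemberName":"CN=svc_backup2,CN=Users,DC=corp,DC=local"}
'''
# Extended rights a replication (DCSync-style) request exercises.
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All
STAGE_ORDER = ["kerberoast", "lsass_access", "dcsync", "da_group_add"]

def classify(ev):
    """Map one event to a stage of the chain, or None if it looks routine."""
    eid = ev.get("EventID")
    # RC4 (0x17) service ticket for a non-krbtgt SPN: crackable offline, which
    # is how the administrative service account above fell.
    if eid == 4769 and ev.get("TicketEncryptionType", "").lower() == "0x17" \
            and ev.get("ServiceName") != "krbtgt":
        return "kerberoast"
    # Sysmon process-access event targeting lsass.exe (procdump, procexp, ...).
    if eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return "lsass_access"
    # Replication rights used by something other than a DC computer account
    # (those end in "$"): the AD database is being pulled.
    if eid == 4662 and not ev.get("SubjectUserName", "").endswith("$") \
            and any(g in ev.get("Properties", "").lower() for g in REPL_GUIDS):
        return "dcsync"
    if eid == 4728 and ev.get("TargetUserName") == "Domain Admins":
        return "da_group_add"  # the backdoor account step
    return None

def analyze(log_text):
    """Return (hits, stages): (stage, computer, actor) tuples plus the ordered
    list of distinct chain stages seen across the whole log."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            actor = ev.get("SubjectUserName") or ev.get("User") or ev.get("TargetUserName")
            hits.append((stage, ev.get("Computer"), actor))
    return hits, [s for s in STAGE_ORDER if any(h[0] == s for h in hits)]

def chain_severity(stages):
    """One stage alone might be triaged as medium; two or more linked stages are the chained attack a scan never shows."""
    return "critical" if len(stages) >= 2 else ("medium" if stages else "none")
```

    Run against the constructed log, all four stages fire and the combined finding is rated critical, even though a scan would have reported each underlying weakness (RC4 tickets, missing SMB signing, shared local admin passwords) as low or moderate on its own.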

    What else could they have done? Anything they wanted, including staying on the system indefinitely or just logging in periodically to steal data or disrupt operations. Once a hacker has this type of access, it’s very difficult for a company to know if their access has been truly and completely removed.

    How is this possible? Because a serious security flaw – one that would not be revealed in full by a vulnerability scan – offered our skilled team members an entryway to take down an entire network had they been bad guys.

    The point is that vulnerability scans are excellent at providing a point-in-time snapshot of potential problems on your network. But it takes comprehensive penetration testing to find out just how serious those issues are and to demonstrate how easily a malicious hacker can link them together to create a chained attack.

  • Meet the Team: Tim Semchenko, Senior Manager, Operations and Customer Delivery

    I’m Tim Semchenko, senior manager of operations and customer delivery for Raxis. As part of our Meet the Team series, I agreed to do an interview with our marketing team. Below, you’ll see how I found my way to Raxis and why I like it so much here. If you’re interested in working with an outstanding group of folks, go visit our careers page or check out our YouTube channel to get an idea of what it’s like to work with us.

    Tim on the beach

    Jim: Tim, tell us about your role at Raxis.

    Tim: My title is senior manager of operations and customer delivery. That means my job really starts once a sale is made and the scope of work is established. My role is to make sure the customer has a great experience from the beginning of the engagement to the end.

    Jim: That sounds like a tall order. What all do you have to do in order to make sure the engagement is successful?

    Tim: So, my role is “soup to nuts” – making sure we have the right resources available, that we stay on schedule, that we deliver everything we said we would, and that the customers get what they’re expecting. I’m Raxis’ liaison, so, when issues come up, it’s my job to figure out how to adapt and adjust to make sure they get what they need.

    Jim: What’s your favorite part of the job?

    Tim: Honestly, I enjoy the challenges that come with managing a heavy workload. No two jobs are exactly the same, so there are sometimes complications that we can’t foresee going in. When that happens, it’s like triage – solving ‘unsolvable’ problems. Scheduling around the birth of a baby, for example. There are always fires to put out, but I love the fast pace, the people, and the conversations.

    Jim: How do you measure success? How do you know that your customer has had a great experience?

    Tim: I know because they tell us. My work doesn’t end when the penetration test is over. We go back and ask them how we did and what we can do better. As I said, I like the conversations and it’s incredibly rewarding to hear what they say about our team and the quality of our work.

    Jim: Is it fair to say you came into this role in an “indirect” fashion? You didn’t start out in tech, right?

    Tim: You could say it was very indirectly. I grew up south of Boston, in Quincy, MA, and was actually a religion major with minors in music and philosophy in college. Afterwards, I was a high school music teacher and football coach for a while, and even went back to school to get a master’s degree in special ed. I was taking classes during the day and tending bar at night, but a softball injury ended my bartending, so I started driving a cab.

    Tim belts out a song on stage with friends.

    Jim: So, you went from driving a cab to working in cybersecurity?

    Tim: Not quite. While I was driving the vice president of a large investment management firm one day, we started chatting and he told me his division was hiring. So, I took a job working in foreign exchange and from there got into project management with a different penetration testing company that does a lot of work with Raxis. I really liked the company and the people, so when the opportunity opened up last March, I joined the Raxis team.

    Jim: You’ve had a very diverse working career. What do you do for fun?

    Tim: I enjoy all sorts of outdoor activities with my wife and two kids. Going to the beach, kayaking, playing sports.

    Jim: You clearly have a lot of musical talent as well. Do you still perform?

    Tim: Yep. I’m not in a band, but I have several friends who are. So, they let me join in for sets on occasion. And, of course, I like karaoke as well.

    When you’re on stage, everyone’s eyes are on you and there’s a lot of pressure to perform well. To me that’s what makes it exciting. That same dynamic is one of the things I enjoy most about my job at Raxis.

  • Raxis’ Transporter Enables Remote Penetration Testing

    Adapt. That one word sums up what was, for most of us, the biggest challenge of 2020 and the COVID-19 crisis that came along with it.

    As the pandemic took hold, families, employers, and employees had to adapt to a new way of living. Children had to adapt to learning virtually. Parents had to adapt to working from home while caring for children and helping them with school. Pets had to adapt to everyone being home all the time. Companies had to adapt to remote work, Zoom meetings, and new ways to collaborate. 

    It was much easier for some than others. Raxis, for example, has been a remote-work company since its launch in 2011. For us, working from home was literally another day at the office. For many of our customers, however, it was a major disruption with lots of implications for security. The need for penetration testing was made more urgent by the dramatic shift to WFH. The question we faced was how to go about it in a way that was both safe for our team and effective for our customers.

    We did continue to travel when necessary, but the pandemic made it more difficult to get to our clients and more time-consuming to conduct our testing. Fortunately, we had another option, one that would allow us to complete internal and wireless network testing without the need for going onsite.

    We developed the Raxis Transporter device several years ago as a time- and cost-saving measure for our customers. With this secure network backdoor, which can be mailed to and installed easily by customers, we can conduct in-depth testing remotely. When the pandemic hit, the Transporter became a lifeline for customers who needed our services, even if they couldn’t host us at their physical locations.

    In the video above, I explain more about the Transporter, how we use it, and why it gives us another cost-effective option for delivering high-quality services to our clients.

    As you heard in the video, Raxis’ Transporter is a simple-to-install device that allows our elite team of professionals access to everything they need to perform a thorough penetration test. And that’s just one of the many practical innovations we bring to our work.

    All of us hope that the pandemic is on its way out, but remote work is here to stay. I’m proud to work with a company that remains way ahead of the curve for our team and for our customers. 

    If you are ready for Raxis to put your security to the test, contact us. We can discuss which type of test would best suit your company and your needs. 

  • Three Reasons Why a Penetration Test Won’t Break Your Network

    Myth: A penetration test breaks your network. 

    Reality: A penetration test helps you find vulnerabilities so someone else doesn’t break your network (and your customers’ confidence in you).

    This is actually a common concern we hear from potential customers. Many are worried that a pen test will damage their network by crashing a server, knocking their website offline, causing an eclipse, or maybe releasing a 5G kraken. 

    In the video above I explain how we work with our customers ahead of testing to make them feel at ease and to help them understand that our profession is hacking but that our business is protecting theirs.

    As I explained in the video, our pen testers aim to make as little noise as possible while they’re slinking around in your network. Our whole goal is to get in, and to not get detected or get blocked. Crashing and breaking things is the opposite of that. And we’re simply not going to perform the kind of attacks that cause actual damage.

    The only scary part of our penetration tests is when you realize what might have happened if a hacker had found your vulnerabilities before we did.

    Be sure to also check out this article from Bonnie Smyre: What to Expect When Expecting a (Raxis) Pen Test?

    If you are ready for Raxis’ elite team of professionals to put your security to the test (did we mention they have successfully breached some of the most sophisticated corporate networks in the US?), then reach out to us here.

    Also, if you liked this video, please be sure to subscribe to our YouTube channel for more videos that can help you improve your security posture.