In today’s digital landscape, cybersecurity is often misunderstood as a set of restrictive measures that hinder technological progress and user experience. However, this perspective couldn’t be further from the truth. Cybersecurity, when implemented correctly, acts as a powerful enabler that empowers businesses and individuals to leverage technology safely and confidently.
Freedom to Innovate
Cybersecurity provides a secure foundation upon which innovation can flourish. By implementing robust security measures, organizations can explore new technologies and digital transformations without constantly worrying about potential threats. This freedom to innovate allows businesses to stay competitive and adapt to changing market demands.
A strong cybersecurity posture builds trust with customers, partners, and stakeholders. When users know their data is protected, they’re more likely to engage with digital services and share information. This increased trust can lead to better customer relationships, improved brand reputation, and ultimately, business growth.
Contrary to the belief that security measures slow down processes, well-implemented cybersecurity actually streamlines operations. By preventing breaches and downtime, businesses can maintain continuity and focus on core activities rather than dealing with the aftermath of cyber incidents.
Raxis Penetration Testing: A Key Enabler
Raxis, a leader in cybersecurity services, offers penetration testing that exemplifies how security measures can enable rather than restrict. Here are three ways Raxis penetration testing proves beneficial:
Uncovering Hidden Risks: Raxis penetration testing identifies vulnerabilities that might otherwise go unnoticed. By simulating real-world attacks, businesses can proactively address weaknesses before they can be exploited, enabling them to use technology more confidently.
Strengthening Security Posture: Through comprehensive testing, Raxis helps organizations strengthen their overall security stance. This improved posture allows businesses to adopt new technologies and expand their digital footprint without compromising on security.
Demonstrating Value: Raxis’ approach includes data exfiltration demonstrations, which clearly show the potential impact of security gaps. This tangible evidence helps justify cybersecurity investments and enables businesses to allocate resources effectively for maximum protection.
Embracing Cybersecurity as an Enabler
To truly harness the enabling power of cybersecurity, organizations need to shift their mindset. Instead of viewing it as a necessary evil or a set of restrictions, cybersecurity should be seen as a strategic asset that facilitates growth, innovation, and trust.
By partnering with experts like Raxis for penetration testing and other cybersecurity services, businesses can create a secure environment that empowers users and drives technological advancement. This proactive approach not only protects against threats but also opens up new opportunities for digital transformation and business success.
In conclusion, cybersecurity, when implemented effectively, is not about limiting what people can do with technology. It’s about creating a safe space where individuals and organizations can push boundaries, explore new possibilities, and thrive in the digital age. By embracing cybersecurity as an enabler, we can unlock the full potential of technology while keeping our digital assets and identities secure.
As the head of project management at Raxis, I have been a part of many customer debriefing calls. Generally, these calls just entail the penetration tester discussing the findings in the report and answering questions, such as which findings to prioritize for remediation or the best options for correcting them.
In some cases, though, there is no way to fix the finding, at least in the near term. Organizations that are looking to correct all findings in order to provide the most secure environment for their customers and to meet compliance requirements look to our team for advice.
In this blog, I’ll discuss the options of accepting risks or using compensating controls to limit the risks as much as possible until a larger solution can be implemented.
ACCEPTING RISKS
When dealing with penetration test findings, organizations sometimes have to accept certain risks instead of fixing them immediately. The decision is often part of a broader risk strategy that may mean fixing the issues is not feasible, at least in the short term.
Resource constraints include financial limitations, such as when the cost of fixing the vulnerability outweighs the potential impact of an exploit. Time constraints also come into play when fixing the vulnerability might delay critical projects or updates.
In these cases, we often recommend that the organization thoroughly discuss, and, if appropriate, accept the risk. The risk is still there, but the proper stakeholders within the company will understand the risks involved and document acceptance of the risk.
When deciding to accept penetration test risks, organizations should follow a formal risk acceptance process:
Thoroughly document the vulnerability and associated risk
Perform a detailed impact analysis, including input from several departments when necessary
Identify and implement compensating controls
Get sign-off from appropriate stakeholders, such as a CISO or CIO
Set a timeline to re-evaluate the risk
Monitor the risk closely
COMPENSATING CONTROLS
Compensating controls include measures that are worth having in place at any time, since they also limit the impact of newly discovered vulnerabilities or other issues. Examples of compensating controls include:
Encrypting sensitive data at rest and in transit
Implementing strong access controls such as least privilege, and multi-factor authentication
Enhancing monitoring and alerting for the affected systems to allow for rapid detection and response if the vulnerability is exploited
Network segmentation to contain the spread of an attack
Keeping systems as up-to-date as possible with available patches
LOWERING FINDING RISKS WITH MITIGATION
Often vulnerabilities that cannot be fixed involve legacy software that no longer receives updates from the vendor but is necessary to business operations. In these cases, until the legacy systems can be replaced, organizations can decrease risk by segmenting the system to an entirely separate area of the internal network. This way, if a compromise occurs, the rest of the network is protected.
While this does not remove the risk from the penetration test, we’re able to lower the risk of the finding if our customer lets us know and gives us access to test that the segmentation is correctly in place.
Another case we often see involves custom web or mobile applications and APIs. Updates to codebases may be a major effort that requires planning and waiting for resources to become available to make the changes. In other cases, custom code relies on vendor APIs, and changes must wait for vendor API updates.
Each of these cases is unique, but there may be opportunities to limit access to the at-risk functionality or to put in place strong compensating controls.
CONCLUSION
We understand that many factors come into play when working to keep your company and customers as secure as possible. Options are available to allow organizations to stay as secure as possible while working towards a more permanent solution.
You saw us last with Nathan Anderson’s awesome MSFvenom tutorial. Moving on from there, I’m going back to network discovery tools that I find useful in my penetration tests. In this post, I’ll introduce masscan.
The Basics
Adam has blogged about using Nmap for discovery. Another tool for finding open ports is masscan. Masscan doesn’t give as much info as Nmap but can be great when scanning large networks or just looking for open ports, as it can go much faster. Masscan also comes with Kali, and you can read their write-up here.
I normally use masscan when given a large target list. Masscan does need to be run as root, so make sure to switch to the root user or use sudo. My normal use of masscan looks something like this:
masscan --top-ports 1000 -iL targets --rate 500
Basically, this command takes the top 1000 TCP ports and scans all the targets from the host file. The target file can be a list of networks, one per line. If you’re scanning just one network, you can also omit -iL and simply pass that network on the command line.
Useful Tips
I will show a few examples using my little local network, so it is not too exciting, but it gives a good look at how to use the tool.
By examining the saved config file, we can see the top 1000 ports it scans:
There are times when I want to save the output of a masscan to a file for more processing. There are a few different formats that masscan provides: binary, XML, grepable, JSON, and list. The flags are -oB, -oX, -oG, -oJ, -oL respectively. When using the flag you just pass the filename and masscan will output in that format to the file. I normally use the list format (-oL).
If, for some reason, you need to stop an ongoing scan, you can press Control + C, and masscan will pause. It will then write a config file called paused.conf, wait for 10 seconds, and then close. You can then resume the scan with --resume.
You can also modify the paused.conf file to change settings. For example, I changed the scan rate here and started the scan back up. Notice it’s now scanning at 250 packets per second instead of the original 500.
You can also write config files and have masscan run those by designating them with the -c argument, but I don’t normally do that.
You can specify which ports to scan with -p. If I’m not scanning just the top 1000 ports, then I normally scan all of them using -p 1-65535. But, if you want to know where all the https services on port 443 are or the Kerberos services on port 88 are, you can specify just those ports with -p.
Here’s an example where I’m looking for all services on ports 20-23, 443, and 80. I’m also saving these to a list:
Here you can see the output of the list:
I normally just end up grabbing the host and port with Awk. To get a list of host:port pairs, you can use the following:
awk -F" " '{print $4":"$3}' < me.out
Maybe we will take a look at Awk and Vi at some point in a future Cool Tools post, but this gives you an idea of how useful they are.
There will be extraneous lines in the beginning and end, but those are easily removed.
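As an added example (not from the post), this shell snippet does the same host:port extraction over a constructed sample of masscan's -oL output, skipping the header and footer comment lines the awk one-liner leaves behind and de-duplicating the result; the sample records and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the post): turn masscan list output (-oL) into a
# clean, de-duplicated host:port list, dropping the "#masscan" header and
# "# end" footer lines.

# Constructed sample of what masscan -oL writes: one record per open port,
# "open <proto> <port> <ip> <timestamp>", wrapped in comment lines.
# The duplicate 443 record mimics a retransmitted SYN-ACK being reported twice.
SAMPLE_LIST='#masscan
open tcp 443 192.168.1.1 1718000001
open tcp 80 192.168.1.1 1718000002
open tcp 22 192.168.1.151 1718000003
open tcp 443 192.168.1.1 1718000004
open udp 53 192.168.1.1 1718000005
# end'

# Read list output on stdin and print host:port for every "open" record,
# one per line, sorted by host and then numerically by port, duplicates
# removed. Comment lines and anything that is not an "open" record are skipped.
masscan_hostports() {
    awk '$1 == "open" && NF >= 4 { print $4 ":" $3 }' | sort -t: -k1,1 -k2,2n -u
}

# Same, restricted to one protocol: masscan_hostports_proto tcp|udp
masscan_hostports_proto() {
    awk -v p="$1" '$1 == "open" && $2 == p { print $4 ":" $3 }' | sort -t: -k1,1 -k2,2n -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | masscan_hostports
```

With real output, replace the sample with `masscan_hostports < me.out`.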
There is also a way to exclude hosts and networks from a scan. Say I don’t want to scan 192.168.1.151. I can either use the --exclude flag, or, if I have a list, use the --excludefile flag.
Here we do the same scan as before, but this time I pass an exclude file with 192.168.1.151 in it, and we can see that IP doesn’t show up in the results.
You can scan UDP services as well with -pU. Here I’m scanning for just 53 as an example, but listing ports works just the same as with TCP.
Conclusion
Masscan can do much more than what I describe above, but this is a good primer. I hope you’ve enjoyed this look at masscan. Please check back for the next post in the Cool Tools series!
I’m Jason Taylor, lead penetration tester at Raxis. I’m bringing my love of learning and my enthusiasm for enabling companies to improve their security posture to the team. If you team with Raxis for a penetration test, social engineering engagement, or a red team, we might get to work together!
Bonnie: You’re our first penetration tester in Kansas, and I know you’re a big part of building the cybersecurity community there.
Jason: I grew up in Fort Worth, TX but have been in Wichita, KS since 2006. While I have gotten used to small city living, I do still regularly drive up to Kansas City to visit Ikea or take occasional trips down to Texas for conferences or events.
I enjoy driving and will always drive if it’s an option. I’m on the tall side and don’t fit well in airplanes; I would happily drive for 11 hours instead of spending 2 hours in a plane.
Bonnie: As our vertically challenged team member, I don’t have that problem, but I can see why you feel that way. And you’ve had reasons to travel with family around the country, right?
Jason: Yes, I served a brief stint as a security guard at a casino in California for a year while visiting my grandmother before she passed. We then moved as a family out to Wichita where my mom’s sister was located.
Bonnie: And I know your family has been proud of all you’ve accomplished through the years.
Jason: I was the first person in my immediate family to go to college and got a degree in information security.
I worked through college building aircraft blower motors used in the ventilation system of planes. So, the next time a little cone blows semi-cool air onto your face, you might be able to thank me for that.
Bonnie: You actually started your IT path even before you graduated from college, right?
Jason: Shortly before graduating college, I got a job as a part time network administrator at a law firm. Since our department was only made up of two people, I was exposed to everything from ISP routers and Wi-Fi setup to installing software before deploying a new PC.
When I learned about Windows PowerShell, I dedicated time to learning it. I automated our new PC deployments and software installs. I automated every task that I could. I was then able to spend more time applying what I had learned to improve our security and workflows.
Bonnie: I see you caught on to what makes so many developers love the work… do it well, and you make things easier for everyone. And then you make the time to make other improvements!
Jason: Yes! I secured our exposed ethernet ports by putting them on a guest LAN; I secured our Wi-Fi by separating the guest and corporate WLAN, and I started adding detection software like Kismet to detect rogue access points.
I moved on to get a system administrator role in a bank, where I continued to bring automation and a focus on security to my job functions. I eventually moved into an information security analyst role at the bank and became a security engineer.
Bonnie: That’s a great path into cybersecurity. You taught yourself to build the tech and then moved on to protecting it. Tell me more about how you ended up moving into penetration testing.
Jason: I discovered HackTheBox and TryHackMe, two CTF/hacking learning platforms. I thoroughly enjoyed them and was having a lot of fun learning about exploits, vulnerabilities, etc. I especially loved the practical aspect of performing these attacks in a lab environment to learn more about them.
Initially my goal was to learn how attacks happen in order to strengthen my defensive skills, since I was working as a system administrator and my job was to build and maintain secure environments. I quickly started loving hacking more than I did learning about cloud infrastructure management and group policy migrations.
Around this time, I started noticing a lot of breaches were occurring all around the country. I received breach notifications from sources I follow every few months. That made me even more interested in delving into security.
Bonnie: But you didn’t stop there. You’ve earned a lot of security certifications as well, right?
Jason: In 2020 I made the commitment to myself that I was going to switch gears, and, instead of protecting my one little company, I wanted to help more than just one employer. My strong desire for efficiency kicked in, and I wanted a bigger impact for my efforts.
I studied for and obtained the Security+, then moved on to OSCP, more CompTIA certs, and eventually the PJPT and PNPT. Work paid for me to obtain my GCIH, which was a very fun cert.
Since I had been a system administrator for 10 years in the financial industry, I am very used to receiving annual penetration tests… and of being the guy that needs to resolve the issues found.
I had a lot of opinions about what pentesters provided and how they could have better presented information to help me, as a defender, to replicate and resolve their identified issues. This led me into loving the task of writing pentest reports.
Bonnie: Well, that is new! I don’t know any penetration testers who would volunteer for more reporting!
Jason: You found one! My favorite part of the OSCP, PJPT, and PNPT were the need to write an actual, functional penetration test report on my findings. I have since learned that I am a bit in the minority in that. I think it stems from my past as a system administrator and needing factual, actionable and reproducible information.
Bonnie: So, what do you like to do to unwind & have fun?
Jason: I have recently gotten really into small electronics. Like most people, I have a couple of Raspberry Pis sitting in a drawer doing nothing but collecting dust. In 2023 I volunteered for a local security conference (OzSecurity in Wichita), and one of my tasks was to assist with the electronic badges that we hired a company to build for us.
I had a lot of fun learning to program them to blink and even built a small text-based game inside of the badge. For 2024 we needed to build the badges ourselves, and I spent a few months learning PCB design and went through the whole process of knowing nothing to building a fully functional PCB badge with LEDs, Bluetooth, and Wi-Fi capabilities. This time I built an almost full featured text-based RPG in the badge for conference goers to enjoy.
Bonnie: Awesome! We show a photo of that badge you designed in your OzSec 2024 post last month for anyone interested.
Jason: I also recently got a 3D printer and have enjoyed the hobby of using it to print all sorts of things… especially printing toys for my two kids. They love it when I print ducks, keys, and other little knick-knacks. It’s also cheaper than commercial toys, if we ignore the $600 I spent on the printer….
Bonnie: That $600 is just the investment, and investing is good, right?!
Jason: Exactly! I love to learn new things. I have a fair number of certifications and plan to continue getting more. If I ever have a spare moment, I can usually be found watching some random educational/science YouTuber, learning about everything from how apples are harvested to how traffic lights work. I also have a fascination with vehicle recovery services, and shed moving/repo videos…
Bonnie: You love to learn, is what I’m hearing.
Jason: I also love helping others and teaching what I know. As a system admin at the bank, I would often run the Backdoors & Breaches Incident Response card games with both the security and system admin teams. I loved building realistic scenarios, and, with every single game, we came away with some weakness or gap identified that we could add to our list of things to improve upon.
Bonnie: I love that! And now we are excited to have you on the Raxis team where you can share your knowledge and help our customers build and improve their cybersecurity systems as well.
One interesting trend emerging among developers, which could impact the methodologies required when attempting to crack a hash, is Have I Been Pwned’s database of leaked credentials and the corresponding API that has made it easier than ever for developers to check for leaked credentials while users sign up.
An example of this can be seen with Supabase, a leading open-source alternative to Firebase. Supabase incorporates a check for leaked credentials by default, automatically opted-in, with no additional plugins or developer time needed. A simple toggle in an administrative interface allows developers to automatically check each of their clients’ credentials against leaked passwords and prevents clients from using known leaked credentials.
As more developers incorporate either this API or a similar one, it could eventually discourage password reuse, reducing the effectiveness of several wordlists. Traditional attacks should still work, even if the majority of organizations adopt these methods, because many people will just modify their original password slightly, making rule and mask attacks even more important for catching minor variations of the same original password. It will also make tools that are used to make supplemental lists even more important.
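To show what such a signup-time check does under the hood, here is an added example (not from the post, and not Supabase's or Have I Been Pwned's code) of the k-anonymity lookup the Pwned Passwords API is built on. The range response is constructed inline so the script runs offline; the counts and the two non-matching suffixes are made up, and a real client would fetch the range for the password's own prefix from the API.

```shell
#!/bin/sh
# Added example (not from the post): the k-anonymity range lookup behind the
# Have I Been Pwned Pwned Passwords API, used as a signup-time leaked-password
# check. Only the first 5 hex characters of the password's SHA-1 leave the
# client; the remaining 35 are compared locally against the returned range,
# so the service never learns the password or which hash was being checked.

# SHA-1 of the password as 40 uppercase hex characters (the API's format).
sha1_upper() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1
    fi | cut -c1-40 | tr 'a-f' 'A-F'
}

# The only value sent on the wire: the first 5 characters of the hash.
hibp_prefix() {
    sha1_upper "$1" | cut -c1-5
}

# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real bodies hold hundreds of "SUFFIX:COUNT" lines terminated by CRLF; the
# first and last suffixes here are made up and the counts are not real data.
SAMPLE_RANGE='0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
011053FD0102E94D6AE2F8B83D76FAF94F6:1'

# Given a password and the range body returned for its prefix, print how many
# times the password appeared in known breaches (0 if its suffix is absent).
pwned_count() {
    suffix=$(sha1_upper "$1" | cut -c6-40)
    printf '%s\n' "$2" | tr -d '\r' |
        awk -F: -v s="$suffix" '$1 == s { print $2; found = 1 } END { if (!found) print 0 }'
}

# Signup-time policy: reject a password that has been seen in any breach.
# Returns 0 (accept) or 1 (reject) so callers can use it directly in an if.
password_allowed() {
    [ "$(pwned_count "$1" "$2")" -eq 0 ]
}

# Stand-alone demonstration. The second password stands in for one whose
# range contains no matching suffix (empty constructed body).
if password_allowed password "$SAMPLE_RANGE"; then
    echo "prefix $(hibp_prefix password): accepted"
else
    echo "prefix $(hibp_prefix password): seen $(pwned_count password "$SAMPLE_RANGE") times, rejected"
fi
if password_allowed 'correct horse battery staple' ""; then
    echo "prefix $(hibp_prefix 'correct horse battery staple'): not in range, accepted"
fi
```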
Supplementing wordlists using tools like CeWL, crunch, or CUPP, is a key part of every penetration tester’s repertoire. This category is where one of my favorite new tools for password dictionary attacks appeared just two years ago.
Psudohash is great for those times when you want to create tons of permutations of something common, such as the business name or the product name that you are testing. It will create hundreds of millions or even billions of permutations of the same word.
Basic Psudohash Usage
The command below shows some of the options available, where -cpb and -cpa add common paddings before and after the word. By default, this list of common paddings contains 108 entries such as !!! or 123 that the tool adds to either side of the word when given the -cpb or -cpa argument. It can be modified to include whatever common paddings one chooses.
One thing to keep an eye on while using this tool is the size of the operation you are performing. I simply added years and common paddings (-y 2010-2030 -cpb -cpa), and, as a result, the output will take over 50,000 MB. This can produce output that challenges even the most contemporary password cracking rig, especially if additional permutations are applied while cracking.
Of course, there are numerous options available, and transformations can be as simple as character transformations such as a = @. Here I pass the tool multiple words to transform:
However, it is only good at creating permutations of words you pass to it. This makes it a great supplemental tool for your cracking efforts, but it should remain supplemental. I personally always pass company and product names to this when I have a hash that I am trying to crack for a penetration test.
./psudohash.py -w Microsoft --common-paddings-after -y 2020-2023
Up Next
This tool has helped me establish some major wins. In my next posts in this series, I will share how this tool has inadvertently helped me, not only to stay ahead of changes like this with Supabase, but also to identify biases in some of our datasets. I will provide an example of how this tool can not only fill in the gaps but also illustrate common gaps that many security professionals make when cracking passwords.
I’m excited for the new launch of Raxis Attack. We’ve already seen traditional penetration test clients transition to Attack and leverage its advantages for on-going penetration testing and communication with the Raxis team.
The new Raxis Attack offering takes a brand new approach to penetration testing. Instead of a point in time assessment, Raxis Attack is more like having a fractional penetration testing team available to you all year long. Not just one engineer – but literally an entire team – all at your fingertips.
Attack gives our customers the ability to request unlimited penetration testing all year long. It’s the best “phone a friend” option for offensive security assessment on the market.
Our built-in ongoing threat management systems provide you with updated findings. See a finding in your system that gives you pause – send it to the Raxis team for penetration testing and reporting. Made changes to your environment? Ask the team at Raxis to assess the entire environment or just the changes. Concerned about something in your network? Live chat with our engineers or schedule a video call to discuss it.
On top of that, the Raxis team is your team. If we see something that concerns us, we’ll investigate and report. Our activities and findings are constantly tracked through the Raxis One portal. The interactive portal puts you in control of your environment with expert advice at your fingertips. Need that traditional PDF report for compliance reporting? Request one at any time in the portal and our team will assemble it and have it ready to go (usually within 2 business days).
Raxis Attack puts an entire Raxis team at your disposal often for less than the cost of performing two full penetration tests a year. Even if you’re considering hiring a full-time employee to test your environment, Attack gives you the full Raxis team at a fraction of the cost of one salary.
Whether you’re outsourcing all your assessment needs to Raxis Attack or using us to supplement your existing team, the collaboration and professional assessments that Raxis is already known for are a great addition to your existing solutions.
With the threat landscape always changing, the way you assess risk should evolve as well. Want to take it for a test drive? Reach out with our contact page, and our team will be happy to schedule a demo and let you decide if Raxis Attack is right for you.
Hopefully you enjoyed Adam Fernandez’s recent Cool Tools post, Nmap For Penetration Tests. In this next post in the series, I’d like to introduce another great penetration testing tool: Nuclei.
Nuclei is an outstanding enumeration tool that performs a myriad of checks against the systems and services it discovers. It does particularly well against web applications. It also tests for known vulnerabilities, can pull versioning information from systems, and can try default credentials.
Installing Nuclei
You can use apt to easily install it on Kali Linux:
apt install nuclei
Templates
Nuclei uses saved templates to perform tests against systems. This lets users create new templates as new discoveries are made. You can also generate custom templates for tasks you often use or things you discover yourself.
There are a lot of different options when using the tool, but generally, when I’m using it for external network and web application tests, I just pass a target or a list of targets to the program.
To get a full list of options, all you need to do is this command:
nuclei --help
To scan a single device, simply use:
nuclei -u {Target}
Here is an example from a recent penetration test. There was only one target, so I simply passed that target to Nuclei:
You can see that Nuclei examined the responses from the web server and found that security-related headers were missing.
Here is an example using Nuclei against a list of targets. I put the targets for the engagement into a file called targets & ran the following command:
nuclei -list {File}
Real-World Nuclei Discoveries
Here are some examples of useful things Nuclei has found for me during various penetration tests.
Here Nuclei found a Solr panel, revealed the version running, and shared it in a human-readable format easy for me to use as a pentester:
Here Nuclei did some testing against a host on an internal network and successfully performed a Log4j exploit. It then reported the success with a critical flag as this could lead to remote code execution (RCE):
I’ve also found Nuclei’s ability to try default passwords to come in handy when testing.
As an example, I use a self-hosted Git instance and changed the root account’s password to one that Nuclei uses. You can see how Nuclei successfully logged into GitLab and notified me:
Thanks for Reading
There’s a lot more to Nuclei, but this is a good start. Thanks for taking a look at this post, and I hope you’ll take a look at the next post in the Cool Tools series as well.
I’m Cole Stafford, a Sales Development Representative at Raxis. I help with customer relations, building the contracts, and making sure everything gets out in a timely order. I’m proud to be a part of the Raxis team and share a few of the reasons why below.
At Raxis, we redefine the penetration test experience by prioritizing customer satisfaction and simplifying the entire process. As a leading name in cybersecurity assessments, we understand that the concept of penetration testing can be daunting. We’ve crafted our approach, not only to uncover vulnerabilities effectively, but also to ensure our clients feel supported and valued every step of the way.
Customer-Centric Approach
Our philosophy revolves around building strong client relationships. Raxis believes that commitment to low-pressure sales and prompt responsiveness is key to customer satisfaction. We pride ourselves on quick response times.
We endeavor to respond to all client inquiries promptly during business hours, demonstrating our commitment to excellence in supporting our customers when it matters. Choosing Raxis means partnering with a team dedicated to making your cybersecurity journey smooth and stress-free.
Personalized Service
Unlike cookie-cutter approaches, Raxis tailors each penetration test to meet the unique needs of our clients. We listen attentively to your requirements and recommend solutions that best fit your specific situation. This personalized approach ensures you receive targeted insights and actionable recommendations.
Friendly Expertise
While penetration testing can appear complex, our team at Raxis is known for its approachable demeanor and deep expertise. Our senior penetration testers, each with years of experience in both cybersecurity and IT, ensure assessments are conducted with precision and professionalism. We prioritize clear communication and make technical details understandable for all stakeholders.
Beyond assessments, we see ourselves as educators in cybersecurity. We guide clients through the process, simplifying technical language and delivering comprehensive reports that outline risks and provide steps for improvement.
Our aim is not only to identify vulnerabilities, but also to empower you with the knowledge to enhance your security. It’s not your job to know the ins and outs of cybersecurity on your own. We aim to be an easy button for our customers so that they know their risks and are empowered to close those gaps.
Why Raxis?
Raxis blends high-level technical acumen with a friendly, accessible approach that sets us apart. From initial contact to post-assessment support, we strive to be your go-to partner — making cybersecurity effective, straightforward, and enjoyable.
Conclusion
At Raxis, we are more than a cybersecurity firm; we’re your partner in safeguarding what matters most to your business. Discover the difference of working with a team that values your satisfaction and aims to exceed your expectations at every turn.
For a penetration testing experience that’s as friendly as it is effective, choose Raxis. Contact us today to secure your digital infrastructure with confidence and ease.
In Scottie’s recent Cool Tools blog about discovery tools, he, like many network penetration testers, starts with Nmap. Nmap is a great discovery tool with many flags and scripts. In this post, I will expand upon Scottie’s ideas and delve more deeply into what Nmap has to offer, specifically for network penetration testing.
Hosts Marked as Down When They Are Up
If you find you have problems with Nmap flagging hosts as down, even though they should be up, I would recommend adding these flags to your command:
-PS – SYN ping scan. You can optionally add a port number after this.
-PA – ACK ping scan. You can optionally add a port number after this.
-PE – Typical ICMP ping echo request, typically blocked by firewalls.
-PP – ICMP timestamp ping query, which can sometimes get around misconfigured firewalls.
-PM – ICMP subnet mask ping query, also good for evading misconfigured firewalls.
-PO – This issues an IP protocol ping, which seems to work a lot of times when other probes don’t.
Putting that all together, my typical scans are now starting to look like this:
-oA [output] – Output in all file formats simultaneously.
-sSUV – Combo of -sS (TCP SYN scan), -sU (UDP scan), and -sV (service version scanning).
--unique – Scan each IP only once (e.g. if raxis.com resolves to 1.1.1.1, and both are targets, only scan 1.1.1.1 once).
--resolve-all – If a DNS name resolves to multiple IPs, scan each IP.
-T4 – Go a bit faster than default, recommended for modern networks (unless you’re trying to be quiet).
-O – Try to determine operating system.
-p T:-,U:53,161 – Scan all TCP ports as well as UDP ports 53 (DNS) and 161 (SNMP).
-vv – Be very verbose in output.
-iL [targets] – Use the targets in the specified file.
Additionally, when using -oA, if your scan gets interrupted, you can resume it where it left off by pointing --resume at the .nmap (or .gnmap) file that -oA wrote:
nmap --resume [output].nmap
The Nmap Scripting Engine
The Nmap Scripting Engine (NSE) provides 604 scripts and 139 libraries at the time I’m writing this. That number grows each year, so, needless to say, this is a very useful tool for penetration testers or for blue teams checking out possible vulnerabilities in their systems. I’ll discuss some useful NSE scripts here, and I encourage you to take a look to see if there are others that would be helpful for your needs.
Shodan
Queries the Shodan API for the targets. Follow the instructions on the NSE site to set up a Shodan API key.
Before starting any penetration test, you must know the scope of the work. Depending on the type of assessment, this could be specific hosts or full ranges of IP addresses with live hosts scattered throughout. If the scope is the latter, then it is a good idea to initially identify which hosts are live and then discover common, known vulnerabilities on the hosts. This will narrow down the attack surface and potential attack vectors to help establish a list of priority targets during the assessment.
There are several tools that I like to use when I start a new assessment. Some are free open-source tools, while others are commercial.
Open-Source Tools
Nmap
The first tool I always use is Nmap. Nmap is an open-source tool that can identify live hosts and services by conducting protocol enumeration across systems. It can also be used for specific configuration checks or even as a vulnerability scanner by using the Nmap Scripting Engine (NSE).
Even when I use Nmap with vulnerability scanners, I still regularly utilize Nmap scripts. Nmap comes pre-installed with Kali Linux but can easily be installed on any Linux or Windows system. Using Nmap for the first time can be intimidating, but after using it for a bit, users often find it very easy and reliable. I usually run the initial scans by ignoring ICMP checks (ping) and just assuming that all hosts are live. I do this because some network admins like to disable ICMP on live hosts as a security measure (good on ’em!).
nmap -v -A --open -Pn -iL targets.txt -oA nmap_scan
Note: -Pn skips the host discovery (ICMP ping) check, so every target is treated as live.
If the scope is extremely large and the Nmap scans won’t complete in the time allowed, I enable the ICMP check by removing the “-Pn”:
nmap -v -A --open -iL targets.txt -oA nmap_scan
Below is a screenshot of a typical initial scan I perform on network assessments (internal & external):
The commands above are easy to learn once you use them a few times, and I’ll cover what is going on here.
First, I like to use the “-v” which enables verbose outputs.
The “-A” enables OS and version detection, as well as script scanning and traceroute output.
“-Pn” disables ICMP ping for host discovery, causing the scan to assume that all hosts are live.
Next, we have the IP range, in this instance a standard /24 internal network. If I have specific hosts or multiple ranges to target, I will create a text file and use the “-iL” switch to point to the text file.
Lastly, I like to output the results to all supported formats by setting “-oA.” The reason I do this is because I like to ensure I have the different file types for future use. For example, the .nmap output is easy to read when I want to scan through the output. I typically use the XML output for importing into Metasploit or when using Eyewitness to enumerate web hosts.
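Both posts above save results with -oA so the .xml file can be fed to other tools. As an added example (not Raxis code), here is a small parser that turns that XML into the live-host list and exposed-service inventory the text describes, so you can review what a scan found without opening Metasploit. SAMPLE_XML is constructed to resemble a short "nmap -v -A -Pn" run against assumed lab addresses; a real file carries many more attributes, which the parser ignores.

```python
"""Turn Nmap XML output (-oX, or the .xml file that -oA writes) into a host
and service inventory.

Added example, not Raxis code. SAMPLE_XML is constructed (assumed lab
addresses 10.0.0.5-7). Nmap XML from your own scan is trusted input, so the
standard-library parser is used here."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two live hosts and one host that did not respond.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -A -Pn -iL targets.txt -oA nmap_scan">
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/></host>
  <host><status state="up" reason="user-set"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset"/>
        <service name="ms-wbt-server"/></port>
    </ports></host>
</nmaprun>
"""

# The states that Nmap's --open keeps: definitely open, or possibly open (UDP).
OPEN_STATES = ("open", "open|filtered")


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, first hostname, up flag, ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        hostname = h.find("hostnames/hostname")
        ports = []
        for p in h.iter("port"):
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": p.find("state").get("state"),
                # -sV / -A fill in <service>; fall back when it is absent
                "service": svc.get("name") if svc is not None else "unknown",
            })
        hosts.append({
            "addr": h.find("address").get("addr"),
            "hostname": hostname.get("name") if hostname is not None else None,
            "up": h.find("status").get("state") == "up",
            "ports": ports,
        })
    return hosts


def live_hosts(hosts):
    """Addresses Nmap marked as up (with -Pn that is every target)."""
    return [h["addr"] for h in hosts if h["up"]]


def open_ports(host):
    """(proto, port) pairs in an open state, like --open would show."""
    return [(p["proto"], p["port"]) for p in host["ports"]
            if p["state"] in OPEN_STATES]


def service_inventory(hosts):
    """Map service name -> sorted 'addr:port/proto' across all live hosts, so
    exposed services (SMB, SNMP, RDP, ...) can be reviewed per network."""
    inventory = defaultdict(list)
    for h in hosts:
        if not h["up"]:
            continue
        for p in h["ports"]:
            if p["state"] in OPEN_STATES:
                inventory[p["service"]].append(
                    f"{h['addr']}:{p['port']}/{p['proto']}")
    return {name: sorted(where) for name, where in inventory.items()}


if __name__ == "__main__":
    # Usage: replace SAMPLE_XML with open("nmap_scan.xml").read()
    scanned = parse_nmap_xml(SAMPLE_XML)
    print("live:", live_hosts(scanned))
    for service, where in sorted(service_inventory(scanned).items()):
        print(f"{service:15} {', '.join(where)}")
```

The inventory is keyed by service rather than by host because that is the view the Nessus paragraph below praises (sorting one finding across all hosts): one line answers "where is SNMP exposed on this network" for the whole scope.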
There are quite a few good cheat sheets out there too if you let the Googles do the work for you. If not, follow this series for more Nmap tips and tricks in the future.
Masscan
Another tool similar to Nmap is Masscan. Masscan is a TCP port scanner that scans faster than Nmap. Unlike Nmap, Masscan requires you to define the ports you want to scan. I typically don’t use Masscan and just stick with Nmap, but it’s a good option if you want to quickly look for specific open ports on a network.
OpenVAS
Another tool I use on occasion is OpenVAS (a.k.a. Greenbone), a vulnerability scanner. Greenbone offers a commercial version, but there is an open-source version available as well. I’ve used this many times when I am unable to access my usual vulnerability scanners. One downside to the tool is that it can be difficult to install. I recently followed the instructions for installing with Kali and ran into quite a few issues with the install. I’ve also noticed that the initial setup can take some time due to the signatures that are downloaded. If purchasing a commercial vulnerability scanner is too expensive, then Greenbone is definitely worth looking into, despite its challenges.
Commercial Tools
Nessus
By far, my favorite vulnerability scanner is Tenable’s Nessus. There is a free version available, but it’s limited to 16 IP addresses. If you are doing a lot of vulnerability scanning or time-boxed penetration tests, then it might be worth looking into purchasing this.
The thing I like most about Nessus is how I can sort by vulnerabilities across all hosts in a given scan. I can also sort these vulnerabilities by risk rating, which helps me narrow down critical or specific vulnerabilities to exploit or signs that a host or service may be a high priority for a closer look.
When viewing Nessus results, never ignore the informational findings. They often provide clues that more may be going on on a host or service than you realize at first glance.
Nexpose
Another great vulnerability assessment tool is Nexpose, owned by Rapid7. Nexpose is similar to Nessus, as it provides similar vulnerabilities. There are some slight differences in the way the products display results.
Nexpose is built around “sites.” Each site has defined hosts or IP ranges under it. From there each host’s vulnerabilities will be listed. The easiest way I’ve found to list out all vulnerabilities is to create a report from the site I’m working in.
Besides greater extensibility, one major advantage with Nexpose is that it ties in with Rapid7’s vulnerability management product, InsightVM. If you’re looking for a full vulnerability management solution and not just a vulnerability scanner, Nexpose is a good option to check out.
There are many other tools that I use, but these are always my first go-to tools to start an assessment.
Follow the series!
Stay tuned for more posts in the Cool Tools series, where the Raxis penetration testing team will highlight some of their favorite tools and explain how to get started with them.
Ryan: When I was a kid, at about 9 or 10 years old, I started building my own computers. By junior high I was in advanced placement software development courses through Indiana University Southeast.
This continued through college where I took computer science courses. However, due to the job market, after the 2008 crash, I ended up working in marketing right out of college. I read Automate the Boring Stuff with Python, which was absolutely pivotal because it allowed me to automate 80-90% of my job and focus on skills I wanted to improve. Realistically it means I ended up doing everything but marketing.
Bonnie: So how did you get into Penetration Testing?
Ryan: Several years ago the company I was working at was hacked and was actively serving our customers malware. Our main developer locally was on maternity leave, and our offshore devs were all on holiday. I ended up being the main technical resource who was available and familiar with our website, so I was thrown into the fire for my start.
At the time I helped develop and deploy a patch. Then, in the medium and long term, we came up with mitigation strategies, but, really for me, that started my passion to learn more through platforms like HackTheBox and OffSec.
Bonnie: What a way to start your journey into cybersecurity! Did you just manage to find those platforms and come up with mitigations on your own?
Ryan: Definitely not! One of my closest friends from undergrad introduced me to the community, and I do believe the cybersecurity industry is much more of a community than most industries. We are all learning and building each other up together. The emphasis in the cybersecurity community about giving back is one of my favorite things about this industry.
Bonnie: So community is really important to you?
Ryan: Absolutely! I’m from a very small town of only about 1,500 people. Everyone knows everyone, and, even though I now live outside of a major city, the lessons I learned in that small town about the importance of sticking together have stayed with me.
Bonnie: Wow, that is a small community! Anything more you can tell me about that kind of community?
Ryan: When I was growing up there, no one really had much of anything, so we focused on the good times we could have together. I wouldn’t be where I am today without such a great family and community standing behind me. I still visit several times a year.
Besides that there are all kinds of fun stories that would take up way too much time. Some other time you will have to remind me to tell you about how we used to take jon boats up the highway when it flooded or stories about Larry Bird – you know he was originally from my hometown – if you are into the NBA or basketball.
Bonnie: Wait, you are from a town of 1,500 people, and one of them was Larry Bird?
Ryan: Hahaha! Yeah, I guess it’s a pretty atypical town. It’s Indiana so we already have a much higher percentage of people who are into basketball, but I would say my hometown takes it to another level in terms of enthusiasm.
Bonnie: So I’m assuming that is probably one of your hobbies? Do you have any others?
Ryan: Playing and watching basketball are two of my hobbies, but, honestly, I have a lot of hobbies. I’ve also consistently been into running and lifting weights for a very long time. Now that I think of it, my first experience “hacking” really was installing a chip in my PlayStation so I could play homebrew and modified games. So video games have always been around in my life too.
Otherwise, I really enjoy a challenge and learning new things. During COVID that meant mastering my sourdough technique. Lately I have been playing piano for a new challenge. Lastly, of course, I’m into computers. The challenges I’ve been looking into recently, when it comes to computers, are working with and understanding low-level code, like assembly, better.
Bonnie: I could see that being useful for your cybersecurity career as well. What are your plans with your career?
Ryan: Yeah, I really think becoming better acquainted with low-level concepts will help me to succeed when I take the OSED in the next year or two. I’d love to eventually get my OSCE3 and a CISSP as well.
Right now, though, I’m just excited to be joining a team like Raxis. This is a goal I’ve worked towards for over six years, grinding through becoming a top-ranked hacker on HackTheBox, getting my OSCP, and watching countless hours of DefCon and Black Hat talks. There really couldn’t be a better company for it to happen at either. Not only does Raxis have amazing clients and great relationships in the security community, but I’ve also been impressed with each person I’ve worked with so far.
Bonnie: Thanks for the kind words! We are looking forward to having you on the team full time!
In a Windows domain, devices have an msDS-AllowedToActOnBehalfOfOtherIdentity attribute. Per Microsoft, “this attribute is used for access checks to determine if a requestor has permission to act on the behalf of other identities to services running as this account.” In this blog, we will exploit this feature to gain administrative access to a target system in a Resource Based Constrained Delegation (RBCD) attack.
First we need to have control of an account with an SPN (Service Principal Name). The easiest way to do this for our test is to create a machine account. By default any non-admin user can create up to 10 machine accounts; the limit is set by the MachineAccountQuota. You can query this value using the NoPAC scanner.
python3 scanner.py Domain/User -dc-ip DC-IP
Since the MachineAccountQuota is above 0 (again, the default is 10), any user can create a machine account. I used impacket’s addcomputer.py script.
After configuring the attribute, I used impacket’s getST.py script to get a Kerberos ticket where we impersonate the administrator user on that device. In this case make sure to log in with the created machine account.
Note: When using the tickets, make sure the target isn’t an IP address but rather the domain name (i.e. lab1.ad.lab). You can use the -target-ip flag to point to the right computer if names don’t resolve. I don’t want to admit how long it took me to figure that out.
Playing around with RBCD
Certipy has the ability to access an LDAP shell with a PFX certificate. Say there is web enrollment enabled. As we discussed in the past, you can force the server to authenticate to you then relay it to web enrollment.
certipy relay -ca CA-IP
After a successful relay you can use the saved certificate to access the LDAP shell.
Once in the LDAP shell you can set up the RBCD attack with the set_rbcd command where the first argument is the target device and the second is the controlled account.
set_rbcd Target Controlled-Account
After setting up the RBCD, it’s the same as before using getST to get the ticket and run with it.
Next I wanted to try the same thing but against the domain controller. So I set up certipy to get a domain controller certificate, as we’ve previously discussed.
As a note, because it’s a domain controller, the template has to be specified as DomainController, but you can still use it to access an LDAP shell.
I made a new user, protected.user, to show how to add protections within Active Directory to prevent these attacks. Here I successfully exploit RBCD before adding protections.
As expected, it worked.
Now I checked the box that prevents the account from being delegated.
And then I tried again.
This time the attack didn’t work, which is what we were looking for.
Microsoft also has a group called Protected Users which should (based on my understanding) enable protections against this and other attacks. While I’ve been blocked before by that group while performing penetration tests, for some reason, in my lab, adding a user to that group did not actually prevent the attack. I’m not sure why, but it didn’t, hence the method I discovered above to be sure the account is protected.
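The post shows the attack from the attacker’s side and screenshots of the checkbox that stopped it. As an added example (not Raxis code, and not impacket or Certipy), here is the defender’s view of the same two objects: the msDS-AllowedToActOnBehalfOfOtherIdentity value is a binary NT security descriptor whose DACL lists the accounts allowed to act on behalf of the computer, and the checkbox that blocked the attack sets the UF_NOT_DELEGATED bit (0x100000) in userAccountControl. The code decodes a descriptor of that layout and reports an account’s delegation protections; the SIDs are assumed lab values and the descriptor is constructed in-line rather than read from LDAP.

```python
"""Decode the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor
and report an account's protections against delegation-based impersonation.

Added example, not Raxis/impacket/Certipy code. Standard library only; the
descriptor is built in-line from assumed lab SIDs instead of being read from
the directory."""
import struct

UF_NOT_DELEGATED = 0x100000      # "Account is sensitive and cannot be delegated"
PROTECTED_USERS_RID = 525        # well-known RID of the Protected Users group
FULL_CONTROL_MASK = 0x000F01FF   # access mask Windows writes into the RBCD ACE
ACCESS_ALLOWED_ACE_TYPE = 0
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def sid_to_bytes(sid):
    """Serialise an 'S-1-<auth>-<sub>...' string into its binary form."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1", "unsupported SID revision"
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data, offset=0):
    """Parse a binary SID at offset; return (sid_string, bytes_consumed)."""
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_rbcd_descriptor(trustee_sids):
    """Build a self-relative security descriptor whose DACL grants full
    control to each trustee: the layout the RBCD attribute holds."""
    aces = b""
    for sid in trustee_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = 4 + 4 + len(sid_bytes)          # ACE header + mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size,
                            FULL_CONTROL_MASK) + sid_bytes
    # ACL header: revision 4 (ACL_REVISION_DS), size, ACE count, padding
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    # SD header: revision 1, control flags, owner/group/SACL absent, DACL at 20
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         0, 0, 0, 20)
    return header + acl


def allowed_to_act_trustees(descriptor):
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL, i.e. the principals
    that may act on behalf of other identities to this computer."""
    if len(descriptor) < 20:
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(
        "<BBHIIII", descriptor, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                                   # no DACL: nothing delegated
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, dacl_off)
    pos = dacl_off + 8
    trustees = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(bytes_to_sid(descriptor, pos + 8)[0])
        pos += ace_size                             # skip other ACE types intact
    return trustees


def delegation_protections(user_account_control, member_of_rids):
    """Protections that keep an account from being impersonated via RBCD:
    the UF_NOT_DELEGATED flag (the checkbox in the post) and Protected Users
    membership, which Microsoft documents as blocking delegation."""
    found = []
    if user_account_control & UF_NOT_DELEGATED:
        found.append("UF_NOT_DELEGATED")
    if PROTECTED_USERS_RID in member_of_rids:
        found.append("Protected Users")
    return found


if __name__ == "__main__":
    # Assumed lab SID of an attacker-created machine account (RID 1105).
    sd = build_rbcd_descriptor(["S-1-5-21-1-2-3-1105"])
    print("allowed to act on behalf of this computer:", allowed_to_act_trustees(sd))
    # protected.user from the post, after the checkbox was ticked
    print("protections:", delegation_protections(0x100200, [513]))
```

The trustee list is what to alert on: a machine account that is not a known service host showing up in another computer’s msDS-AllowedToActOnBehalfOfOtherIdentity is the artefact every step in this post leaves behind, and an empty list is the expected state for most workstations.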
A Final Note
The end result for RBCD really is just getting administrative access to a machine. It’s a privilege escalation exploit, and it only works on the machine you’re targeting, not across the domain. If you’re on a DC then great. But it’s still a great way for someone to get admin access to a machine in order to try lateral movement or to access info on that machine during a penetration test.