Category: Penetration Testing

  • Cool Tools Series: Nuclei

    Cool Tools Series: Nuclei

    Hopefully you enjoyed Adam Fernandez’s recent Cool Tools post, Nmap For Penetration Tests. In this next post in the series, I’d like to introduce another great penetration testing tool: Nuclei.

    Nuclei is an outstanding enumeration tool that performs a myriad of checks against the systems and services it discovers. It does particularly well against web applications. It also tests for known vulnerabilities, can pull versioning information from systems, and can try default credentials.

    Installing Nuclei

    You can use apt to easily install it on Kali Linux:

    apt install nuclei
    

    Templates

    Nuclei uses saved templates to perform tests against systems. This lets users create new templates as new discoveries are made. You can also generate custom templates for tasks you often use or things you discover yourself.

    More information about these templates can be found here: https://docs.projectdiscovery.io/templates/introduction

    You can explore the templates Nuclei uses by default here.

    https://github.com/projectdiscovery/nuclei-templates/tree/main

    Options

    There are a lot of different options when using the tool, but generally, when I’m using it for external network and web application tests, I just pass a target or a list of targets to the program.

    To get a full list of options, all you need to do is this command:

    nuclei –help

    To scan a single device, simply use:

    nuclei -u {Target}

    Here is an example from a recent penetration test. There was only one target, so I simply passed that target to Nuclei:

    Nuclei with one target

    You can see that Nuclei examined the responses from the web server and found that security-related headers were missing.

    Here is an example using Nuclei against a list of targets. I put the targets for the engagement into a file called targets & ran the following command:

    nuclei -list {File}
    Nuclei with a list of targets

    Real-World Nuclei Discoveries

    Here are some examples of useful things Nuclei has found for me during various penetration tests.

    Here Nuclei found a Solr panel, revealed the version running, and shared it in a human-readable format easy for me to use as a pentester:

    Nuclei discovering Solr panel and displaying discovered information.

    Here Nuclei did some testing against a host on an internal network and successfully performed a Log4j exploit. It then reported the success with a critical flag as this could lead to remote code execution (RCE):

    Nuclei successfully performing Log4j exploit.

    I’ve also found Nuclei’s ability to try default passwords to come in handy when testing.

    As an example, I use a self-hosted Git instance and changed the root account’s password to one that Nuclei uses. You can see how Nuclei successfully logged into the GitLab and notified me:

    Nuclei discovering a default password.

    Thanks for Reading

    There’s a lot more to Nuclei, but this is a good start. Thanks for taking a look at this post, and I hope you’ll be back for future Cool Tools posts in the series.

  • Raxis: Your Trusted Partner in Penetration Testing

    Raxis: Your Trusted Partner in Penetration Testing

    I’m Cole Stafford, a Sales Development Representative at Raxis. I help with customer relations, building the contracts, and making sure everything gets out in a timely order. I’m proud to be a part of the Raxis team and share a few of the reasons why below.

    At Raxis, we redefine the penetration test experience by prioritizing customer satisfaction and simplifying the entire process. As a leading name in cybersecurity assessments, we understand that the concept of penetration testing can be daunting. We’ve crafted our approach, not only to uncover vulnerabilities effectively, but also to ensure our clients feel supported and valued every step of the way.

    Customer-Centric Approach

    Our philosophy revolves around building strong client relationships. Raxis believes that commitment to low-pressure sales and prompt responsiveness is key to customer satisfaction. We pride ourselves on quick response times.

    Cole and the Raxis sales team at an Atlanta conference

    We endevor to respond to all client inquiries promptly during business hours, demonstrating our commitment to excellence in supporting our customers when it matters. Choosing Raxis means partnering with a team dedicated to making your cybersecurity journey smooth and stress-free.

    Personalized Service

    Unlike cookie-cutter approaches, Raxis tailors each penetration test to meet the unique needs of our clients. We listen attentively to your requirements and recommend solutions that best fit your specific situation. This personalized approach ensures you receive targeted insights and actionable recommendations.

    Friendly Expertise

    While penetration testing can appear complex, our team at Raxis is known for its approachable demeanor and deep expertise. Our senior penetration testers, each with years of experience in both cybersecurity and IT, ensure assessments are conducted with precision and professionalism. We prioritize clear communication and make technical details understandable for all stakeholders.

    Beyond assessments, we see ourselves as educators in cybersecurity. We guide clients through the process, simplifying technical language and delivering comprehensive reports that outline risks and provide steps for improvement.

    Easy button

    Our aim is not only to identify vulnerabilities, but also to empower you with the knowledge to enhance your security. It’s not your job to know the ins and outs of cybersecurity on your own. We aim to be an easy button for our customers so that they know their risks and are empowered to close those gaps.

    Why Raxis?

    Raxis blends high-level technical acumen with a friendly, accessible approach that sets us apart. From initial contact to post-assessment support, we strive to be your go-to partner — making cybersecurity effective, straightforward, and enjoyable.

    Conclusion

    At Raxis, we are more than a cybersecurity firm; we’re your partner in safeguarding what matters most to your business. Discover the difference of working with a team that values your satisfaction and aims to exceed your expectations at every turn.

    For a penetration testing experience that’s as friendly as it is effective, choose Raxis. Contact us today to secure your digital infrastructure with confidence and ease.

  • Cool Tools Series: NMAP for Penetration Tests

    Cool Tools Series: NMAP for Penetration Tests

    In Scottie’s recent Cool Tools blog about discovery tools, he, like many network penetration testers, starts with Nmap. Nmap is a great discovery tool with many flags and scripts. In this post, I will expand upon Scottie’s ideas and delve more deeply into what Nmap has to offer, specifically for network penetration testing.

    Hosts Marked as Down When They Are Up

    If you find you have problems with Nmap flagging hosts as down, even though they should be up, I would recommend adding these flags to your command:

    • -PS – SYN ping scan. You can optionally add a port number after this.
    • PA – ACK ping scan. You can optionally add a port number after this.
    • -PE – Typical ICMP ping echo request, typically blocked by firewalls.
    • -PP – ICMP timestamp ping query, which can sometimes get around misconfigured firewalls.
    • -PM – ICMP subnet mask ping query, also good for evading misconfigured firewalls.
    • -PO -This issues an IP protocol ping, which seems to work a lot of times when other probes don’t.

    Putting that all together, my typical scans are now starting to look like this:

    sudo nmap -oA [output] -sSUV --unique --resolve-all -PS -PA -PE -PP -PM -PO -T4 -O -p T:-,U:53,161 -vv -iL [targets]

    Some other options present here:

    • -oA [output– Output in all file formats simultaneously.
    • -sSUV – Combo of -sS (TCP SYN scan), -sU (UDP scan), and -sV (service version scanning).
    • –unique – Scan each IP only once (e.g. if raxis.com resolves to 1.1.1.1, and both are targets, only scan 1.1.1.1 once).
    • –resolve-all – If an DNS name resolves to multiple IPs, scan each IP.
    • -T4 – Go a bit faster than default, recommended for modern networks (unless you’re trying to be quiet).
    • -O – Try to determine operating system.
    • -p T:-,U:53,161 – Scan all TCP ports as well as UDP ports 53 (DNS) and 161 (SNMP).
    • -vv – Be very verbose in output.
    • -iL [targets– Use the targets in the specified file.

    Additionally, when using -oA, if your scan gets interrupted, you can use this to resume the scan where it left off:

    nmap --resume

    The Nmap Scripting Engine

    The Nmap Scripting Engine (NSE) provides 604 scripts and 139 libraries at the time I’m writing this. That number grows each year, so, needless to say, this is a very useful tool for penetration testers or for blue teams checking out possible vulnerabilities in their systems. I’ll discuss some Useful NSE scripts here, and I encourage you to take a look to see if there are others that would be helpful for your needs.

    Shodan

    • Queries the Shodan API for the targets. Follow the instructions on the NSE site to setup a Shodan API key.
    nmap --script shodan-api [IP Range] -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'
    nmap --script shodan-api --script-args 'shodan-api.target=[IP],shodan-api.apikey=SHODANAPIKEY'

    Server Message Block (SMB)

    • Check if SMB signing is disabled:
    nmap --script smb-security-mode -p445 [IP]

    File Shares

    • Attempt to enumerate SMB shares:
    nmap --script smb-enum-shares -p445 [IP]
    • Show NFS Shares (Exports):
    nmap -sV --script=nfs-showmount [IP List or Range]
    • Attempt to get useful information from NFS shares (mimics an -ls command):
    nmap -p 111 --script=nfs-ls [IP List or Range]
    nmap -sV --script=nfs-ls [IP List or Range]

    Databases

    • Attempts to find configuration and version info for a Microsoft SQL Server instance:
    nmap -p 445 --script ms-sql-info [IP]
    nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 [IP]
    • Looks for MySQL servers with an empty password for root or anonymous:
    nmap -sV --script=mysql-empty-password [IP]

    Domain Name Server (DNS)

    • Perform DNS Cache Snooping:
    nmap -sU -p 53 --script dns-cache-snoop --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' [IP]
    • Checks DNS anti-spam and open proxy blacklists to see if an IP has been flagged:
    nmap --script dns-blacklist --script-args='dns-blacklist.ip=[IP]'
    nmap -sn [IP] --script dns-blacklist

    Virtual Private Network (VPN)

    • Checks if the host is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability:
    nmap -p 443 --script http-vuln-cve2014-2128 [IP]

    Network Time Protocol (NTP)

    • Shows an NTP server’s monitor data:
    sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist [IP]

    Remote Access

    • Attempts to brute-force a VNC server:
    nmap --script vnc-brute -p 5900 [IP]
    • Discovers the security layer and encryption level that is supported by a RDP service:
    nmap -p 3389 --script rdp-enum-encryption <ip>

    Network Protocols

    • Attempts to brute-force a POP3 account:
    nmap -sV --script=pop3-brute [IP]
    • Attempts to brute-force a telnet server:
    nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s [IP]

    Java

    • Attempts to dump all objects from a remote RMI registry:
    nmap --script rmi-dumpregistry -p 1098 [IP]
    nmap --script rmi-dumpregistry -sV --version-all -p 443 [IP]

    Weak Ciphers & Algorithms

    • Enumerates all web ciphers that a server accepts:
    nmap -sV --script ssl-enum-ciphers -p 443 <host>
    • Finds the number of algorithms the SSH2 server offers (or lists them with verbosity set):
    nmap --script ssh2-enum-algos [IP]

    Certificates

    • Displays the server’s SSL certificate. Set verbosity to add more details:
    nmap --script=ssl-cert -p 443 [IP]

    Http

    • Checks if HTTP TRACE is enabled:
    nmap --script http-trace -d [IP]

  • Cool Tools Series: Host Discovery

    Before starting any penetration test, you must know the scope of the work. Depending on the type of assessment, this could be specific hosts or full ranges of IP addresses with live hosts scattered throughout. If the scope is the latter, then it is a good idea to initially identify which hosts are live and then discover common, known vulnerabilities on the hosts. This will narrow down the attack surface and potential attack vectors to help establish a list of priority targets during the assessment.  

    There are several tools that I like to use when I start a new assessment. Some are free open-source tools, while others are commercial.

    Open-Source Tools

    Nmap

    The first tool I always use in Nmap. Nmap is an open-source tool that can identify live hosts and services by conducting protocol enumeration across systems. It can also be used for specific configuration checks or even as a vulnerability scanner by using the Nmap Scripting Engine (NSE).

    Even when I use Nmap with vulnerability scanners, I still regularly utilize Nmap scripts. Nmap come pre-installed with Kali Linux but can easily be installed on any Linux or Windows system. Using Nmap for the first time can be intimidating, but after using it for a bit, users often find it very easy and reliable.  I usually run the initial scans by ignoring ICMP checks (Ping) and just assume that all hosts are live. I do this because some network admins like to disable ICMP on live hosts as a security measure (Good on ’em!).

    nmap -v -A --open -Pn -iL targets.txt -oA nmap_scan

    Note: -Pn disables the ICMP check.

    If the scope is extremely large and the Nmap scans won’t complete in the time allowed, I enable the ICMP check by remove the “-Pn”:

    nmap -v -A --open -iL targets.txt -oA nmap_scan

    Below is a screen shot of a typical initial scan I perform on network assessments (internal & external):

    nmap -v -A -Pn --open {IP Range} -oA {Output File Name}
    Nmap Discovery Scan

    The commands above are easy to learn once you use them a few times, and I’ll cover what is going on here.  

    • First, I like to use the “-v” which enables verbose outputs.
    • The “-A” enables OS and version detection, as well as script scanning and traceroute output.
    • “-Pn” disables ICMP ping for host discovery, causing the scan to assume that all hosts are live.
    • Next, we have the IP range, in this instance a standard /24 internal network. If I have specific hosts or multiple ranges to target, I will create a text file and use the “-iL” switch to point to the text file.
    • Lastly, I like to output the results to all supported formats by setting “-oA.” The reason I do this is because I like to ensure I have the different file types for future use. For example, the .nmap output is easy to read when I want to scan through the output. I typically use the XML output for importing into Metasploit or when using Eyewitness to enumerate web hosts.

    There are quite a few good cheat sheets out there too if you let the Googles do the work for you. If not, follow this series for more Nmap tips and tricks in the future.

    Masscan

    Another tool similar to Nmap is Masscan. Masscan is a TCP port scanner that scans faster than Nmap. Unlike Nmap, Masscan requires you to define the ports you want to scan. I typically don’t use Masscan and just stick with Nmap, but it’s a good option if you want to quickly look for specific open ports on a network.

    OpenVas

    Another tool I use on occasion is OpenVAS (a.k.a. Greenbone), a vulnerability scanner. Greenbone offers a commercial version, but there is an open-source version available as well. I’ve used this many times when I am unable to access my usual vulnerability scanners. One downside to the tool is that It can be difficult to install. I recently followed the instructions for installing with Kali and ran into quite a few issues with the install. I’ve also noticed that the initial setup can take some time due to the signatures that are downloaded. If purchasing a commercial vulnerability scanner is too expensive, then Greenbone is definitely worth looking into, despite its challenges.

    OpenVAS Dashboard

    Commercial Tools

    Nessus

    By far, my favorite vulnerability scanner is Tenable’s Nessus. There is a free version available, but it’s limited to 16 IP addresses. If you are doing a lot of vulnerability scanning or time-boxed penetration tests, then it might be worth looking into purchasing this.

    The thing I like most about Nessus is how I can sort by vulnerabilities across all hosts in a given scan. I can also sort these vulnerabilities by risk rating, which helps me narrow down critical or specific vulnerabilities to exploit or signs that a host or service may be a high priority for a closer look.

    When viewing Nessus results, never ignore the informational findings. They often provide clues that more may be going on on a host or service than you realize at first glance.

    Nexpose

    Another great vulnerability assessment tool is Nexpose, owned by Rapid7. Nexpose is similar to Nessus, as it provides similar vulnerabilities. There are some slight differences in the way the products display results.

    Nexpose is built around “sites.” Each site has defined hosts or IP ranges under it. From there each host’s vulnerabilities will be listed.  The easiest way I’ve found to list out all vulnerabilities is to create a report from the site I’m working in.

    Besides greater extensibility, one major advantage with Nexpose is that it ties in with Rapid7’s vulnerability management product, InsightVM. If you’re looking for a full vulnerability management solution and not just a vulnerability scanner, Nexpose is a good option to check out.

    There are many other tools that I use, but these are always my first go to tools to start an assessment. 

    Follow the series!

    Stay tuned for more posts in the Cool Tools series, where the Raxis penetration testing team will highlight some of their favorite tools and explain how to get started with them.

    Take a look as Adam Fernandez dives into Nmap for Penetration Tests in the next post in this series.

  • OWASP Top 10: The Bedrock of an Application Penetration Test

    When performing a web app, mobile app, or API penetration test, many companies, including Raxis, refer to the OWASP Top 10. Here we’ll discuss what that means and why it’s helpful.

    A History

    The OWASP (Open Worldwide Application Security Project) Foundation is a non-profit organization with chapters worldwide. OWASP formed in 2001, and the first OWASP Top 10 was released in 2003.

    While OWASP is best known for their Top 10 list, they have several other projects as well and host conferences around the world encouraging people interested in application development and cybersecurity to come together. All of their tools, documentation, and projects are free and open to all who are interested in improving application security.

    OWASP states their vision as “No more insecure software,” and all of their efforts aid in that goal.

    OWASP released their first Top 10 list in 2003 and continued with a new list every three years for about a decade. Updates have become less less frequent as web application security has matured. The most recent Top 10 list was released in 2021 and before that in 2017.

    More Than Just a Web App Top 10 List

    While the OWASP Top 10 list focuses mostly on web applications (and sometimes mobile applications, which share a number of similarities with web applications), in the last five years, OWASP has begun releasing a Top 10 list for APIs as well. An API (Application Programming Interface) contains functions that allow internal or external applications to contact the system for viewing and sometimes editing data. As such, APIs have a number of differences from web and mobile applications when it comes to keeping systems secure.

    The OWASP API Security Top Ten was first released in 2019 with an update every other year, the most current in 2023. While there is some overlap with the application Top 10 list, this list focuses solely on APIs.

    Updates to the Top 10 Lists

    Updates to the Top 10 lists often combine vulnerabilities as cybersecurity professionals come to realize the items are related and best corrected in the same ways. As applications become more complex, OWASP has added new items to their lists as well.

    Why a Top 10 List?

    Knowing that application developers often have a lot of goals and limited time, and keeping with their vision of “no more insecure software,” OWASP releases its Top 10 list to give developers a succinct guide to follow within their SDLC (Software Development Lifecycle) process.

    The items in the list are broad ideas that can be used in all parts of the planning, coding, and testing phases for applications. This encourages developers to build in security features early in the design phase as well as to find and add security measures later.

    From a penetration testing perspective, the OWASP Top 10 list is also helpful. While malicious hackers have all the time in the world and don’t care if they crash systems and servers, penetration testers aim to discover as much as possible within an affordable time-boxed test without causing harm to an organization’s systems.

    The OWASP Top 10 allows penetration testers to prioritize testing using agreed upon standards. This way customers receive the information needed to secure vulnerabilities in their applications and the knowledge that the controls they have in place are working correctly or need to be corrected. This doesn’t mean that penetration testers don’t examine other findings, but, within a time-boxed test, penetration testers attempt to focus first on the most critical risks.

    How OWASP Creates the Top 10 List

    On their website, OWASP explains their methodology for creating the OWASP Top 10 list, with eight categories from contributed data and two from a community survey. Contributed data is based on past vulnerabilities, while the survey aims to bring in new risks that may not have been fleshed out entirely in the cybersecurity world yet but that appear to be on the horizon and becoming key exposures.

    The team also prioritized root causes over symptoms on this newest Top 10 list. The team has extensive discussions about all of the gathered CWEs in order to rank them by Exploitability, Detectability, and Technical impact. The move from CVSSv2 to CVSSv3 also played a role, as there have been multiple improvements in CVSSv3, but it takes time to convert CWEs to the new framework.

    OWSP Top 10 2017 to 2021 Mapping

    Source: https://owasp.org/www-project-top-ten/

    A Look at the 2021 OWASP Top 10

    The most recent Top 10 list, released in 2021, added three new categories, merged a few categories, and changed the priority of several categories. Though some risks were merged, no risks were entirely removed. Here’s a look at the current OWASP Top 10 Risks (Source: https://owasp.org/www-project-top-ten):

    A01:2021 Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category. Raxis published a blog about A01:2021 just after the Top 10 list was released that year. Take a look at OWASP TOP 10: Broken Access Control for more details.

    A02:2021 Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure, which was broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography, which often leads to sensitive data exposure or system compromise.

    A03:2021 Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition. Raxis published a blog about A03:2021 just after the Top 10 list was released that year. Take a look at 2021 OWASP Top 10 Focus: Injection Attacks for more details.

    A04:2021 Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

    A05:2021 Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.

    A06:2021 Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.

    A07:2021 Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

    A08:2021 Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.

    A09:2021 Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

    A10:2021 Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.

    What This Means for Your Application

    Raxis recommends including application security from the initial stages of your SDLC process. The OWASP Top 10 lists are a great starting point to enable developers to do that.

    When scheduling your web application, mobile application, and API penetration tests, you can rely on Raxis to use the OWASP Top 10 lists as a guide.

  • An Inside Look at a Raxis Red Team

    Raxis’ Cybersecurity Red Team Test is our top tier test that gives our customers a true feel of what hackers could and would do to their systems, networks, employees, and even offices and storefront locations.

    Curious to know more? Take a look at this short video that gives a true look at real Raxis red team tests.

    While that looks like fun and games, it’s actually serious business. Red team tests are slow and methodical, making sure not to trip any alarms or cause wariness… until the first crack in the armor appears and then things often move quickly from there.

    Hackers look for the low hanging fruit. Whether that is a friendly employee who lets them in, a badge reader system that is vulnerable to simple attacks, or an unsecured wireless network reachable from the parking lot, it’s likely only the first step. Once the Raxis team has some sort of access, we move quickly to establish long term access and to gain deeper access.

    While network and application penetration tests check your security controls and make sure that you are protecting each system to the fullest extend and following best security business practices, a red team widens the scope and looks at any way – often the easiest way – to get in. The scope of a red team widens to cover all or most of your systems, just as a malicious hacker would.

    Take a look at your cybersecurity controls, and, when you’re ready to take your testing to the next level, reach out to schedule a Raxis Cybersecurity Red Team Test.

  • Why We Always Harp on Healthcare

    Over the years, we’ve posted several times about the need for pentesting and a focus on security in the healthcare industry. Healthcare security may start with HIPAA regulations, but, in the end, it all comes down to protecting patients and the healthcare workers – from doctors to nurses to insurance offices, administrative staff, and everyone else who gives their all so that you and your family members are safe to focus on healing.

    Getting Better, But There’s More to Do

    Years ago, when I was still on the pentest team at Raxis, I recall walking through hospital patient floors during physical social engineering engagements. I’d put on the scrubs that I bought at Walmart, and even though they often didn’t match the scrubs the other nurses and doctors wore, I never got stopped while wearing them.

    I took papers off printers (to photograph for my report and return) and sat down at computer workstations to learn the software available since the systems weren’t locked. I walked through all levels of the hospital that were in scope for the test, using elevators and stairwells without finding a locked door and without being questioned.

    In this short video, Raxis CEO Mark Puckett speaks about healthcare pentests he’s performed in the past and how the vulnerabilities we find concern us all.

    More recently we’ve found hospitals more likely to automatically lock workstations, but with the shortage of healthcare workers and no short-supply of emergency situations, we want to give the healthcare industry every possible advantage to stay secure.

    STILL MORE TO DO

    Just as hackers are constantly changing and discovering new ways to attack, Raxis also changes in order to keep our customers secure in this ever-changing environment. We offer several options for the healthcare industry, and we created our newest option, PTaaS (Penetration Testing as a Service), in order to help our customers who have their eye on the strongest security possible today.

  • How to Create an AD Test Environment

    Lead Pentester Andrew Trexler walks us through creating a simple AD environment.

    Whether you use the environment to test new hacks before trying them on a pentest, or you use it while learning to pentest and study for the OSCP exam, it is a useful tool to have in your arsenal.

    The Basics

    Today we’ll go through the steps to set up a Windows Active Directory test environment using Proxmox to virtualize the computers. In the end, we’ll have a total of three connected systems, one Domain Controller and two other computers joined to the domain.

    Setting up the Domain Controller (DC)

    The first step is to setup a new virtualized network that will contain the Windows Active Directory environment. Select your virtualization server on the left:

    Select virtual server

    This is a Windows based environment, but we’re using a Linux hypervisor to handle the underlying network architecture, so under System, select Network, and then create a Linux Bridge, as shown in Figures 2 and 3:

    Create a Linux Bridge
    Creating a new network

    After setting up the network, we provision a new virtual machine where we will install Windows 2019 Server. Figure 4 shows the final configuration of the provisioned machine:

    Provisioning Windows Server

    The next step is to install Windows 2019 Server. While installing the operating system make sure to install the Desktop Experience version of the operating system. This will make sure a GUI is installed, making it easier to configure the system.

    Fresh Install of Windows 2019

    Now that we have a fresh install, the next step is to configure the domain controller with a static IP address. This will allow the server to function as the DHCP server. Also make sure to set the same IP as the DNS server since the system will be configured later as the domain’s DNS server.

    Configure Static IP Address

    In order to make things easier to follow and understand later, let’s rename the computer to DC1 since it will be acting as our domain controller on the Active Directory domain.

    Renaming to DC1

    Next, configure the system as a domain controller by using the Add Roles and Features Wizard to add the Active Directory Domain Services and DNS Server roles. This configuration will allow the server to fulfill the roles of a domain controller and DNS server.

    Adding Required Features

    After the roles are installed, we can configure the server and provision the new Active Directory environment. In this lab we will use the domain ad.lab. Other than creating a new forest and setting the name, the default options will be fine.

    Setting up the Domain
    Setting Up the DHCP Service

    The next step is to configure the DHCP service. Here we are using a portion of the 10.80.0.0/24 network space, leaving enough addresses available to accommodate static IP addressing where necessary.

    Setting up DHCP Service

    There is no need for any exclusions on the network, and we will set the lease to be valid for an entire year.

    Adding a Domain Administrator and Users

    Additional configuration is now required within the domain. Let’s add a new domain administrator and some new domain users. Their names and passwords can be anything you want, just make sure to remember them.

    Choosing Option to Add new User

    First we create the Domain Administrator (DA):

    Adding New Administrator Account
    Adding User to Domain Admins

    Here we also make this user an Enterprise Admin (EA) by adding them to the Enterprise Admins group:

    Add User to Enterprise Admins

    Next we will add a normal user to the domain:

    Adding a normal user
    Creating Windows PC

    At this point we should have a functional Active Directory domain with active DHCP and DNS services. Next, we will setup and configure two other Windows 10 machines and join them to the domain.

    The first step is to provision the resources on the Proxmox server. Since our test environment requires only moderate resources, we will only provision the machines with two processor cores and two gigabytes of RAM.

    Provisioned Resources for Windows 10

    Then we install Windows 10 using the default settings. Once Windows is installed, we can open the Settings page and join the system to the ad.lab domain, changing the computer name to something easy to remember if called for.

    Joining the ad.lab domain

    Adding the system to the domain will require us to enter a domain admin’s password. After a reboot we should be able to login with a domain user’s account.

    Seeing the Raxis user from the Ad.lab domain
    SMB Share

    At this point, there should be three computers joined to the Active Directory domain. Using CrackMapExec, we can see the SMB server running on the domain controller but no other systems are visible via SMB. So let’s add a new network share. Open Explorer.exe, select Advance Sharing, and share the C drive.

    I don’t recommend sharing the entire drive in an environment not used for testing, as it’s not secure: the entire contents of the machine would be visible. Since this is a pentest lab environment, though, this is exactly what we are looking for.

    Creating new share

    Creating the share resulted in the system exposing the SMB service to the network. In Figure 20 we verified this by using CrackMapExec to enumerate the two SMB servers:

    CrackMapExec Showing Two SMB servers
    Conclusion

    At this point, our environment should be provisioned, and we are ready to test out different AD test cases, attacks, and other shenanigans. This environment is a great tool for ethically learning different exploits and refining pentesting techniques. Using a virtual infrastructure such as this also provides rollback capability for running multiple test cases with minimal downtime.

    I hope you’ll come back to see my next posts in this series, which will show how to use this environment to test common exploits that we find during penetration testing.

    Want to learn more? Take a look at the next part in our Active Directory Series.

  • How to Hire a Penetration Testing Firm Part Two

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.

    Bonnie Smyre, Raxis COO

    In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.

    If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.

    Question 1: What is your experience in performing the type of penetration testing our company is looking for?

    At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.

    On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.

    A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.

    Question 2: Tell me about your experience in my industry?

    Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standards (PCI-DSS), and we can plan our testing to make sure you’re compliant.

    When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations or FINRA, GLBA, or SOX, for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.

    Question 3: How comprehensive is your reporting?

    The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?

    Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.

    Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)

    Question 4: Who are the people I’ll be dealing with? What are their qualifications?

    Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.

    The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.

    At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.

    Question 5: How much will it cost and why?

    Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.

    If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.

    Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven to 10-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.

    Conclusion

    Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.

    The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.

    Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.

     

    Want to learn more? Take a look at the first part in our How to Hire a Penetration Testing Firm Series.

  • How to Hire a Penetration Testing Firm – Part 1

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer. Penetration testing is a niche in the cybersecurity field, but one that is critical to the integrity of your network and your data. This is the first of a two-part guide to help you select the right firm for your needs.

    Step 1: Identify Your Why

    There are lots of reasons why companies should routinely do penetration testing. The most important is to understand your vulnerabilities as they appear to hackers in the real world and work to harden your defenses. It may also be that your industry or profession requires testing to comply with certain laws or regulations. Or perhaps you’ve been warned about a specific, credible threat.

    Whatever your reasons for seeking help, you’ll want to look for a firm that has relevant experience. For example, if you run a medical office, you’ll need a penetration testing company that knows the ins and outs of the Health Insurance Portability and Accountability Act (HIPAA). If you’re a manufacturer with industrial control systems, you’ll need a company that understands supervisory control and data acquisition (SCADA) testing. The point is to make sure you know your why before you look for a pentest firm.

    See a term you don’t recognize? Look it up in our glossary.

    Step 2: Understand What You Have at Risk

    A closely related task is to be clear about what all you need to protect. Though it might seem obvious from the above examples, companies sometimes realize too late that they are custodians of data seemingly unrelated to their primary mission. A law firm, for instance, might receive and inadvertently store login credentials to access clients’ medical transcripts or bank accounts. Though its case files are stored on a secure server, a clever hacker could potentially steal personal identifiable information (PII) from the local hard drives.

    Step 3: Determine What Type of Test You Need

    General use of the term “pentesting” can cover a broad range of services, from almost-anything-goes red team engagements to vulnerability scans, though the latter is not a true penetration test. In last week’s post, lead penetration tester Matt Dunn discussed web application testing. There are also internal and external tests, as well as wireless, mobile, and API testing, to name a few. Raxis even offers continuous penetration testing for customers who need the ongoing assurance of security in any of these areas.

    Raxis offers several types of penetration tests depending on your company’s needs:

    Step 4: Consult Your Trusted Advisors

    Most companies have IT experts onboard or on contract to manage and maintain their information systems. You may be inclined to start your search for a penetration testing service by asking for recommendations from them – and that’s a good idea. Most consultants, such as managed service providers (MSPs), value-added resellers (VARs), and independent software vendors (ISVs), recognize the value of high-quality, independent penetration testing.

    In the case of MSPs, it might even be part of their service offerings. However, it might make sense to insist on an arm’s-length relationship between the company doing the testing and the people doing the remediation.

    If your provider is resistant to pentesting, it might be because the company is concerned that the findings will reflect poorly on its work. You can work through those issues by making it clear that you share an interest in improving security and that’s the purpose for testing.

    The downloadable PDF below includes this list of Raxis services with an explanation of what we test and and a brief explanation of how we go about it.

    Raxis Penetration Testing Services
    Step 5: Consider Ratings and Review Sites

    Another starting point – or at least a data point – is review and rating sites. This can be incredibly helpful since such sites usually include additional information about the services offered, types of customers, pricing, staffing, etc. That gives you a chance to compare the areas of expertise with the needs you identified in steps one and two. It can also introduce you to companies you might not have found otherwise.

    Here are some resources you might find helpful as a start:

    Step 6: Check References

    Once you have your short list of companies, it’s a good idea to talk to some of their customers, if possible, to find out what they liked or didn’t like about the service. Ask about communications. Were they kept in the loop about what was going on? Did the company explain both successful and unsuccessful breach attempts? Did they get a clear picture of the issues, presented as actionable storyboards?

    In addition, it’s a good idea to ask about the people they worked with. Were they professional? Was it a full team or an individual? Do they bring a variety of skillsets to the table? Did they take time to understand your business model and test in a way that made sense? It’s important to remember here that many pentesting customers insist on privacy. The company may not be able to provide some references and others may not be willing to discuss the experience, However, some will, and that will add to your knowledgebase.

    If you’ve completed steps 1 through 6, you should be armed with the information you need to begin interviewing potential penetration testing companies. You’ll be able to explain what you need and gauge whether they seem like a good match or not. And you’ll know how their customers feel about their service.

    If you found this post helpful, make sure to follow our blog. In the weeks ahead, we’ll be discussing the questions you should ask potential pentesting companies – and the answers you should expect to hear.

    Want to learn more? Take a look at the second part in our How to Hire a Penetration Testing Firm Series.

  • Reporting Tools for Large Penetration Tests

    “Give a pentester a table, they submit one report. Automate making tables, they can submit reports for life.”

    k0pak4

    Displaying findings clearly and concisely is key to making a penetration testing report actionable. The proof of concept allows a client to replicate the finding, and a list of affected targets allows them to properly remediate all assets. On large engagements, there are often findings that affect many hosts; when presented concisely, this can be acted on much more easily. There are already amazing tools out there to scan many hosts and report their findings. (Nessus, Nexpose, and Nmap are examples.) The problem is that none were doing what I was looking for — reporting the affected hosts for one finding, concisely.

    The first two tools described here quickly create tables showcasing the details behind two common findings on large external pentest reports. Clients can also use these tools to verify remediations without having to manually inspect each host. The last tool can be used to turn any list into a sorted table, which works well when you simply need a large table to display many hosts.

    mass-sslscan (https://github.com/k0pak4/mass-sslscan)

    There are several tools that will break down the weak SSL/TLS protocol versions, ciphers, and signature algorithms used in TLS connections. Some of these are web-based, such as SSL Labs, and others are command-line based, such as the SSLScan tool. My mass-sslscan tool runs SSLScan against an entire list of hosts, parses the output of the tool, and creates a table with each host that displays which weak configuration(s) they have. This can also be used in remediation to ensure those servers have had their configurations strengthened. An example of running the tool is shown below:

    mass-sslscan command line
    server-header-scan (https://github.com/k0pak4/server-header-scan)

    On penetration tests, it’s common to find the HTTP server header, which can disclose the web server’s software and sometimes its exact version. This information leakage is typically of low severity, but helps an attacker fingerprint the server, which may disclose a vulnerable version. In more targeted attacks, it might tell them what software to build an exploit for. My tool, server-header-scan, retrieves the server header from each target, and inserts the results into a table with each retrieved value, as shown in the following example:

    server-header-scan command line
    table-maker (https://github.com/k0pak4/table-maker)

    The table-maker is a bit more straightforward. It takes a list, either as a comma-separated list or as a file with one item per line, and turns it into a table with the desired number of columns. This can be useful for extremely large scopes or when discovering many hosts are vulnerable to a specific finding. This results in a csv ready to be opened and pasted as a table, as shown in the illustration below:

    table-maker command line

    If you compile reports for large penetration tests, odds are that you’re going to be pressed for time at some point. My hope is that these tools will make it easier for you to provide more and better information to your customers in a way that helps them understand and act on your findings.

  • How Artificial Intelligence Will Power Raxis Continuous Penetration Testing

    A few years ago, Mark Zuckerberg of Facebook and Tesla’s Elon Musk feuded very publicly over whether artificial intelligence (AI) would be the key to unlocking our true potential as humans (Zuck) or spell doom for our species and perhaps the Earth itself (Musk). Apparently, neither of them accepts the notion that AI, like all technology, will expose us to new concerns even as it improves our lives.

    Meanwhile, here in reality, business owners are still facing the less dramatic, but more urgent threat posed by all-too-human hackers. Most seek money, some are in it for fame, others cause havoc, and many want all of the above. It’s against this mob that Raxis is using AI, more accurately called machine learning, to give honest companies an upper hand in the fight.

    Here’s how it works:

    Human Talent Sets Us Apart

    Raxis has built an incredible team of elite, ethical hackers, who are all the more effective because of their diverse backgrounds and skillsets. Our process starts with a traditional penetration test. Based on our customers’ parameters, we set our team to work testing your defenses.

    Think of this like your annual physical at the doctor’s office (without the embarrassing paper gown). Our goal at this stage is to find ways into your network and determine where we can go from there. Once you know where you’re vulnerable, you can remediate and feel more comfortable that your defenses are solid.

    AI Extends Human Capabilities

    One major challenge of staying cybersecure is that new threats are emerging and new vulnerabilities are being discovered even as I write this sentence. The point of continuous penetration testing is that we leverage technology to account for the pace of this change. Our smart systems will continually probe your defenses looking for new weaknesses – with software that is updated in real time.

    In keeping with my earlier example, this part of the process is analogous to wearing a heart monitor and having routine blood work. As long as everything remains normal, we let the system do its job.

    Humans Enhance AI Effectiveness

    When our AI discovers an anomaly, it alerts our team members, who quickly determine if it’s a false positive or a genuine threat. If it’s the former, we’ll simply note it in your Raxis One customer portal, so you don’t waste time chasing it down. The latter, however, will trigger an effort by our team to exploit the vulnerability, pivot, and see how far we can go.

    Consider this exploratory surgery. We know there’s a problem, and we want to understand the extent so that you can fix it as quickly as possible. That’s why we give you a complete report of the vulnerability, any redacted data that we were able to exfiltrate, and storyboards to show you how we did it.

    More than a Vulnerability Scan

    If you’re familiar with vulnerability scanning, you’ll immediately recognize why the Raxis Continuous Penetration Testing is different . . . and better. Ours is not a one-and-done test, nor is it a set-it-and-forget-it process. Instead, you have the advantage of skilled penetration testers, aided by technology, diligently monitoring your network.

    AI isn’t ready to change the trajectory of the human race just yet, but it is improving our ability to protect the critical computer networks we rely on.

    If you’d like to learn more, just get in touch, and we’ll be happy to discuss putting this new service to work for your company.