An ethical hack reveals endpoint security vulnerabilities
Erin Duncan
“Know thy enemy and know yourself; in a hundred battles, you will never be defeated.”
~ Sun Tzu, The Art of War
Sun Tzu’s advice is as applicable in cybersecurity as it is in battle. He warns, “When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.”
Endpoint Security Vulnerabilities: What are yours?
As much as you think you understand your endpoint security strategy, do you really know how well it would hold up against a targeted attack? Many companies employ ethical hackers or bring in external red teams to test security controls and pinpoint potential physical, hardware, software, and human vulnerabilities. A multi-layered attack simulation can reveal issues before they get exposed by a cybercriminal or flagged in a security or compliance audit.
Raimonds Liepins, one of Delinea's ethical hackers, demonstrated how an attacker could use a few simple tools to exploit a user’s vulnerable endpoint. In only 15 minutes, he was able to escalate privileges and gain access to a Domain Controller and ultimately an organization’s entire IT environment.
You can test your defenses by simulating a similar attack on one of your endpoints.
Here’s how he did it:
Step 1: Access
Acting as an ethical hacker, Raimonds, bought access to a company’s internal system through the Dark Web for only a few hundred dollars. Alternatively, he could have gotten access through leaked credentials, phishing, or other social engineering strategies.
Step 2: Reconnaissance
Once Raimonds gained access to the company’s internal system, he performed broad reconnaissance, including a network sweep using Nmap. He was able to enumerate networks, services, directories on hosts, vulnerabilities, and privileges. Using command-line controls, he ran a search looking for open ports, such as web ports, SMB ports used for network shares, and remote desktop ports for managing workstations.
Step 3: Check for low-hanging vulnerabilities
Why pick the lock when the door is left open? As Raimonds showed, an attacker would first hope to find vulnerabilities for SMB ports, such as SMBGhost or Wannacry. If you’ve done a good job patching those SMB vulnerabilities and hardened your system, an attacker would need to continue looking for opportunities.
Step 4: Target weak applications
In the attack scenario, Raimonds targeted DotNetNuke as an example of a vulnerable application. The target endpoint user, a developer working on the CMS, had access to an older version of the application that exposed common exploits. Raimonds identified that the application was vulnerable to Cookie Deserialization Remote Code Execution and was able to load the exploit in Metasploit, which is an open-source penetration testing framework. He could then conduct all kinds of activities on the user’s endpoint, such as accessing the camera, recording keystrokes, etc.
Step 5: Elevate privileges
The ethical hacker learned that the endpoint user has Seimpersonate Privilege, which is the default on any network service accounts and Windows IIS app pool accounts. Unless you’ve disabled that default setting, a cybercriminal could escalate privileges from a basic user to a system user almost instantly.
Raimonds then used the exploit tool Rogue Potato (a new incarnation of Juicy Potato) to run a second session with system-level privileges on the endpoint. He was then able to act as part of the operating system, adjust memory, or other system functions without the user ever knowing.
Step 6: Pass-the-Hash
Raimonds went looking for any hashes left by high-level users who logged into the endpoint in the past. For example, a domain administrator could log into a user’s workstation to do administrative tasks and when doing so leave an NTLM hash. With this hash, a Pass-the-Hash attack can be executed to get access to systems as the highly privileged user, without knowing the actual user’s password.
Step 7: Extract privileged credentials
Ultimately, Raimonds was able to extract the credentials he wanted using Mimikatz. He then gained access to the Domain Controller, giving him host access to Windows domain resources, as well as more workstations and other servers within the domain. He could manipulate systems, exfiltrate sensitive information, and essentially do anything he wanted on the domain.
Defense is the best offense
Now that you’re sufficiently frightened by the endpoint hack scenario, let’s talk about how it could have been prevented with a privilege management solution, such as Delinea Privilege Manager.
First and foremost, it’s essential to remove local administrative rights from business users’ endpoints. With a least privilege policy, users should only have the level of access they need to do their jobs. Additionally, you should never allow users who have domain admin privileges to use them when operating on a local endpoint.
Policy-based application control is also essential to preventing an endpoint attack like this one. Using Privilege Managers’ granular policies, you can block or deny certain things that a user might try to run on an endpoint, including applications, executables, and installers. In this case, both Rogue Potato and Mimikatz could have been added to a deny policy and blocked from executing.
Even if a cybercriminal were to use a different malicious application—one you don’t know about—application control policies would allow you to quarantine a file and examine it before you allow users to run it.
Additionally, command-line actions can be blocked with Privilege Manager. The search commands run in this attack scenario using Nmap could have been blocked because they were run from the command line in command.exe (or if the commands were run from PowerShell).
What about that residual hash, you ask?
If the cybercriminal had indeed found a hash, a Pass-the-Hash attack could have been blocked by a PAM tool, such as Delinea Secret Server, which would have automatically rotated the Domain Admin’s password. Therefore, even if the attacker had the old hash, it would not have matched the new password, and he would have been denied access.
Remember, Pass-the-Hash attacks can’t be successful if privileged accounts aren’t used on endpoints. This brings us back to the fundamental practice of enforcing a least privilege policy with Privilege Manager.
Implementing Least Privilege shouldn't be hard