Per a Q4 2023 survey, 77% of organizations use penetration testing to evaluate their security measures. 

Today, there are a variety of penetration testing methods organizations can use to identify and resolve potential weaknesses in their cybersecurity programs. One method that is becoming increasingly important for businesses in every industry is internal network pen testing.

What is Internal Network Pen Testing?

Penetration testing, or pen testing, has become a common security assessment practice for helping organizations take a proactive approach to protect against cyber threats. It is a simulated attack on computer systems, networks, or applications to identify vulnerabilities and weaknesses.

Importance of Internal Network Pen Testing

With these results, your business can improve security by addressing vulnerabilities before they can be exploited by malicious actors. It plays a crucial role in maintaining the confidentiality, integrity, and availability of critical systems and data.

For years, organizations have used external pen testing to evaluate the possibility of a remote attacker getting into the internal network; it is the traditional, more common approach to pen testing. Internal pen testing starts from the opposite assumption: the attacker is already inside. The attacker could be an insider such as an employee, vendor, or partner organization, or could have gained internal access through an external vulnerability or social engineering. Conducting specific internal attacks via an actual external compromise is often more time intensive, something an attacker may be willing to invest in but which may be out of scope for most external tests. Internal testing should answer the question “What could an attacker potentially do once they have achieved a foothold inside the network?” with a measure of independence from any particular path used to gain internal access.

Addressing Internal Threats

Whether it’s a malicious insider, a 0-day vulnerability in a perimeter system, or simply a negligent employee who exposes your organization to a phishing attack, organizations must consider evaluating their cybersecurity efforts from an attacker’s point of view who has already gained access to the internal network. Employing security measures on the inside, as well as the outside, fulfills the proven strategy of having a “defense-in-depth” approach to your information security. A good internal pen test will evaluate internal security boundaries that may protect sensitive enclaves, management, or development networks as well.

Mitigating Internal Threats

Internal network pen testing helps organizations identify and prioritize internal systems and configurations with the biggest impact to internal security. The goal is similar to external pen testing, to gain control over or access to sensitive systems and data, but the major differentiator is that the “attacker” either has some sort of authorized access or is starting from a point within the internal network. A good pen test will “meet an organization where they are at” and allocate efforts the same way an attacker would; that is to observe the environment and look for low-sophistication/high-reward techniques first and move on to more difficult methods if initial efforts are not fruitful. A sophisticated door lock may be a poor investment if a brick through a window will get the attacker what they are after. Security budgets are often limited, and a practical test that leverages current techniques will help to prioritize resources to maximize impact and meet defined security posture goals.

Why Do Businesses Need Internal Network Pen Testing?

Many organizations have an effective infrastructure for monitoring external threats, but their internal detection capabilities are often lacking. And, while having a rogue employee in your midst isn’t likely, ensuring that your critical internal systems are secure is paramount. Here are a couple of reasons why internal pen testing is important:

  1. Today’s cybercriminals are using “internal methods” for penetrating organizations. In today’s world, many cyber attackers target people within your organization. They will work to compromise the technology through phishing or other social engineering techniques and then move laterally throughout your entire organization. Remote work technologies can give an attacker who holds valid credentials easy access to internal systems. Without the proper protection, they can navigate through the inherent trust controls your organization has built within its internal systems and processes.
  2. Internal attacks can be much more devastating. While insider threat events are typically less frequent than external attacks, internal attacks often pose a much higher severity of risk for organizations when they do happen. Internal environments typically expose much greater variety and at least an order of magnitude more systems for an attacker to interact with. This environment is designed to connect internal employees, and implicitly an attacker who has compromised an account or system, with the information and actions needed to accomplish every task inside the company.
  3. Internal attacks can go undetected for long periods. According to Insider Threat Statistics for 2023, the average time to detect and contain an insider threat incident is 85 days. Only 12% of insider-related incidents are contained in fewer than 31 days.

More and more of today’s cyberattacks don’t look like external threats. They look like internal users who are abnormally accessing systems and data. Internal network pen testing is the best way to protect your organization from experiencing significant damage from these types of threats.

How to Get Fewer Findings on Your Next Internal Penetration Test … and Become More Secure

As a penetration tester stated, “I find it too easy to fully compromise an internal network without running malicious code on a single target. These techniques leverage built-in services and common configurations of modern enterprise systems in an Active Directory environment and I’m going to demonstrate what can be done with freely available tools by penetration testers and true threats alike.”

The Problem

Windows systems like to communicate: they check in constantly and are configured by default to work in a wide variety of network environments “automagically”. Often these environments consist of a mix of old and newer systems, from multiple vendors, configured by different administrators over many years. Best practices evolve over time, and old capabilities are often preserved for compatibility with legacy systems, sometimes even after those legacy systems are long gone. Chief among the legacy system requirements is a lack of any requirement for signing in Server Message Block (SMB) communications. SMB is used for file and printer sharing as well as other communications between networked systems. When signing is required, it prevents tampering with SMB authentication attempts, like a security seal on an envelope. Would you trust a letter claiming to be from your bank if the envelope had been opened and taped shut again?

The Vulnerability

When SMB signing is not required, an attacker can take a legitimate authentication message, rewrite it, and pass it off as their own. This is known as relaying. The target system is configured not to check whether the message has been tampered with and happily accepts it. The result is that the attacker is now authenticated to the target system as the account that sent the request, no password needed! Once authenticated, the attacker can take actions as if they were the original user and keep this logged-in status for an extended period. The only requirements are to identify target systems where SMB signing is not required and to find a way to take control of these authentication messages. There are quite a variety of methods to accomplish the latter, and still more are being discovered even though this attack has been well known for 15 years (see MS Security Advisory 974926).

Three broadcast-type features in the Windows operating system allow for spoofing and capturing of SMB authentication attempts on a local subnet of a network. Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBTNS), and Multicast Domain Name Resolution (MDNS) are all intended to help a Windows system find another system even when more conventional and modern methods, such as DNS, are the intended mechanism. Most corporate networks have no need for these protocols at all, but they are still present as a fallback mechanism when other methods fail. A common reason for this failure is a typo in a computer name or an attempt to connect to a system that is no longer present. The attacker simply answers one of these queries and says “Here I am! Connect to me!” and is often rewarded with an authentication attempt shortly thereafter, which is then relayed to a vulnerable system. Windows typically re-attempts connections or moves on to another method when one fails, so these interceptions appear to users at most as minor momentary “glitches” and do not disrupt normal operations.

Many corporate networks use Dynamic Host Configuration Protocol (DHCP) to flexibly assign IP configurations to systems without manually configuring every system. Attackers can inject malicious values into these messages, or simply operate as a rogue DHCP server offering alternative configurations for IPv4 or IPv6 networking. IPv6 is particularly easy to use as an attacker because it is frequently unused in corporate networks but Windows clients prefer it when available. The attacker will offer the configuration temporarily and use it to direct all authentication requests to the attacker for a short period of time. These are then relayed and the rogue DHCP service can then be discontinued to avoid detection or impacts to normal network operation.

These protocols all use broadcast messages to communicate, so all computers on the same local network (layer 2 broadcast domain) receive these broadcast requests. Any computer can choose to respond to the request, and nothing checks whether the response is legitimate. Here’s how this might look:

[Figure: Workstation 1 broadcasts a name query for \\fileserver; Workstation 2 (malicious) answers the query and receives Workstation 1’s authentication attempt]

When a workstation makes a broadcast request looking for a resource (in our example \\fileserver), a malicious computer (Workstation 2 in our example) can respond, tricking the requesting computer (Workstation 1) into believing it is the resource being looked for. The requesting computer will automatically attempt to authenticate to the malicious computer.

On a typical corporate network, an attacker can obtain many authentication attempts from a variety of users within minutes.
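One way to look for this behaviour from the defender’s side, as an added example that is not part of the original post: the script below sends an LLMNR query for a constructed name that nothing on the network owns and reports any host that answers, since on a healthy network nobody should claim a random name. It assumes a Windows host with PowerShell 5.1 or later and uses only the .NET UdpClient class and the LLMNR wire format (RFC 4795).

```powershell
# Added example: LLMNR "canary" probe. A reply to a query for a name that does
# not exist is a strong indicator of a name-resolution poisoner on the subnet.
function Test-LlmnrPoisoner {
    param(
        # Constructed probe name; nothing on a healthy LAN should claim it
        [string]$CanaryName = ('canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)),
        [int]$TimeoutMs = 3000
    )
    # LLMNR reuses the DNS message format: 12-byte header, then one question
    $id = Get-Random -Minimum 1 -Maximum 65535
    $header = [byte[]]@(
        [byte]($id -shr 8), [byte]($id -band 0xFF),   # transaction ID
        0x00, 0x00,                                    # flags: standard query
        0x00, 0x01,                                    # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00             # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    $label = [Text.Encoding]::ASCII.GetBytes($CanaryName)
    $qname = [byte[]]@([byte]($label.Length)) + $label + [byte[]]@(0x00)
    $question = [byte[]]@(0x00, 0x01, 0x00, 0x01)     # QTYPE A, QCLASS IN
    $packet = [byte[]]($header + $qname + $question)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    # LLMNR multicast group and port
    $group = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $responders = @()
    try {
        [void]$udp.Send($packet, $packet.Length, $group)
        while ($true) {
            $reply = $udp.Receive([ref]$remote)   # throws SocketException once the timeout expires
            # Count only replies that echo our transaction ID and carry at least one answer record
            if ($reply.Length -ge 12 -and $reply[0] -eq $header[0] -and $reply[1] -eq $header[1] -and
                ($reply[6] -ne 0 -or $reply[7] -ne 0)) {
                $responders += $remote.Address.ToString()
            }
        }
    } catch [System.Net.Sockets.SocketException] {
        # Timeout reached: no further replies
    } finally {
        $udp.Close()
    }
    [pscustomobject]@{ Canary = $CanaryName; Poisoners = @($responders | Sort-Object -Unique) }
}

Test-LlmnrPoisoner
```

Any address listed under Poisoners deserves an investigation; an empty list means no host answered for the canary within the timeout, not that the subnet is clean.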

Other techniques also exist to solicit or coerce systems to make authentication attempts to the attacker’s system, and new techniques are still being discovered every year. This cannot be fully eliminated but the opportunity can be significantly reduced. The option to capture hashed credentials is inherent with this attack, and it is always an option for an attacker to attempt to recover the corresponding plain text password through offline rule-based or brute force analysis or “cracking”. This becomes difficult when passwords are strong, but a successfully cracked password can be used even against targets where relaying is not an option.

The Solution

As with any technology change, testing and planning are key. There may be systems which depend on these technologies and other changes or updates may be required. Several layers are important to mitigate this issue in most environments. System configuration can be managed in a variety of ways across differing operating systems and is beyond the scope of this blog post. See links to additional resources at the end. For Windows-based hosts the following hardening configurations are typical:

  1. Require SMB Signing (limits targets for relay attacks)
  2. Require strong passwords (prevent cracking of captured authentication hashes)
  3. Disable LLMNR (prevent clients from sending LLMNR messages)
  4. Disable NBTNS (prevent clients from sending NBTNS requests)
  5. Disable MDNS (prevent clients from sending MDNS requests)
  6. Disable DHCPv6
  7. Enable channel and service binding for LDAP/LDAPS, MSSQL, and IIS (limit relaying to these resources)
  8. Network Segmentation (limit the reach of attackers and the size of broadcast domains)
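The host-level items on that list (1, 3, 4, 5 and 6) can be audited, and with -Apply enforced, by the following script, added here as an example rather than taken from the original post. It assumes it is saved as a .ps1 file and run from an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer; item 7 is configured on domain controllers and the affected servers, and items 2 and 8 are policy and network changes, so they are not covered.

```powershell
# Added example: audit a Windows host against the relay-hardening list and,
# with -Apply, enforce it. Test in a lab first: legacy systems may still
# depend on NBT-NS or on unsigned SMB.
[CmdletBinding()]
param([switch]$Apply)

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$dnsCache  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$netbt     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
# Physical/virtual adapters only; pseudo-interfaces and loopback are skipped
$v6 = { Get-NetIPInterface -AddressFamily IPv6 | Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } }

$checks = @(
    # 1. SMB signing required on both the server and the client side
    @{ Name = 'SMB server signing required'; Pass = { (Get-SmbServerConfiguration).RequireSecuritySignature };
       Fix = { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force } },
    @{ Name = 'SMB client signing required'; Pass = { (Get-SmbClientConfiguration).RequireSecuritySignature };
       Fix = { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force } },
    # 3. LLMNR off (policy value EnableMulticast = 0)
    @{ Name = 'LLMNR disabled'; Pass = { (Get-ItemProperty $dnsPolicy -ErrorAction SilentlyContinue).EnableMulticast -eq 0 };
       Fix = { Set-RegDword $dnsPolicy 'EnableMulticast' 0 } },
    # 4. NBT-NS off on every interface (NetbiosOptions = 2 means "disable NetBIOS over TCP/IP")
    @{ Name = 'NBT-NS disabled'; Pass = { -not (Get-ChildItem $netbt | Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }) };
       Fix = { Get-ChildItem $netbt | ForEach-Object { Set-RegDword $_.PSPath 'NetbiosOptions' 2 } } },
    # 5. mDNS off in the DNS client service
    @{ Name = 'mDNS disabled'; Pass = { (Get-ItemProperty $dnsCache -ErrorAction SilentlyContinue).EnableMDNS -eq 0 };
       Fix = { Set-RegDword $dnsCache 'EnableMDNS' 0 } },
    # 6. DHCPv6 and router discovery off, so a rogue IPv6 server cannot hand the host a new configuration
    @{ Name = 'DHCPv6 disabled'; Pass = { -not (& $v6 | Where-Object { $_.Dhcp -eq 'Enabled' -or $_.RouterDiscovery -eq 'Enabled' }) };
       Fix = { & $v6 | Set-NetIPInterface -Dhcp Disabled -RouterDiscovery Disabled } }
)

foreach ($c in $checks) {
    $ok = [bool](& $c.Pass)
    if (-not $ok -and $Apply) { & $c.Fix; $ok = [bool](& $c.Pass) }   # re-check after the fix
    [pscustomobject]@{ Check = $c.Name; Compliant = $ok }
}
```

Run it without -Apply first to get a compliance table per host, then roll the same settings out through Group Policy rather than per machine once the exceptions are known.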

If you follow the recommendations above (after careful testing, of course), you will have a more secure environment with little effort or impact on the network. Often exceptions can be made for a handful of specific systems where needed. Hackers and penetration testers will find it more difficult to get a foothold on your internal network; hopefully, this will force them to try other attacks that are more likely to get noticed by your internal monitoring. If you implement these changes, which is highly recommended, post a comment and let us know your experiences.

Need a Way to Protect Against Internal Threats?

Organizations must understand the threat landscape and conduct applicable threat modeling in their pen testing. At LBMC, our cybersecurity team is constantly evolving our pen testing methods to emulate the types of attacks that are happening today.

If you’re looking for a way to protect against insider threats, I’d invite you to learn more about our extensive internal network pen testing method and purple team engagements. You can also connect with our team at any time to learn about our other pen testing methods or cybersecurity services.

Content provided by LBMC security professional, Jon Sullivan.