This One Time on a Pen Test, Part 2: How Just One Flaw Helped Us Beat the Unbeatable Network

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is the second in a five-part series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our report, “Under the Hoodie 2018: Lessons from a Season of Penetration Testing.”

Download the “Under the Hoodie” research report to understand the most prominent ways our pen testers were able to breach networks.

Get Started

During Red Team engagements, penetration testing operators are often pitted against some of the most well-hardened, locked-down, and mature environments. These clients are typically far along in their security maturity lifecycle and have spent large amounts of time and resources tuning their logging, deploying the latest and greatest security solutions, engaging users in security awareness training, and managing their vulnerabilities. However, sometimes all it takes is one misstep or oversight to bring all of that work crashing down.

Recently, we were on a Red Team engagement where this was exactly the case. Our target was a medium-sized company that is in the business of handling extremely sensitive information. Because they knew the risks that they operate under, they had spent years locking down their network as much as they possibly could. They also restricted all users’ accounts and workstations, deployed endpoint detection and response (EDR) solutions to all endpoints in the network, created an extremely efficient patching process, and had been through nearly a dozen penetration testing service engagements previously. These guys were good. Really good.

Cracking the code

We gained access through a VPN and got onto a restricted subnet with routes to only two subnets. We spent hours figuring out how to get a solid beachhead. There were no clients to attack on the local subnet due to guest isolation, no identifiable and exploitable vulnerabilities, no weak domain user passwords, and strong host-based security controls, and it was extremely difficult to target systems in the other subnets due to crossing a monitored network boundary. In an effort to get some type of foothold, we extracted the Kerberos service tickets for a small handful of accounts, put them into Hashcat, and left for the night.

Upon returning in the morning, we found that one had cracked. We quickly and discreetly got the domain group membership of the cracked service account and found that it was a member of the Enterprise Admins group. With this level of access, we could connect to any system in the target’s domain with elevated privileges. We began our hunt for critical data by guessing systems’ functions from their hostnames. On one of our first jumps using the compromised service account to RDP into a server, we struck gold—hundreds upon hundreds of pieces of information were at our fingertips. We were ready to start the exfiltration process.


The biggest takeaway from this engagement was that no matter how patched your systems are, how new and shiny your EDR solution is, or how hardened your network is, sometimes all it takes is one weak password or one overly privileged account to bring the entire show to a stop. Because of this, we always suggest that robust network monitoring and user behavior analytics be at the core of any security program to enable incident responders to detect anomalous behavior and begin the investigative process as soon as possible. As a matter of hygiene, organizations can also audit their Active Directory infrastructure for weak or out-of-compliance passwords, especially for those users who are members of admin groups.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Give “This One Time on a Pen Test, Part 1: Curiosity Didn’t Kill the Cat—Honesty Did” a read and check back next week for Part 3, which will cover how a Rapid7 pen tester successfully gained access to an energy company.

Learn more about Rapid7’s penetration testing services today.

Request More Information

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Rapid7
Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.
Promoted Content
30-Day Trial: UBA-Powered SIEM with Rapid7's InsightIDR
Rapid7 InsightIDR delivers trust and confidence: you can trust that any suspicious behavior is being detected, and have confidence that with the full context, you can quickly remediate. From working hand-in-hand with security teams, we understand how painful it is to triage, false-positive, vague alerts and jump between siloed tools, each monitoring a bit of the network. InsightIDR combines SIEM, UBA, and EDR capabilities to unify your existing network & security stack. By correlating the millions of events your organization generates daily to the exact users and assets behind them, you can reliably detect attacks and expose risky behavior - all in real-time.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?