Last updated on 10/31/24

Identify Vulnerable Servers and Workstations

Now it’s time to roll up your sleeves and get to work! To carry out an attack correctly, there’s a huge amount of information to search for and record in an Active Directory environment. This chapter will help you identify potentially vulnerable servers and workstations that can later be used as an entry point by an attacker.

For this, you will play the role of a system administrator for the company MedicEx. We’ll be using this fake company regularly throughout the course. As a system administrator, you can connect to the network without restriction, and you don’t need to be concerned with potential detections (antivirus, EDR, network probes, etc.).

Identify Machines in the Work Environment

The first step in identifying vulnerable machines is to discover them on the network. This is the first thing I do when I start a penetration test in a company. I’ll search for the location of the machines. Obviously, clients know where most of their equipment is located, but two things are of interest:

  • It’s important to learn how to discover them yourself, regardless of the network’s size.

  • Servers are regularly brought online without the client’s knowledge. Attackers often look for these machines, as they are either unmonitored or only partially monitored.

The goal is to track them down. The main technique for this is network scanning. Watch the video to learn more about this process.

There are many network scanning tools to choose from, with varying levels of speed and discretion, but I’m going to show you the ones I use most often for auditing. Remember that you don’t have to be concerned with being detected. I’m going to tell you about some techniques that I consider to be effective and introduce you to two tools.

The first tool, called nmap, allows you to perform various types of scans. It’s an open-source tool that is free of charge, and it has a large community that has been improving it for several years.

ICMP Scan

The easiest scan to understand is the ICMP scan, or Ping Scan. The tool sends an ICMP request (a ping) to all the IP addresses you want to discover. If the machine responds, it means that it’s online. To use it with nmap, the -sP parameter must be specified, followed by the IP addresses to scan (in current nmap releases, -sP is the legacy name for -sn, which does the same thing).

nmap -sP 10.10.10.0/24

TCP Scan

The most common scan is the TCP scan. I am going to provide you with a quick reminder of what TCP is, but you can find more details in the course Set up TCP/IP Networks.

When a client wants to access a service provided by a server, it can use the Transmission Control Protocol (TCP). This protocol ensures that the server receives the client’s messages in the correct order and that the client receives the server’s messages in the correct order. This matters whenever a server must process packets in sequence: imagine an online sales service that would otherwise handle an order before the payment information had been received and verified.

To achieve this, the client informs the server that it wants to communicate over a specific port, corresponding to the requested service, by sending a SYN (Synchronize) message. If the server accepts the connection on this port, it will respond with a SYN/ACK (Synchronize and Acknowledge). The client will then validate this response with a simple ACK (Acknowledge).

If the server refuses the connection on this port, it will respond with a RST/ACK (Reset and Acknowledge).

Finally, if the server is offline, there will be no response at all.

Figure: TCP scan. Left, an open port: the exchange between client and server (SYN, SYN/ACK, ACK). Right, a closed port: the client’s SYN is answered with RST/ACK and no connection is established.

The principle behind a TCP scan is to send a TCP SYN connection request to multiple IP addresses on different ports. If these targets respond with a SYN/ACK or a RST/ACK, it means that they are online. If there is no response, you can’t communicate with this IP address. This may mean that there’s no machine, it’s offline, or there’s a network filter blocking your packets.

If the response is a SYN/ACK, you also know that the port you tested is open with an accessible service on it. This is useful because you can try interacting with this service - and perhaps exploit it!

This is the default scan type in nmap. Simply run the following command:

nmap 10.10.10.0/24

SYN Scan

Another type of scan I’d like to tell you about is the SYN scan. It’s faster than a TCP scan. With a TCP scan, as soon as a port is found open, the tool completes the handshake with the final ACK and then closes the connection properly. The SYN scan doesn’t do that: it sends a SYN, analyzes the response as before, and moves on to the next IP address without ever completing the connection. This saves a little bit of time on every port, allowing it to scan faster!

You need to pass the -sS parameter to use it.

nmap -sS 10.10.10.0/24

NetBIOS Scan

The last type of scan I often use is the NetBIOS scan. It’s slightly different because it is more limited than the other scans we’ve discussed, but it’s extremely fast. It uses the Windows NetBIOS protocol that matches IP addresses to machine names.

The free, open-source NBTscan tool can perform this type of scan. I use it when I need to scan very large network ranges, and I find that it’s really efficient.

You simply provide it with the IP addresses to be scanned.

nbtscan 10.10.0.0/16

Because it uses a Windows protocol, NBTscan will usually discover only Windows machines. Since it’s extremely fast, you can see where machines are located in a very large network and then scan these discovered subnetworks more thoroughly.

Once the machines have been identified on the network, a vulnerability scan can help you take control of one of them.

Enumerate the Vulnerabilities

Now you know which machines are accessible on the network. The goal is to go even further and explore the services provided by these machines, with the intention of exploiting them and taking control of a few hosts.

The first crucial step is port enumeration. We mentioned this technique already in the section on TCP and SYN scans. When you find a machine that responds to you, you can perform a port scan. You’ll send a TCP request to each port, and the server’s response will tell you if there’s a service listening on that port. Here’s how you would use nmap to scan ports 21, 22, 80, and 443 on a specific IP address:

nmap -p 21,22,80,443 10.10.10.2
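As an added example (not part of the course material), the TCP connect logic behind the scan described above and the port enumeration step just shown, written in Python and run against a throwaway listener on loopback so it works offline. The loopback host, the ephemeral ports and the listener are all constructed for the demo.

```python
import errno
import socket


def start_listener(host="127.0.0.1"):
    """Constructed demo target: a throwaway listener on an ephemeral loopback
    port. The kernel completes the handshake for it, no accept() needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def probe_port(host, port, timeout=0.5):
    """One full TCP connect, nmap's default scan type.
    SYN -> SYN/ACK -> ACK completes: open.
    SYN -> RST/ACK surfaces as ECONNREFUSED: closed.
    No answer before the timeout: no host, or a filter in the way."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))   # returns errno instead of raising
    except (socket.timeout, OSError):
        return "filtered"
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"   # EAGAIN/ETIMEDOUT or anything else: treat as no answer


def scan_ports(host, ports, timeout=0.5):
    """The port enumeration step (`nmap -p 21,22,80,443 <host>`): {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def demo_scan():
    """Scan one known-open and one known-closed loopback port; return both states."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()   # nothing listens here any more, so the kernel answers RST
    try:
        states = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return states[open_port], states[closed_port]
```

Because every probe completes the handshake, each one leaves a connection record on the target, which is exactly why a SYN scan is quieter and faster but needs raw-socket privileges.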

Generally, a port is associated with one service, but this isn’t always the case. Nmap’s -sV option is very helpful for finding out which service is actually running on each port, and it will even try to identify the service version. Here’s the command with an example of the tool’s output.

nmap -p 22 -sV 10.10.10.2

Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 10.10.10.2
Host is up (0.58s latency).

PORT    STATE   SERVICE VERSION
22/tcp open  ssh     OpenSSH for_Windows_8.1 (protocol 2.0)

Here, the tool is telling us that the 10.10.10.2 machine is online, TCP port 22 is listening, and the service running on this port is OpenSSH for Windows version 8.1.

You can check on CVE Details to find out whether this version of OpenSSH is vulnerable.
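As an added example (not the course's own code), a small parser for the nmap output format shown above that pulls out the host, port, state, service and version, then builds the list of fingerprinted open services to look up on CVE Details. The sample output is constructed for the demo, modelled on the excerpt above; the extra ports and products in it are invented.

```python
import re

# Constructed sample in nmap's normal output format, modelled on the excerpt
# above; the extra ports and products are invented for the demo.
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 10.10.10.2
Host is up (0.58s latency).

PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp  open     http         Microsoft IIS httpd 10.0
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Turn `nmap -sV` normal output into {host: [port records]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)      # every following port line belongs to it
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": (version or "").strip(),
            })
    return hosts


def triage_list(hosts):
    """Open ports with a fingerprinted version: the (host, port, service,
    version) rows to look up on CVE Details. Filtered ports and ports nmap
    could not fingerprint are left out, so they still need manual follow-up."""
    rows = []
    for host, records in hosts.items():
        for r in records:
            if r["state"] == "open" and r["version"]:
                rows.append((host, r["port"], r["service"], r["version"]))
    return rows
```

For real automation, prefer nmap's machine-readable outputs (-oG or -oX), which are stable across versions; the normal output is meant for humans.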

Isn’t it a bit tedious to look for vulnerabilities for all versions of all services? Surely there’s a more automated way to find out what’s vulnerable?

That’s true! It is quite tedious, and there are solutions that can automate this process. That said, understanding the process allows you to learn how these tools work. And if you needed to search for something specific on a machine one day, you won’t need to launch a tool that will move heaven and earth just to retrieve the one little piece of information you were looking for.

These automated solutions are called vulnerability scanners. They often go through all the steps we’ve talked about. They automate the discovery of network hosts, services, versions, and their vulnerabilities. OpenVAS is one such vulnerability scanner that is free and open source. In the professional world, Nessus is commonly used.

Before we move on to the exercise, you need to appreciate the importance of keeping up to date with Active Directory’s vulnerabilities. Let’s listen as Lionel explains how to keep up to date on the subject:

Let’s Recap!

  • Identifying machines on the network is essential for targeting attacks. To achieve this, we can use various types of scans:

    • The ICMP scan is a simple and effective way of finding online machines.

    • The TCP scan provides additional information on the status of one or more services.

    • The SYN scan is faster than the TCP scan, but requires privileged access on the scanning machine.

    • The NetBIOS scan is extremely efficient, but because it is more limited, it should be used in combination with one of the other three scans mentioned.

  • Learning about the machines’ services, versions, and potential vulnerabilities can help you prepare an effective attack plan.

This chapter showed you how to map the network, the machines, and their services. There is one group of services that is of particular interest to us: Active Directory. It’s finally time to dig into this environment, and we’ll start by identifying the domain and its potential entry points.
