Adding Red to Blue: 10 Tactics Defenders Can Learn from Penetration Testers
Malicious attackers and penetration testers can use some of the same tools. Attackers use them to cause harm while penetration testers use them to bring value to organizations. In this blog post, I've partnered with colleagues Jason Frank and Will Schroeder from The Veris Group's Adaptive Threat Division to describe some of the common penetration testing tools and techniques that can greatly benefit network defenders. While this blog post cannot cover all the techniques and shortcuts we use in the field, we do describe a set of 10 tactics that provide very little network disruption, are easy to use, and freely available.
Penetration testers and malicious attackers have it much easier than their defensive counterparts. They have to find that one crack in the wall or single unsuspecting user to gain a foothold in a network and conduct malicious activities, such as escalating privileges, exfiltrating data, or causing disruptions. Defenders have the tougher task of protecting the entire infrastructure, and a single mistake could be costly. Many financial, political, and organizational forces affect defenders' strategies and sometimes push them into introducing holes into their own solutions.
While the offensive and defensive sides have their differences, penetration testers also differ from actual malicious adversaries in many ways. Despite trying to emulate a real attacker, penetration testers also have to provide a thorough assessment of an entire network, usually within a finite amount of time. With efficiency at a premium, penetration testers become experts at writing scripts and creating tools to aid their attack tactics and help derive information about large environments in a short timeframe.
How did you do that?
On countless assessments, many customers have been surprised when our penetration testing teams discovered findings on systems that they didn't know were on the network. Many customers have hundreds of thousands of internet protocol (IP) addresses and struggle with not only protecting the space, but gathering an accurate inventory and maintaining situational awareness. Many customers turn to us to gain more information on how we comb over such a large space in a short amount of time and provide a full picture of the hosts, services, and users present in their network.
The same tools that penetration testers use for assessments can be extremely beneficial to network monitors, system administrators, and anyone in a position of defending a network. So why haven't they been using these tools in the first place?
Penetration or "hacker" tools get a bad rap. These tools are typically seen as potentially containing malware or being malicious in nature and therefore should not be allowed on the network. While this can be true for some tools, the majority of tools are safe to deploy and contain no malicious code that could be potentially flagged by defense appliances. In fact, the majority of tools used on our penetration testing engagements are for information gathering, not exploiting. Best of all, most of these tools are free and open source.
An unfortunate fact is that malicious attackers use the same tools, but with the intent of causing harm. Penetration testers and attackers gather information that allows them to exploit the network and steal sensitive information. Attackers are driven by malicious motives, but penetration testers use this sensitive information to provide better risk profiles and situational awareness to organizations. The same tools that attackers use to harm can also be used in an ethical and responsible manner to bring value to an organization.
We focus on the Windows environment since it has the largest operating system market share and thus, is the greatest target for attackers. More specifically, this approach allowed us to focus on the Windows Active Directory (AD) environment, which can contain numerous avenues for attackers to escalate privileges and traverse the network. With our heavy focus on Windows environments, it is important to note that the tactics rely heavily on Windows PowerShell. This tool has become extremely popular tool for system administrators and hackers alike.
For penetration testers and network defenders who are new to PowerShell, it is important to note that version 2.0 of the tool by default came integrated with the operating system since the release of Windows 7 and Server 2008 R2. PowerShell was a revolution for system administrators because it enabled easier management of systems through task automation and scripting. The power of the tool comes from its ability to directly interact with the Windows API and .NET framework. The tool, now in version 5.0, runs completely in memory, which raised some eyebrows in the hacking community. While it was a great tool that made the lives of defenders easier, it also became a new weapon in the post-exploitation phase of attacks. A deeper dive on why PowerShell is so valuable to penetration testers can be found on Veris Group researcher Matt Greaber's personal blog.
The 10 tactics in this blog post are derived from the original presentation, Go Hack Yourself: 10 Pentest Tactics for Blue Teamers, that I co-presented with Will Schroeder and Jason Frank (Click here to view a video of the presentation) at the BSides Pittsburgh conference in June.
- Tactic 1 - Asset discovery may be the most innocuous of all the tactics presented, but is arguably the most important. Whether attacking or defending, it is important to have an accurate picture of the network and what systems exist. Defenders often struggle with maintaining full situational awareness of their networks for a variety of reasons, some of which are out of their control.
When faced with a large network, we use advanced Nmap flags to adjust round-trip time (RTT) timeouts, scan delays, and retry counts to adjust the performance of the tool based on the network latency. We also start with a discovery scan that focuses on 10-to-12 commonly used ports instead of scanning all 65,536 ports on hosts that may or may not exist at a given IP address.
With sound network mapping data in hand, we use tools such as EyeWitness to gain more information about the host. EyeWitness focuses on web pages by reading in raw Nmap data, browsing the site, taking a screenshot, and outputting a categorized list viewable through a web browser. This list provides a quick and efficient way to view websites and appliances that may exist within a network. These items, of course, can be plentiful in large environments. During engagements, we use this information to gather low hanging fruit, such as sites that still have default credentials that we could leverage to gain access to the website and its underlying host.
- Tactic 2 - Regardless of how it happens, a breach is most likely to land the attacker on a user's desktop in the organization. The next step an attacker takes is to analyze that system and find a way to escalate privileges. This escalation could happen in a variety of ways, such as liberal permissions on a service executable or vulnerable registry keys that you could modify. The attacker could use the PowerUp module in the PowerTools suite of PowerShell scripts to quickly check for host-based vulnerabilities. We encourage defenders to run this script on all Windows desktops, especially against "gold" configurations that are pushed out to large groups of users.
- Tactic 3 - Much like mapping all the hosts on the network, discovering all the open file shares can be just as daunting for defenders. Many times employees share a folder to get files from one location to another and then forget to turn the sharing off when they are finished. Additionally, access control lists on shares can get confusing with many users and groups; one wrong permission can compromise everything.
The PowerView module in the PowerTools suite contains a method called Invoke-Sharefinder that queries the domain for a list of all available file shares on the network. It can even check to see if a given user has access to each share. Speaking from first-hand experience, I find it amazing how much information can exist in open file shares. From personally identifiable information (PII) to domain credentials, people save everything to their computer, where it can be leveraged by an attacker if shared. In some cases, the attacker finds that the default Windows $admin share is open, which allows an attacker to directly connect to the host.
- Tactic 4 - Attackers want to find out immediately who the privileged users are in a domain. Administrators have more rights and usually those rights are assigned only to a select group of people. Again, we use PowerView to search groups and users in the domain to find those that match a specific search string (with wildcard support), such as *admin*. This information is useful to defenders because it confirms the users who have those privileged rights. Sometimes special accounts, such as service accounts, are created for a short period of time, but never are removed. Restricting the number of privileged accounts, and managing who owns them, is critical in mitigating pivoting and escalation by attackers.
- Tactic 5 - Building off Tactic 4, once attackers discover who the high-value targets are, they can start to determine where these targets are located in the network. One way to locate targets is to leverage PowerShell and query the domain to find out where those privileged accounts and groups have access and if there are any users currently logged in. We achieve this scan using PowerView through its Invoke-UserHunter module, which can highlight active sessions that specific users have on hosts within the domain.
Once an attacker gains local administrator access to a machine where a high-value user, such as a domain administrator, has logged in, he or she can leverage other tools to impersonate the user or even recover the user's plain text password. This technique allows defenders to constantly check where the privileged accounts have logged in, which can cut down on an attacker's path to privileged escalation. It also helps to eliminate behavior such as employees using their privileged accounts when they are not needed. Remember, even if users have privileged rights, they should also have a separate standard user account for day-to-day activities.
- Tactic 6 - Speaking of those users, are they changing their passwords? A good password policy doesn't just shape the composition of passwords, it also shapes the frequency of when the passwords must be changed. We use PowerView to identify the last time a user's password was changed. Defenders should check password freshness consistently to make sure a group policy is working.
- Tactic 7 - As many defenders know, some networks are simple and many are not. Large corporate infrastructures could have multiple domains in multiple forests, especially if that organization has acquired other companies and absorbed their networks. Attackers have just as much trouble trying to figure out these intricacies, so the Invoke -MapDomainTrusts module was created in PowerView to assist with this problem. Using this function, we can create output in a format read by the open source tool yEd to provide a clear mapping of all domains within the network and the direction of their trusts to one another.
- Tactic 8 - It's no secret that one of the goals of an attacker is to get access to the domain controller, which provides access to any machine on the domain. The domain administrator account provides attackers access to the domain controller and all machines connected to the domain. For network defenders, however, it is important to pay special attention to the local administrator accounts on network hosts, especially on the domain controller itself.
As attackers move through a network, they collect as many local administrator accounts as possible in hopes that they are reused on other machines. We use PowerView to enumerate the local administrator accounts on any machine within the domain. Defenders can use this same tactic to verify that the right administrator accounts are there and monitor that no new accounts have been created.
- Tactic 9 - The Group Policy Preferences vulnerability (MS14-025) was a gift for attackers and a nightmare for defenders. In short, the vulnerability was that group policy extension files, which live on the domain controller, are used to automatically perform administrative tasks for unprivileged users (e.g., printer set up, mounted folded). These files contain an encrypted administrator password needed to perform the given task. The issue is that the key to the password became public in May of 2014; this key allows attackers to easily decrypt and recover the plain text password.
The problem for defenders is that fixing the problem is not as simple as applying the patch, which only prevents future problems. All affected group policy files must be removed, which can be a daunting task in a large environment. As a defender (or attacker), you can use another PowerShell script called PowerSploit to check for instances of vulnerable group policy preferences within the entire domain. The script even pulls out and decrypts the passwords for you.
- Tactic 10 - Attackers still have the task of getting sensitive information out of the network. With the amount of information coming in and out of a normal business network, defenders have the extremely difficult task of identifying, blocking, and logging anything that seems suspicious. As penetration testers, we have the task of trying to emulate exfiltration attempts in a standardized and measured manner. We use tools like Egress-Assess to aid in that effort. These tools make it very simple for defenders to test any egress solutions that are in place.
The purpose of sharing these tactics is to describe the shortcuts that penetration testers use to help network defenders gain better situational awareness. Knowing these tactics can also help defenders recognize some of the techniques that attackers are using (such as finding misconfigurations in the Windows domain environment). We selected these 10 tactics specifically because they all use free and open source tools, are simple to use, and are safe to introduce into any environment. Just as attackers put themselves in the mind of defenders to circumvent the road blocks in place, defenders can also put themselves in the minds of attackers to better protect and defend their networks.
To learn more about penetration testing, please visit
To view the presentation Go Hack Yourself, 10 Pen Test Tactics for Blue Teamers, by Jason Frank, Brent Kennedy, and Will Schroeder, please click here. To view a video of the presentation, please click here.